Edit tour

Windows Analysis Report
powershell.exe

Overview

General Information

Sample Name:	powershell.exe
Analysis ID:	668013
MD5:	c32ca4acfcc635ec1ea6ed8a34df5fac
SHA1:	f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919
SHA256:	73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70
Infos:

Detection

Score:	6
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

Uses 32bit PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

PE file contains strange resources

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Queries the installation date of Windows

Detected potential crypto function

Contains long sleeps (>= 3 min)

Enables debug privileges

Classification

Process Tree

System is w10x64

powershell.exe (PID: 6928 cmdline: "C:\Users\user\Desktop\powershell.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: powershell.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: powershell.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: powershell.pdbUGP source: powershell.exe
Source:	Binary string: powershell.pdb source: powershell.exe

Source: C:\Users\user\Desktop\powershell.exe

Code function: 0_2_00ACD76F malloc,ExpandEnvironmentStringsW,FindFirstFileW,FindClose,free,

0_2_00ACD76F

Source: powershell.exe, 00000000.00000002.708092999.0000000003582000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000000.00000002.712431385.0000000005611000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Source: powershell.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: powershell.exe, 00000000.00000002.712749418.000000000565C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs powershell.exe
Source: powershell.exe, 00000000.00000002.712431385.0000000005611000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs powershell.exe

Source: powershell.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: powershell.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: powershell.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: powershell.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\Desktop\powershell.exe	Code function: 0_2_00AC96A0	0_2_00AC96A0
Source: C:\Users\user\Desktop\powershell.exe	Code function: 0_2_00ACA0E0	0_2_00ACA0E0
Source: C:\Users\user\Desktop\powershell.exe	Code function: 0_2_07C394D8	0_2_07C394D8
Source: C:\Users\user\Desktop\powershell.exe	Code function: 0_2_07C394D8	0_2_07C394D8
Source: C:\Users\user\Desktop\powershell.exe	Code function: 0_2_07C3E1E0	0_2_07C3E1E0
Source: C:\Users\user\Desktop\powershell.exe	Code function: 0_2_07C3E1F0	0_2_07C3E1F0
Source: C:\Users\user\Desktop\powershell.exe	Code function: 0_2_07C30040	0_2_07C30040
Source: C:\Users\user\Desktop\powershell.exe	Code function: 0_2_07C3001B	0_2_07C3001B

Source: C:\Users\user\Desktop\powershell.exe

Code function: 0_2_00ACA3B0 FormatMessageW,GetLastError,FormatMessageW,??_V@YAXPAX@Z,LocalFree,??_V@YAXPAX@Z,LocalFree,??_V@YAXPAX@Z,LocalFree,

0_2_00ACA3B0

Source: powershell.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\powershell.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\powershell.exe "C:\Users\user\Desktop\powershell.exe"
Source: C:\Users\user\Desktop\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Users\user\Desktop\powershell.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77F10CF0-3DB5-4966-B520-B7C54FD35ED6}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6936:120:WilError_01

Source: C:\Users\user\Desktop\powershell.exe

Code function: 0_2_00ACEB31 FindResourceExW,LoadResource,

0_2_00ACEB31

Source: C:\Users\user\Desktop\powershell.exe

File created: C:\Users\user\Documents\20220718

Jump to behavior

Source: C:\Users\user\Desktop\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vyke4on2.1v5.ps1

Jump to behavior

Source: classification engine

Classification label: clean6.winEXE@2/2@0/0

Source: C:\Users\user\Desktop\powershell.exe

Code function: 0_2_00ACD283 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z,__EH_prolog3,RegGetValueW,memset,RegGetValueW,SetConsoleTitleW,free,CoCreateInstance,CoCreateInstance,??_V@YAXPAX@Z,free,free,#30,free,free,#30,free,free,

0_2_00ACD283

Source: C:\Users\user\Desktop\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: powershell.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: powershell.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: powershell.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: powershell.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: powershell.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: powershell.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: powershell.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: powershell.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: powershell.pdbUGP source: powershell.exe
Source:	Binary string: powershell.pdb source: powershell.exe

Source: C:\Users\user\Desktop\powershell.exe	Code function: 0_2_00AD02A8 push edi; retf	0_2_00AD02A9
Source: C:\Users\user\Desktop\powershell.exe	Code function: 0_2_00ACB80D push ecx; ret	0_2_00ACB820
Source: C:\Users\user\Desktop\powershell.exe	Code function: 0_2_00AC33BA push eax; retn 0000h	0_2_00AC3491
Source: C:\Users\user\Desktop\powershell.exe	Code function: 0_2_00ACB3CC push ecx; ret	0_2_00ACB3DF

Source: C:\Users\user\Desktop\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\powershell.exe

Window / User API: threadDelayed 9014

Jump to behavior

Source: C:\Users\user\Desktop\powershell.exe TID: 5836

Thread sleep time: -11068046444225724s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\powershell.exe

Code function: 0_2_00ACD76F malloc,ExpandEnvironmentStringsW,FindFirstFileW,FindClose,free,

0_2_00ACD76F

Source: C:\Users\user\Desktop\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\powershell.exe	Code function: 0_2_00ACB4F0 SetUnhandledExceptionFilter,		0_2_00ACB4F0
Source: C:\Users\user\Desktop\powershell.exe	Code function: 0_2_00ACB17C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		0_2_00ACB17C

Source: C:\Users\user\Desktop\powershell.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\powershell.exe

Code function: GetLocaleInfoW,wcsncmp,

0_2_00ACE702

Source: C:\Users\user\Desktop\powershell.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Source: C:\Users\user\Desktop\powershell.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\powershell.exe

Code function: 0_2_00ACE80D memset,GetVersionExW,GetVersionExW,

0_2_00ACE80D

Source: C:\Users\user\Desktop\powershell.exe

Code function: 0_2_00ACB715 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_00ACB715

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	1 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	21 Virtualization/Sandbox Evasion	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	34 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Link
powershell.exe	0%	Virustotal	Browse
powershell.exe	0%	Metadefender	Browse
powershell.exe	0%	ReversingLabs

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000000.00000002.712431385.0000000005611000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	668013
Start date and time: 18/07/202208:42:44	2022-07-18 08:42:44 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 49s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	powershell.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean6.winEXE@2/2@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 6.8% (good quality ratio 5.9%) Quality average: 62.8% Quality standard deviation: 35.3%
HCA Information:	Successful, ratio: 100% Number of executed functions: 34 Number of non-executed functions: 21
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.211.6.115, 40.125.122.176, 20.54.89.106, 20.223.24.244, 52.152.110.14, 52.242.101.226
Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, arc.msn.com, e12564.dspb.akamaiedge.net, licensing.mp.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, login.live.com, store-images.s-microsoft.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, glb.sls.prod.dcat.dsp.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
08:44:27	API Interceptor	38x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sqblenui.nu5.psm1

Download File

Process:	C:\Users\user\Desktop\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vyke4on2.1v5.ps1

Download File

Process:	C:\Users\user\Desktop\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1

Static File Info

General

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	5.502549953174867
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	powershell.exe
File size:	433152
MD5:	c32ca4acfcc635ec1ea6ed8a34df5fac
SHA1:	f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919
SHA256:	73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70
SHA512:	6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc
SSDEEP:	6144:MF45pGVc4sqEoWwO9sV1yZywi/PzNKXzJ7BapCK5d3klRzULOnWyjLsPhAQzqO:95pGVcwW2KXzJ4pdd3klnnWosPhnzq
TLSH:	B5947C8367D45295EC3FC431DC3745610622BCBDDBD09BDB99C8B6390A702D09A3EA6B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......".z.fg..fg..fg..x5..dg..o...lg..r...eg..r...}g..fg...g..r...cg..r...og..r...ng..r...gg..r...gg..Richfg.........................

File Icon


Icon Hash:	14ec98b2b8e4d600

Static PE Info

General

Entrypoint:	0x40afc0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x30F12F73 [Mon Jan 8 14:51:31 1996 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	10
OS Version Minor:	0
File Version Major:	10
File Version Minor:	0
Subsystem Version Major:	10
Subsystem Version Minor:	0
Import Hash:	194427a488ed1dd0a91731658b071667

Entrypoint Preview

Instruction
call 00007FE154B40CC5h
jmp 00007FE154B4034Eh
jmp dword ptr [004121F4h]
cmp ecx, dword ptr [00411368h]
jne 00007FE154B40575h
retn 0000h
jmp 00007FE154B4073Bh
int3
int3
mov edi, edi
push ebp
mov ebp, esp
push esi
mov esi, 004113A4h
push esi
call dword ptr [004120E8h]
mov ecx, dword ptr [00411360h]
mov eax, dword ptr [ebp+08h]
inc ecx
mov dword ptr [00411360h], ecx
push esi
mov dword ptr [eax], ecx
mov eax, dword ptr fs:[0000002Ch]
mov ecx, dword ptr [004116DCh]
mov ecx, dword ptr [eax+ecx*4]
mov eax, dword ptr [00411360h]
mov dword ptr [ecx+00000004h], eax
call dword ptr [00412078h]
push 004113A8h
call dword ptr [00412070h]
pop esi
pop ebp
ret
mov edi, edi
push ebp
mov ebp, esp
push esi
push edi
mov edi, 004113A4h
push edi
call dword ptr [004120E8h]
mov esi, dword ptr [ebp+08h]
cmp dword ptr [esi], 00000000h
jne 00007FE154B40581h
or dword ptr [esi], FFFFFFFFh
jmp 00007FE154B4059Bh
push 00000000h
call 00007FE154B405A2h
pop ecx
jmp 00007FE154B4055Eh
cmp dword ptr [esi], FFFFFFFFh
je 00007FE154B40563h
mov eax, dword ptr fs:[0000002Ch]
mov ecx, dword ptr [004116DCh]
mov ecx, dword ptr [eax+ecx*4]
mov eax, dword ptr [00411360h]
mov dword ptr [ecx+00000004h], eax
push edi
call dword ptr [00412078h]
pop edi
pop esi

Rich Headers

Programming Language:

[IMP] VS2008 build 21022
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x12208	0xb4	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x13000	0x57d88	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x6b000	0x127c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x4900	0x54	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x1694	0x18	.text
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x15e8	0xac	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x12000	0x204	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xf35c	0xf400	False	0.457367443647541	data	5.675599809360563	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x11000	0x938	0x400	False	0.439453125	data	4.3874403980662935	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x12000	0xcd8	0xe00	False	0.44614955357142855	data	5.292395568542356	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x13000	0x57d88	0x57e00	False	0.3494065611664296	data	5.3056762942545195	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x6b000	0x127c	0x1400	False	0.7013671875	data	6.257290188908493	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
MUI	0x6acb0	0xd8	data	English	United States
RT_ICON	0x13c48	0x2fbe	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States
RT_ICON	0x16c08	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 4294967295	English	United States
RT_ICON	0x1ae30	0x25a8	data	English	United States
RT_ICON	0x1d3d8	0x1a68	data	English	United States
RT_ICON	0x1ee40	0x10a8	data	English	United States
RT_ICON	0x1fee8	0x988	data	English	United States
RT_ICON	0x20870	0x6b8	data	English	United States
RT_ICON	0x20f28	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x21408	0x668	data	English	United States
RT_ICON	0x21a70	0x2e8	dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 2296940798, next used block 15239304	English	United States
RT_ICON	0x21d58	0x1e8	data	English	United States
RT_ICON	0x21f40	0x128	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x22068	0xea8	data	English	United States
RT_ICON	0x22f10	0x8a8	dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 14019316, next used block 14479096	English	United States
RT_ICON	0x237b8	0x6c8	data	English	United States
RT_ICON	0x23e80	0x568	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x243e8	0x42028	dBase IV DBT, blocks size 0, block length 8192, next free block index 40, next free block 0, next used block 0	English	United States
RT_ICON	0x66410	0x25a8	data	English	United States
RT_ICON	0x689b8	0x10a8	data	English	United States
RT_ICON	0x69a60	0x988	data	English	United States
RT_ICON	0x6a3e8	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_GROUP_ICON	0x21390	0x76	data	English	United States
RT_GROUP_ICON	0x6a850	0xbc	data	English	United States
RT_VERSION	0x6a910	0x39c	data	English	United States
RT_MANIFEST	0x135a0	0x6a3	XML 1.0 document text	English	United States

Imports

DLL	Import
msvcrt.dll	_onexit, __dllonexit, _unlock, _lock, _initterm, __setusermatherr, __p__fmode, _cexit, _exit, exit, __set_app_type, __wgetmainargs, ?terminate@@YAXXZ, __p__commode, ??1type_info@@UAE@XZ, _controlfp, _XcptFilter, _except_handler4_common, memcmp, _vsnwprintf, _wcsicmp, _wcsnicmp, bsearch, fclose, _wfopen, _itow_s, wcstoul, wcschr, __uncaught_exception, memmove, memcpy, _CxxThrowException, ?what@exception@@UBEPBDXZ, ??1exception@@UAE@XZ, ??0exception@@QAE@ABV0@@Z, ??0exception@@QAE@ABQBDH@Z, ??0exception@@QAE@ABQBD@Z, _callnewh, malloc, wcsncmp, wcsrchr, free, _purecall, ??3@YAXPAX@Z, memcpy_s, ??_V@YAXPAX@Z, __CxxFrameHandler3, _amsg_exit, memset
ATL.DLL
KERNEL32.dll	CreateFileMappingW, FreeLibrary, LoadResource, FindResourceExW, UnmapViewOfFile, GetVersionExW, GetLocaleInfoW, GetUserDefaultUILanguage, GetSystemDefaultUILanguage, SearchPathW, MapViewOfFile, GetTickCount, GetSystemTimeAsFileTime, LoadLibraryExW, GetCurrentProcessId, QueryPerformanceCounter, TerminateProcess, SetUnhandledExceptionFilter, UnhandledExceptionFilter, SleepConditionVariableSRW, WakeAllConditionVariable, GetModuleFileNameW, ReleaseSRWLockExclusive, Sleep, IsWow64Process, SetConsoleTitleW, GetFileType, VerifyVersionInfoW, GetProcAddress, GetModuleHandleW, GetCurrentThreadId, GetModuleHandleExW, GetStartupInfoW, VerSetConditionMask, FindFirstFileW, SetErrorMode, LocalFree, CompareStringW, WriteConsoleW, SetLastError, GetLastError, GetCurrentProcess, GetStdHandle, WriteFile, FormatMessageW, ExpandEnvironmentStringsW, GetFileAttributesW, CreateFileW, FindClose, SetThreadUILanguage, AcquireSRWLockExclusive, CloseHandle
OLEAUT32.dll	SysAllocString, SafeArrayPutElement, VariantClear, SafeArrayCreate, SysFreeString, SysStringLen
ADVAPI32.dll	RegOpenKeyExW, RegEnumKeyExW, RegQueryValueExW, RegCloseKey, RegGetValueW
OLE32.dll	CoUninitialize, CoInitializeEx, CoInitialize, PropVariantClear, CoTaskMemAlloc, CoCreateInstance
USER32.dll	LoadStringW
mscoree.dll	CorBindToRuntimeEx

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: powershell.exePID: 6928, Parent PID: 3464

General

Target ID:	0
Start time:	08:43:59
Start date:	18/07/2022
Path:	C:\Users\user\Desktop\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\powershell.exe"
Imagebase:	0xac0000
File size:	433152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6936, Parent PID: 6928

General

Target ID:	1
Start time:	08:43:59
Start date:	18/07/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff77f440000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: powershell.exePID: 6928, Parent PID: 3464COMMON

Execution Graph

Execution Coverage:	5.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	28.6%
Total number of Nodes:	377
Total number of Limit Nodes:	6

Executed Functions

Function 00ACD283 Relevance: 49.4, APIs: 17, Strings: 11, Instructions: 393
comregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 57%

			E00ACD283(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t100;
				void* _t101;
				void* _t105;
				void* _t108;
				void* _t110;
				void* _t113;
				void* _t115;
				void* _t119;
				void* _t120;
				void* _t126;
				void* _t127;
				void* _t130;
				void* _t131;
				void* _t143;
				void* _t151;
				void* _t154;
				void* _t164;
				void* _t166;
				void* _t167;
				void* _t168;
				void* _t170;
				void* _t171;
				void* _t172;
				void* _t173;
				void* _t175;
				char* _t176;
				char* _t177;
				void* _t190;
				void* _t192;
				intOrPtr* _t202;
				void* _t204;
				void* _t205;
				void* _t211;
				void* _t212;
				void* _t230;
				void* _t240;
				signed int _t256;
				char* _t261;
				void* _t263;
				void* _t264;
				void* _t275;
				void* _t282;

				_t178 = __ecx;
				_push(0x2c);
				E00ACB3EF(E00ACC98F, __ebx, __edi, __esi);
				 *((intOrPtr*)(_t275 - 0x38)) = __ecx;
				_t260 =  *(__edx + 0xc);
				_t175 = 0;
				 *(_t275 - 0x24) = 0;
				_t263 = 0;
				if( *(__edx + 0xc) == 0 || ( *(__edx + 0x2c) & 0x00000800) == 0) {
					 *(_t275 - 0x20) = _t175;
					_t100 = E00ACDDCB(_t178);
					_t176 = L"ConsoleHostShortcutTargetX86";
					if(_t100 == 0) {
						_t176 = L"ConsoleHostShortcutTarget";
					}
					_t101 = _t275 - 0x20;
					__imp__RegGetValueW(0x80000002, L"SOFTWARE\\Microsoft\\PowerShell\\3", _t176, 0x10000006, 0, 0, _t101); // executed
					_t282 = _t101;
					if(_t282 != 0) {
						_t175 = 0;
						__eflags = 0;
						goto L20;
					} else {
						_t256 = 2;
						_t164 = E00ACACEC();
						_t228 =  *(_t275 - 0x20) + 2;
						 *(_t275 - 0x24) = _t164;
						memset(_t164, 0,  *(_t275 - 0x20) + 2);
						_t166 = _t275 - 0x20;
						__imp__RegGetValueW(0x80000002, L"SOFTWARE\\Microsoft\\PowerShell\\3", _t176, 0x10000006, 0,  *(_t275 - 0x24), _t166,  ~(0 | _t282 > 0x00000000) | (( *(_t275 - 0x20) >> 0x00000001) + 0x00000001) * _t256); // executed
						if(_t166 != 0) {
							_t167 = E00ACDDCB(_t228);
							__eflags = _t167;
							if(_t167 == 0) {
								_t177 = L"%AppData%\\Microsoft\\Windows\\Start Menu\\Programs\\Windows PowerShell\\Windows PowerShell.lnk";
								_t168 = E00ACDD49(_t177);
								__eflags = _t168;
								if(_t168 != 0) {
									goto L15;
								} else {
									_t177 = L"%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\System Tools\\Windows PowerShell.lnk";
									_t170 = E00ACDD49(_t177);
									__eflags = _t170;
									if(_t170 != 0) {
										goto L15;
									} else {
										_t177 = L"%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Windows PowerShell\\Windows PowerShell.lnk";
										goto L14;
									}
								}
							} else {
								_t177 = L"%AppData%\\Microsoft\\Windows\\Start Menu\\Programs\\Windows PowerShell\\Windows PowerShell(x86).lnk";
								_t172 = E00ACDD49(_t177);
								__eflags = _t172;
								if(_t172 != 0) {
									L15:
									_t260 = _t177;
									goto L16;
								} else {
									_t177 = L"%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\Windows PowerShell (x86).lnk";
									_t173 = E00ACDD49(_t177);
									__eflags = _t173;
									if(_t173 != 0) {
										goto L15;
									} else {
										_t177 = L"%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Windows PowerShell\\Windows PowerShell (x86).lnk";
										L14:
										_t171 = E00ACDD49(_t177);
										__eflags = _t171;
										if(_t171 != 0) {
											goto L15;
										}
									}
								}
							}
						} else {
							_t260 =  *(_t275 - 0x24);
							L16:
							_t263 = 1;
						}
						_t175 = 0;
						_t230 = 0x6d;
						 *(_t275 - 0x18) = 0;
						_t108 = E00ACE3BE(_t230, _t275 - 0x18); // executed
						if(_t108 >= 0) {
							SetConsoleTitleW( *(_t275 - 0x18));
							free( *(_t275 - 0x18));
							L20:
							E00ACE475(_t260, 0x7ffffffe, _t275 - 0x18);
							E00ACE440(0xad1708,  *(_t275 - 0x18) + 1, _t260);
							if(_t263 == 0) {
								goto L21;
							}
							goto L22;
						}
					}
				} else {
					L21:
					E00ACE475(_t260, 0x7ffffffe, _t275 - 0x18);
					E00ACE440(0xad1708,  *(_t275 - 0x18) + 1, _t260);
					L22:
					 *(_t275 - 0x30) = _t175;
					 *(_t275 - 4) = _t175;
					 *(_t275 - 0x28) = _t175;
					_t105 = _t275 - 0x28;
					 *(_t275 - 4) = 1;
					__imp__CoCreateInstance(0xac3da8, _t175, 1, 0xac4668, _t105);
					_t264 = _t105;
					if(_t264 >= 0) {
						_t110 =  *(_t275 - 0x28);
						 *0xad2204(_t110, 0xac3dd8, _t275 - 0x30);
						_t264 =  *( *_t110)();
						if(_t264 >= 0) {
							_t113 =  *(_t275 - 0x30);
							_t240 = 2;
							 *0xad2204(_t113, 0xad1708, _t240);
							_t115 =  *((intOrPtr*)( *((intOrPtr*)( *_t113 + 0x14))))();
							 *(_t275 - 0x34) = _t175;
							if(_t115 < 0) {
								E00ACE475(L"%windir%\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", 0x7ffffffe, _t275 - 0x18);
								E00ACE440(0xad1708,  *(_t275 - 0x18) + 1, L"%windir%\\System32\\WindowsPowerShell\\v1.0\\powershell.exe");
								goto L28;
							} else {
								_t154 =  *(_t275 - 0x28);
								 *0xad2204(_t154, 0xad1708, 0x104, _t275 - 0x34);
								_t264 =  *((intOrPtr*)( *_t154 + 0x40))();
								if(_t264 >= 0) {
									L28:
									 *(_t275 - 0x1c) = _t175;
									_t119 = 2;
									 *(_t275 - 4) = _t119;
									_t120 = _t275 - 0x1c;
									__imp__CoCreateInstance(0xac3dc8, _t175, 3, 0xac4648, _t120);
									_t264 = _t120;
									__eflags = _t264;
									if(_t264 >= 0) {
										 *(_t275 - 0x14) = _t175;
										 *(_t275 - 4) = 3;
										_t190 = 0x76;
										 *(_t275 - 0x10) = _t175;
										 *(_t275 - 0x18) = _t175;
										_t264 = E00ACE3BE(_t190, _t275 - 0x10);
										__eflags = _t264;
										if(_t264 >= 0) {
											_t192 = 0x77;
											E00ACE3BE(_t192, _t275 - 0x18);
											_t126 = E00ACD8B0(_t175,  *(_t275 - 0x10), _t260, _t260, _t264, __eflags);
											_t264 = _t126;
											__imp__??_V@YAXPAX@Z( *(_t275 - 0x24), _t192, _t192, 0xad1708,  *(_t275 - 0x34), 1, _t192, _t275 - 0x14);
											free( *(_t275 - 0x10));
											free( *(_t275 - 0x18));
											__eflags = _t264;
											if(_t264 >= 0) {
												_t127 =  *(_t275 - 0x1c);
												 *0xad2204(_t127,  *(_t275 - 0x14));
												_t264 =  *((intOrPtr*)( *((intOrPtr*)( *_t127 + 0x14))))();
												__eflags = _t264;
												if(_t264 >= 0) {
													_t130 = E00ACD76F();
													__eflags = _t130;
													if(_t130 == 0) {
														L39:
														 *(_t275 - 0x2c) = _t175;
														 *(_t275 - 4) = 4;
														_t131 =  *(_t275 - 0x1c);
														 *0xad2204(_t131, 0xac46a8, _t275 - 0x2c);
														_t264 =  *( *_t131)();
														__eflags = _t264;
														if(_t264 >= 0) {
															_t202 =  *((intOrPtr*)(_t275 - 0x38));
															 *0xad2204(_t202,  *(_t275 - 0x2c));
															_t264 =  *((intOrPtr*)( *((intOrPtr*)( *_t202 + 0x1c))))();
														}
														E00ACAA7D(_t275 - 0x2c);
													} else {
														_t204 = 0x7a;
														_t264 = E00ACE3BE(_t204, _t275 - 0x10);
														__eflags = _t264;
														if(_t264 >= 0) {
															_t205 = 0x7b;
															E00ACE3BE(_t205, _t275 - 0x18);
															__imp__#30(_t275 - 0x14, _t175);
															_t261 = L"%systemroot%\\system32\\windowspowershell\\v1.0\\powershell_ise.exe";
															_push(_t275 - 0x14);
															_push(_t205);
															_push(1);
															_push(_t175);
															_push(_t261);
															_push(_t205);
															_push(_t205);
															_t264 = E00ACD8B0(_t175,  *(_t275 - 0x10), _t261, _t261, _t264, __eflags);
															free( *(_t275 - 0x10));
															free( *(_t275 - 0x18));
															__eflags = _t264;
															if(_t264 >= 0) {
																_t143 =  *(_t275 - 0x1c);
																 *0xad2204(_t143,  *(_t275 - 0x14));
																_t264 =  *((intOrPtr*)( *((intOrPtr*)( *_t143 + 0x14))))();
																__eflags = _t264;
																if(_t264 >= 0) {
																	_t211 = 0x65;
																	_t264 = E00ACE3BE(_t211, _t275 - 0x10);
																	__eflags = _t264;
																	if(_t264 >= 0) {
																		_t212 = 0x6f;
																		E00ACE3BE(_t212, _t275 - 0x18);
																		__imp__#30(_t275 - 0x14, _t175);
																		_push(_t275 - 0x14);
																		_push(_t212);
																		_push(_t175);
																		_push(_t175);
																		_push(_t261);
																		_push(_t212);
																		_push(_t212);
																		_t264 = E00ACD8B0(_t175,  *(_t275 - 0x10), _t261, _t261, _t264, __eflags);
																		free( *(_t275 - 0x10));
																		free( *(_t275 - 0x18));
																		__eflags = _t264;
																		if(_t264 >= 0) {
																			_t151 =  *(_t275 - 0x1c);
																			 *0xad2204(_t151,  *(_t275 - 0x14));
																			_t264 =  *((intOrPtr*)( *((intOrPtr*)( *_t151 + 0x14))))();
																			__eflags = _t264;
																			if(_t264 >= 0) {
																				goto L39;
																			}
																		}
																	}
																}
															}
														}
													}
												}
											}
										}
										E00ACAA7D(_t275 - 0x14);
									}
									E00ACAA7D(_t275 - 0x1c);
								} else {
								}
							}
						}
					}
					E00ACAA7D(_t275 - 0x28);
					E00ACAA7D(_t275 - 0x30);
					_t108 = _t264;
				}
				return E00ACB3CC(_t108);
			}

0x00acd283
0x00acd283
0x00acd28a
0x00acd28f
0x00acd292
0x00acd295
0x00acd297
0x00acd29a
0x00acd29e
0x00acd2ad
0x00acd2b0
0x00acd2b5
0x00acd2bc
0x00acd2be
0x00acd2be
0x00acd2c3
0x00acd2db
0x00acd2e1
0x00acd2e3
0x00acd3d3
0x00acd3d3
0x00000000
0x00acd2e9
0x00acd2f3
0x00acd2fe
0x00acd307
0x00acd30a
0x00acd311
0x00acd319
0x00acd332
0x00acd33a
0x00acd341
0x00acd346
0x00acd348
0x00acd371
0x00acd378
0x00acd37d
0x00acd37f
0x00000000
0x00acd381
0x00acd381
0x00acd388
0x00acd38d
0x00acd38f
0x00000000
0x00acd391
0x00acd391
0x00000000
0x00acd391
0x00acd38f
0x00acd34a
0x00acd34a
0x00acd351
0x00acd356
0x00acd358
0x00acd3a1
0x00acd3a1
0x00000000
0x00acd35a
0x00acd35a
0x00acd361
0x00acd366
0x00acd368
0x00000000
0x00acd36a
0x00acd36a
0x00acd396
0x00acd398
0x00acd39d
0x00acd39f
0x00000000
0x00000000
0x00acd39f
0x00acd368
0x00acd358
0x00acd33c
0x00acd33c
0x00acd3a3
0x00acd3a5
0x00acd3a5
0x00acd3a8
0x00acd3ad
0x00acd3ae
0x00acd3b1
0x00acd3b8
0x00acd3c1
0x00acd3ca
0x00acd3d5
0x00acd3e0
0x00acd3f1
0x00acd3f8
0x00000000
0x00000000
0x00000000
0x00acd3f8
0x00acd3b8
0x00acd3fa
0x00acd3fa
0x00acd405
0x00acd416
0x00acd41b
0x00acd41b
0x00acd41e
0x00acd421
0x00acd424
0x00acd427
0x00acd439
0x00acd43f
0x00acd443
0x00acd449
0x00acd45a
0x00acd462
0x00acd466
0x00acd46c
0x00acd471
0x00acd480
0x00acd486
0x00acd488
0x00acd48d
0x00acd4ca
0x00acd4db
0x00000000
0x00acd48f
0x00acd48f
0x00acd4a6
0x00acd4af
0x00acd4b3
0x00acd4e0
0x00acd4e0
0x00acd4e5
0x00acd4e6
0x00acd4e9
0x00acd4fa
0x00acd500
0x00acd502
0x00acd504
0x00acd50a
0x00acd50f
0x00acd516
0x00acd517
0x00acd51a
0x00acd522
0x00acd524
0x00acd526
0x00acd531
0x00acd532
0x00acd54d
0x00acd555
0x00acd557
0x00acd561
0x00acd56b
0x00acd572
0x00acd574
0x00acd57a
0x00acd588
0x00acd590
0x00acd592
0x00acd594
0x00acd59a
0x00acd59f
0x00acd5a1
0x00acd69f
0x00acd69f
0x00acd6a2
0x00acd6a9
0x00acd6b7
0x00acd6bf
0x00acd6c1
0x00acd6c3
0x00acd6c5
0x00acd6d3
0x00acd6db
0x00acd6db
0x00acd6e0
0x00acd5a7
0x00acd5ac
0x00acd5b2
0x00acd5b4
0x00acd5b6
0x00acd5c1
0x00acd5c2
0x00acd5cc
0x00acd5d5
0x00acd5da
0x00acd5db
0x00acd5dc
0x00acd5de
0x00acd5df
0x00acd5e0
0x00acd5e1
0x00acd5ef
0x00acd5f1
0x00acd5fb
0x00acd602
0x00acd604
0x00acd60a
0x00acd618
0x00acd620
0x00acd622
0x00acd624
0x00acd62f
0x00acd635
0x00acd637
0x00acd639
0x00acd644
0x00acd645
0x00acd64f
0x00acd65a
0x00acd65b
0x00acd65c
0x00acd65d
0x00acd65e
0x00acd65f
0x00acd660
0x00acd66c
0x00acd66e
0x00acd678
0x00acd67f
0x00acd681
0x00acd683
0x00acd691
0x00acd699
0x00acd69b
0x00acd69d
0x00000000
0x00000000
0x00acd69d
0x00acd681
0x00acd639
0x00acd624
0x00acd604
0x00acd5b6
0x00acd5a1
0x00acd594
0x00acd574
0x00acd6e8
0x00acd6e8
0x00acd6f0
0x00000000
0x00acd4b5
0x00acd4b3
0x00acd48d
0x00acd466
0x00acd6f8
0x00acd700
0x00acd705
0x00acd705
0x00acd70c

APIs

__EH_prolog3.LIBCMT ref: 00ACD28A
RegGetValueW.KERNELBASE(80000002,SOFTWARE\Microsoft\PowerShell\3,ConsoleHostShortcutTargetX86,10000006,00000000,00000000,?,0000002C,00ACD87D), ref: 00ACD2DB
memset.MSVCRT ref: 00ACD311
RegGetValueW.KERNELBASE(80000002,SOFTWARE\Microsoft\PowerShell\3,ConsoleHostShortcutTargetX86,10000006,00000000,?,?,00000000,?,?), ref: 00ACD332
SetConsoleTitleW.KERNEL32(00000004), ref: 00ACD3C1
free.MSVCRT(00000004), ref: 00ACD3CA
CoCreateInstance.OLE32(00AC3DA8,00000000,00000001,00AC4668,?,?,00000004), ref: 00ACD439

Part of subcall function 00ACDDCB: GetCurrentProcess.KERNEL32(?,?,00ACD2B5,0000002C,00ACD87D), ref: 00ACDDD1
Part of subcall function 00ACDDCB: IsWow64Process.KERNEL32(00000000,00000000,?,?,00ACD2B5,0000002C,00ACD87D), ref: 00ACDDE5

CoCreateInstance.OLE32(00AC3DC8,00000000,00000003,00AC4648,?,%windir%\System32\WindowsPowerShell\v1.0\powershell.exe,00000004), ref: 00ACD4FA
??_V@YAXPAX@Z.MSVCRT ref: 00ACD557
free.MSVCRT(?,?,00AD1708,?,00000001,?,?), ref: 00ACD561
free.MSVCRT(00000004,00AD1708,?,00000001,?,?), ref: 00ACD56B

Part of subcall function 00ACDD49: GetFileAttributesW.KERNEL32(%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk,00ACD37D), ref: 00ACDD4C

#30.ATL(?,00000000), ref: 00ACD5CC
free.MSVCRT(?,?,?,%systemroot%\system32\windowspowershell\v1.0\powershell_ise.exe,00000000,00000001,?,?), ref: 00ACD5F1
free.MSVCRT(00000004,?,%systemroot%\system32\windowspowershell\v1.0\powershell_ise.exe,00000000,00000001,?,?), ref: 00ACD5FB
#30.ATL(?,00000000,?,?), ref: 00ACD64F
free.MSVCRT(?,?,?,%systemroot%\system32\windowspowershell\v1.0\powershell_ise.exe,00000000,00000000,?,?,?,?), ref: 00ACD66E
free.MSVCRT(00000004,?,%systemroot%\system32\windowspowershell\v1.0\powershell_ise.exe,00000000,00000000,?,?,?,?), ref: 00ACD678

Strings

ConsoleHostShortcutTargetX86, xrefs: 00ACD2B5
%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell(x86).lnk, xrefs: 00ACD34A
%ProgramData%\Microsoft\Windows\Start Menu\Programs\System Tools\Windows PowerShell.lnk, xrefs: 00ACD381
SOFTWARE\Microsoft\PowerShell\3, xrefs: 00ACD2D1, 00ACD328
ConsoleHostShortcutTarget, xrefs: 00ACD2BE, 00ACD2D0, 00ACD327
%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell (x86).lnk, xrefs: 00ACD36A
%windir%\System32\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00ACD4BD, 00ACD4D7
%systemroot%\system32\windowspowershell\v1.0\powershell_ise.exe, xrefs: 00ACD5D5, 00ACD5DF, 00ACD65E
%ProgramData%\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Windows PowerShell (x86).lnk, xrefs: 00ACD35A
%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk, xrefs: 00ACD371, 00ACD3ED, 00ACD412
%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk, xrefs: 00ACD391

Memory Dump Source

Source File: 00000000.00000002.704615943.0000000000AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000000.00000002.704561834.0000000000AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.704801424.0000000000AD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.704853752.0000000000AD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.705229402.0000000000B24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ac0000_powershell.jbxd

Similarity

API ID: free$CreateInstanceProcessValue$AttributesConsoleCurrentFileH_prolog3TitleWow64memset
String ID: %AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell(x86).lnk$%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk$%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell (x86).lnk$%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk$%ProgramData%\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Windows PowerShell (x86).lnk$%ProgramData%\Microsoft\Windows\Start Menu\Programs\System Tools\Windows PowerShell.lnk$%systemroot%\system32\windowspowershell\v1.0\powershell_ise.exe$%windir%\System32\WindowsPowerShell\v1.0\powershell.exe$ConsoleHostShortcutTarget$ConsoleHostShortcutTargetX86$SOFTWARE\Microsoft\PowerShell\3
API String ID: 1682600771-3771833276
Opcode ID: d444223fcb5387a162f045f839147b7e042899a200d748b7bb7c6368c4d31bef
Instruction ID: 9d1d5b077118d52df10bb70c295c5b82aaa90afb0516aa3a94cce992b6bb7bd2
Opcode Fuzzy Hash: d444223fcb5387a162f045f839147b7e042899a200d748b7bb7c6368c4d31bef
Instruction Fuzzy Hash: 53D17171E01219ABDB15DBA4DD45FEEBBB5AF48710F12452DF902BB290DB70AD01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00AC96A0 Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 395
registryCOMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 42%

			E00AC96A0(void** _a4, short** _a8, void** _a12, long* _a16) {
				wchar_t* _v8;
				int _v12;
				long _v16;
				int _v20;
				void* _v24;
				void* _v28;
				int _v32;
				void* _v36;
				long _v40;
				wchar_t* _v44;
				struct _FILETIME _v52;
				intOrPtr* _t74;
				long _t76;
				void* _t78;
				void* _t79;
				void* _t85;
				intOrPtr* _t86;
				void* _t93;
				void* _t96;
				void* _t97;
				void* _t99;
				void* _t100;
				intOrPtr* _t101;
				void* _t106;
				intOrPtr* _t111;
				long _t112;
				void* _t113;
				void* _t116;
				signed int _t119;
				intOrPtr* _t130;
				wchar_t* _t136;
				void* _t137;
				short** _t138;
				void* _t139;
				intOrPtr* _t140;
				long _t141;
				void* _t142;
				wchar_t* _t149;
				void* _t150;
				void* _t155;
				signed int _t156;
				void* _t166;
				intOrPtr _t167;
				long _t168;
				intOrPtr* _t169;
				short* _t170;
				void* _t171;
				void* _t173;
				intOrPtr* _t174;
				void** _t177;
				void* _t178;
				intOrPtr* _t180;
				void* _t181;
				void* _t183;
				void* _t185;
				intOrPtr* _t188;
				void* _t189;
				void* _t190;

				_v24 = 0;
				if(_a4 == 0 || _a8 == 0) {
					L8:
					return 0;
				} else {
					_t74 = _a12;
					if(_t74 == 0) {
						goto L8;
					} else {
						_t140 = _a16;
						if(_t140 == 0) {
							goto L8;
						} else {
							 *_t140 = 0xffffffff;
							_t167 =  *_t74;
							_t76 = RegOpenKeyExW(0x80000002, L"SOFTWARE\\Microsoft\\PowerShell", 0, 0x20019,  &_v24); // executed
							_t141 = _t76;
							if(_t141 == 0) {
								_push(0x200);
								_t136 = E00ACACEC();
								_t190 = _t189 + 4;
								_v8 = _t136;
								__eflags = _t136;
								if(_t136 == 0) {
									L72:
									_t137 = 0;
									__eflags = 0;
								} else {
									_v20 = 0x100;
									_v36 = 0;
									_t168 = 0;
									_v12 = 0;
									_t85 = RegEnumKeyExW(_v24, 0, _t136,  &_v20, 0, 0, 0,  &_v52); // executed
									_t142 = _t85;
									_v32 = 1;
									__eflags = _t142 - 0x103;
									if(_t142 == 0x103) {
										L71:
										_t86 =  *0xad16fc; // 0x3463d68
										 *0xad2204(_t86, 0, 0x1d);
										 *((intOrPtr*)( *((intOrPtr*)( *_t86 + 4))))();
										_t190 = _t190 + 0xc;
										goto L72;
									} else {
										while(1) {
											__eflags = _t142;
											if(_t142 != 0) {
												break;
											}
											_v16 = 0;
											_v40 = 0;
											_t93 = E00ACA390(_t136);
											__eflags = _t93;
											if(_t93 != 0) {
												L60:
												_v20 = 0x100;
												_t96 = RegEnumKeyExW(_v24, _v32, _t136,  &_v20, 0, 0, 0,  &_v52); // executed
												_v32 = _v32 + 1;
												_t142 = _t96;
												__eflags = _t142 - 0x103;
												if(_t142 != 0x103) {
													continue;
												} else {
													_t97 = _v36;
													__eflags = _t97;
													if(_t97 == 0) {
														goto L71;
													} else {
														_t177 = _a12;
														_t138 = _a8;
														 *_t177 = _t97;
														 *_a16 = _t168;
														_t99 = E00ACA3B0(0xad16f8, L"SOFTWARE\\Microsoft\\PowerShell\\%1!ls!\\PowerShellEngine", _t138,  &_v44, 0x17, _t97);
														_t190 = _t190 + 0x18;
														__eflags = _t99;
														if(_t99 == 0) {
															goto L72;
														} else {
															_t170 =  *_t138;
															_t137 = 1;
															_t178 =  *_t177;
															_v44 = _t178;
															_v36 = _t170;
															_t100 = RegOpenKeyExW(0x80000002, _t170, 0, 0x20019, _a4); // executed
															_t142 = _t100;
															__eflags = _t142;
															if(_t142 != 0) {
																__eflags = _t142 - 2;
																if(_t142 != 2) {
																	_push(_v36);
																	_push(0x14);
																	L69:
																	_t169 =  *0xad16fc; // 0x3463d68
																	 *0xad2204(_t142);
																	 *((intOrPtr*)( *((intOrPtr*)( *_t169 + 8))))();
																} else {
																	_t101 =  *0xad16fc; // 0x3463d68
																	__eflags = _t178;
																	_t180 =  *((intOrPtr*)( *_t101 + 4));
																	if(_t178 != 0) {
																		 *0xad2204(_t101, 0, 0x27, _t170, _v44);
																		 *_t180();
																		_t190 = _t190 + 0x14;
																	} else {
																		 *0xad2204(_t101, 0, 0x1e, _t170);
																		 *_t180();
																		_t190 = _t190 + 0x10;
																	}
																}
																goto L72;
															}
														}
													}
												}
											} else {
												_v28 = 0;
												_t106 = E00ACA390(_t136);
												__eflags = _t106;
												if(_t106 != 0) {
													goto L60;
												} else {
													_t171 = wcschr(_t136, 0x2e);
													_t181 = wcschr(_t136, 0);
													_t190 = _t190 + 0x10;
													__eflags = _t181;
													if(_t181 == 0) {
														L59:
														_t168 = _v12;
														goto L60;
													} else {
														__eflags = _t171;
														if(_t171 == 0) {
															_t149 = _t136;
															_t139 = 1;
															__eflags =  *_t181 - 0x30 - 9;
															if( *_t181 - 0x30 > 9) {
																_t111 = _v8;
																__eflags = 0 -  *_t111;
																if(0 ==  *_t111) {
																	L32:
																	_t112 = _v16;
																	_t139 = 0;
																	__eflags = 0;
																	goto L33;
																} else {
																	__eflags = _t111 - _t181;
																	if(_t111 >= _t181) {
																		goto L32;
																	} else {
																		while(1) {
																			__eflags =  *_t149 - 0x30;
																			if( *_t149 != 0x30) {
																				break;
																			}
																			_t149 =  &(_t149[0]);
																			__eflags = _t149 - _t181;
																			if(_t149 < _t181) {
																				continue;
																			}
																			break;
																		}
																		__eflags = (_t181 - _t149 & 0xfffffffe) - 0x14;
																		if((_t181 - _t149 & 0xfffffffe) <= 0x14) {
																			_v44 = 0;
																			_t112 = wcstoul(_t149,  &_v44, 0xa);
																			_t190 = _t190 + 0xc;
																			__eflags = _t181 - _v44;
																			if(_t181 != _v44) {
																				L31:
																				_t112 = _v16;
																				_t139 = 0;
																				_t150 = _v28;
																				goto L35;
																			} else {
																				__eflags = _t112 - 0x7fffffff;
																				if(_t112 <= 0x7fffffff) {
																					L33:
																					__eflags = _t139;
																					if(_t139 == 0) {
																						goto L58;
																					} else {
																						_t150 = 0;
																						__eflags = 0;
																						goto L35;
																					}
																				} else {
																					goto L31;
																				}
																			}
																		} else {
																			_t112 = _v16;
																			_t139 = 0;
																			_t150 = 0;
																			goto L35;
																		}
																	}
																}
															} else {
																_t112 = _v16;
																_t139 = 0;
																_t150 = _v28;
																goto L35;
															}
														} else {
															_t139 = E00ACF739(_t142, _t136, _t171,  &_v40);
															__eflags = _t139;
															if(_t139 == 0) {
																L58:
																_t136 = _v8;
																goto L59;
															} else {
																_t112 = _v40;
																_t22 = _t171 + 2; // 0x2
																_t150 = _t22;
																L35:
																_t168 = _v12;
																__eflags = _t139;
																if(_t139 == 0) {
																	L57:
																	_t136 = _v8;
																	goto L60;
																} else {
																	__eflags = _t150;
																	if(_t150 != 0) {
																		goto L57;
																	} else {
																		__eflags = _t112 - _t168;
																		if(_t112 <= _t168) {
																			goto L57;
																		} else {
																			_t168 = _t112;
																			_t113 = _v36;
																			_t183 = _v20 + 1;
																			_v12 = _t168;
																			__eflags = _t113;
																			if(__eflags != 0) {
																				__imp__??_V@YAXPAX@Z(_t113);
																				_t190 = _t190 + 4;
																			}
																			_push( ~(0 | __eflags > 0x00000000) | _t183 * 0x00000002);
																			_t116 = E00ACACEC();
																			_t190 = _t190 + 4;
																			_v36 = _t116;
																			__eflags = _t116;
																			if(_t116 == 0) {
																				goto L72;
																			} else {
																				_t155 = 0;
																				__eflags = _t183;
																				if(_t183 == 0) {
																					L43:
																					_t155 = 0x80070057;
																				} else {
																					__eflags = _t183 - 0x7fffffff;
																					if(_t183 > 0x7fffffff) {
																						goto L43;
																					}
																				}
																				__eflags = _t155;
																				if(_t155 < 0) {
																					__eflags = _t183;
																					if(_t183 != 0) {
																						__eflags = 0;
																						 *_t116 = 0;
																					}
																				} else {
																					_t156 = _t183;
																					_t166 = _t116;
																					__eflags = _t183;
																					if(_t183 == 0) {
																						L52:
																						_t166 = _t166 - 2;
																						__eflags = _t166;
																					} else {
																						_t173 = 0x7ffffffe - _t183;
																						_t185 = _v8 - _t116;
																						__eflags = _t185;
																						while(1) {
																							__eflags = _t173 + _t156;
																							if(_t173 + _t156 == 0) {
																								break;
																							}
																							_t119 =  *(_t185 + _t166) & 0x0000ffff;
																							__eflags = _t119;
																							if(_t119 == 0) {
																								break;
																							} else {
																								 *_t166 = _t119;
																								_t166 = _t166 + 2;
																								_t156 = _t156 - 1;
																								__eflags = _t156;
																								if(_t156 != 0) {
																									continue;
																								} else {
																									goto L52;
																								}
																							}
																							goto L53;
																						}
																						__eflags = _t156;
																						if(_t156 == 0) {
																							goto L52;
																						}
																					}
																					L53:
																					_t168 = _v12;
																					 *_t166 = 0;
																					asm("sbb ecx, ecx");
																					_t155 = ( ~_t156 & 0x7ff8ff86) + 0x8007007a;
																				}
																				__eflags = _t155;
																				if(_t155 < 0) {
																					goto L72;
																				} else {
																					goto L57;
																				}
																			}
																		}
																	}
																}
															}
														}
													}
												}
											}
											goto L73;
										}
										_push(L"SOFTWARE\\Microsoft\\PowerShell");
										_push(0x13);
										goto L69;
									}
								}
								L73:
								_t78 = _v24;
								__eflags = _t78;
								if(_t78 != 0) {
									RegCloseKey(_t78); // executed
								}
								_t79 = _v8;
								__eflags = _t79;
								if(_t79 != 0) {
									__imp__??_V@YAXPAX@Z(_t79);
								}
								return _t137;
							} else {
								if(_t141 != 2) {
									_t174 =  *0xad16fc; // 0x3463d68
									 *0xad2204(_t141, 0x14, L"SOFTWARE\\Microsoft\\PowerShell");
									 *((intOrPtr*)( *((intOrPtr*)( *_t174 + 8))))();
									__eflags = 0;
									return 0;
								} else {
									_t130 =  *0xad16fc; // 0x3463d68
									_t188 =  *((intOrPtr*)( *_t130 + 4));
									if(_t167 != 0) {
										 *0xad2204(_t130, 0, 0x27, L"SOFTWARE\\Microsoft\\PowerShell", _t167);
										 *_t188();
										__eflags = 0;
										return 0;
									} else {
										 *0xad2204(_t130, _t167, 0x1e, L"SOFTWARE\\Microsoft\\PowerShell");
										 *_t188();
										goto L8;
									}
								}
							}
						}
					}
				}
			}

0x00ac96af
0x00ac96b6
0x00ac971e
0x00ac9726
0x00ac96be
0x00ac96be
0x00ac96c3
0x00000000
0x00ac96c5
0x00ac96c5
0x00ac96ca
0x00000000
0x00ac96cc
0x00ac96cc
0x00ac96d2
0x00ac96e9
0x00ac96ef
0x00ac96f3
0x00ac9774
0x00ac977e
0x00ac9780
0x00ac9783
0x00ac9786
0x00ac9788
0x00ac9ac6
0x00ac9ac6
0x00ac9ac6
0x00ac978e
0x00ac9790
0x00ac9797
0x00ac979a
0x00ac979f
0x00ac97af
0x00ac97b5
0x00ac97b7
0x00ac97be
0x00ac97c4
0x00ac9aaa
0x00ac9aaa
0x00ac9abb
0x00ac9ac1
0x00ac9ac3
0x00000000
0x00ac97d0
0x00ac97d0
0x00ac97d0
0x00ac97d2
0x00000000
0x00000000
0x00ac97db
0x00ac97de
0x00ac97e1
0x00ac97e6
0x00ac97e8
0x00ac99ab
0x00ac99ae
0x00ac99c7
0x00ac99cd
0x00ac99d0
0x00ac99d2
0x00ac99d8
0x00000000
0x00ac99de
0x00ac99de
0x00ac99e1
0x00ac99e3
0x00000000
0x00ac99e9
0x00ac99e9
0x00ac99ef
0x00ac99f3
0x00ac9a06
0x00ac9a08
0x00ac9a0d
0x00ac9a10
0x00ac9a12
0x00000000
0x00ac9a18
0x00ac9a1b
0x00ac9a1d
0x00ac9a1f
0x00ac9a2e
0x00ac9a31
0x00ac9a34
0x00ac9a3a
0x00ac9a3c
0x00ac9a3e
0x00ac9a44
0x00ac9a47
0x00ac9a82
0x00ac9a85
0x00ac9a87
0x00ac9a87
0x00ac9a95
0x00ac9a9d
0x00ac9a49
0x00ac9a49
0x00ac9a4e
0x00ac9a52
0x00ac9a57
0x00ac9a75
0x00ac9a7b
0x00ac9a7d
0x00ac9a59
0x00ac9a5f
0x00ac9a65
0x00ac9a67
0x00ac9a67
0x00ac9a57
0x00000000
0x00ac9a47
0x00ac9a3e
0x00ac9a12
0x00ac99e3
0x00ac97ee
0x00ac97ef
0x00ac97f6
0x00ac97fb
0x00ac97fd
0x00000000
0x00ac9803
0x00ac980f
0x00ac9817
0x00ac9819
0x00ac981c
0x00ac981e
0x00ac99a8
0x00ac99a8
0x00000000
0x00ac9824
0x00ac9824
0x00ac9826
0x00ac984b
0x00ac9851
0x00ac9853
0x00ac9857
0x00ac9863
0x00ac9868
0x00ac986b
0x00ac98bc
0x00ac98bc
0x00ac98bf
0x00ac98bf
0x00000000
0x00ac986d
0x00ac986d
0x00ac986f
0x00000000
0x00ac9871
0x00ac9871
0x00ac9871
0x00ac9875
0x00000000
0x00000000
0x00ac9877
0x00ac987a
0x00ac987c
0x00000000
0x00000000
0x00000000
0x00ac987c
0x00ac9885
0x00ac9888
0x00ac9898
0x00ac989d
0x00ac98a3
0x00ac98a6
0x00ac98a9
0x00ac98b2
0x00ac98b2
0x00ac98b5
0x00ac98b7
0x00000000
0x00ac98ab
0x00ac98ab
0x00ac98b0
0x00ac98c1
0x00ac98c1
0x00ac98c3
0x00000000
0x00ac98c9
0x00ac98c9
0x00ac98c9
0x00000000
0x00ac98c9
0x00000000
0x00000000
0x00000000
0x00ac98b0
0x00ac988a
0x00ac988a
0x00ac988d
0x00ac988f
0x00000000
0x00ac988f
0x00ac9888
0x00ac986f
0x00ac9859
0x00ac9859
0x00ac985c
0x00ac985e
0x00000000
0x00ac985e
0x00ac9828
0x00ac9833
0x00ac9835
0x00ac9837
0x00ac99a5
0x00ac99a5
0x00000000
0x00ac983d
0x00ac983d
0x00ac9840
0x00ac9840
0x00ac98cb
0x00ac98cb
0x00ac98ce
0x00ac98d0
0x00ac99a0
0x00ac99a0
0x00000000
0x00ac98d6
0x00ac98d6
0x00ac98d8
0x00000000
0x00ac98de
0x00ac98de
0x00ac98e0
0x00000000
0x00ac98e6
0x00ac98e9
0x00ac98eb
0x00ac98ee
0x00ac98ef
0x00ac98f2
0x00ac98f4
0x00ac98f7
0x00ac98fd
0x00ac98fd
0x00ac9912
0x00ac9913
0x00ac9918
0x00ac991b
0x00ac991e
0x00ac9920
0x00000000
0x00ac9926
0x00ac9926
0x00ac9928
0x00ac992a
0x00ac9934
0x00ac9934
0x00ac992c
0x00ac992c
0x00ac9932
0x00000000
0x00000000
0x00ac9932
0x00ac9939
0x00ac993b
0x00ac998f
0x00ac9991
0x00ac9993
0x00ac9995
0x00ac9995
0x00ac993d
0x00ac993d
0x00ac993f
0x00ac9941
0x00ac9943
0x00ac9972
0x00ac9972
0x00ac9972
0x00ac9945
0x00ac994a
0x00ac994f
0x00ac994f
0x00ac9951
0x00ac9954
0x00ac9956
0x00000000
0x00000000
0x00ac9958
0x00ac995c
0x00ac995f
0x00000000
0x00ac9961
0x00ac9961
0x00ac9964
0x00ac9967
0x00ac9967
0x00ac996a
0x00000000
0x00ac996c
0x00000000
0x00ac996c
0x00ac996a
0x00000000
0x00ac995f
0x00ac996e
0x00ac9970
0x00000000
0x00000000
0x00ac9970
0x00ac9975
0x00ac9975
0x00ac997c
0x00ac997f
0x00ac9987
0x00ac9987
0x00ac9998
0x00ac999a
0x00000000
0x00000000
0x00000000
0x00000000
0x00ac999a
0x00ac9920
0x00ac98e0
0x00ac98d8
0x00ac98d0
0x00ac9837
0x00ac9826
0x00ac981e
0x00ac97fd
0x00000000
0x00ac97e8
0x00ac9aa1
0x00ac9aa6
0x00000000
0x00ac9aa6
0x00ac97c4
0x00ac9ac8
0x00ac9ac8
0x00ac9acb
0x00ac9acd
0x00ac9ad0
0x00ac9ad0
0x00ac9ad6
0x00ac9ad9
0x00ac9adb
0x00ac9ade
0x00ac9ae4
0x00ac9aef
0x00ac96f5
0x00ac96f8
0x00ac974a
0x00ac975f
0x00ac9767
0x00ac9769
0x00ac9771
0x00ac96fa
0x00ac96fa
0x00ac9701
0x00ac9708
0x00ac9734
0x00ac973a
0x00ac973f
0x00ac9747
0x00ac970a
0x00ac9713
0x00ac9719
0x00000000
0x00ac971b
0x00ac9708
0x00ac96f8
0x00ac96f3
0x00ac96ca
0x00ac96c3

APIs

RegOpenKeyExW.KERNELBASE(80000002,SOFTWARE\Microsoft\PowerShell,00000000,00020019,00000000,00002014,00000001,00000000,?,?,?,?,?,00AC9B7D,00000000,?), ref: 00AC96E9
RegEnumKeyExW.KERNELBASE(00000000,00000000,00000000,00000100,00000000,00000000,00000000,?,?,?,?,?,?,?,00AC9B7D,00000000), ref: 00AC97AF
wcschr.MSVCRT ref: 00AC9806
wcschr.MSVCRT ref: 00AC9811
wcstoul.MSVCRT ref: 00AC989D
??_V@YAXPAX@Z.MSVCRT ref: 00AC98F7
RegEnumKeyExW.KERNELBASE(00000000,00000001,00000000,00000100,00000000,00000000,00000000,?,00000000,?,?,?,?,?,?,00AC9B7D), ref: 00AC99C7
RegOpenKeyExW.KERNELBASE(80000002,00000000,00000000,00020019,00000000), ref: 00AC9A34
RegCloseKey.KERNELBASE(00000000,?,?,?,?,?,?,00AC9B7D,00000000,?), ref: 00AC9AD0
??_V@YAXPAX@Z.MSVCRT ref: 00AC9ADE

Strings

SOFTWARE\Microsoft\PowerShell\%1!ls!\PowerShellEngine, xrefs: 00AC99FC
SOFTWARE\Microsoft\PowerShell, xrefs: 00AC96DF, 00AC970A, 00AC972A, 00AC9750, 00AC9AA1

Memory Dump Source

Source File: 00000000.00000002.704615943.0000000000AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000000.00000002.704561834.0000000000AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.704801424.0000000000AD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.704853752.0000000000AD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.705229402.0000000000B24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ac0000_powershell.jbxd

Similarity

API ID: EnumOpenwcschr$Closewcstoul
String ID: SOFTWARE\Microsoft\PowerShell$SOFTWARE\Microsoft\PowerShell\%1!ls!\PowerShellEngine
API String ID: 270932406-1295826426
Opcode ID: 587e3da2cbe47aa2ae60fbb2035a9f06d2afcb676da74714b24ce8dc39c6d7c7
Instruction ID: c0b21e1e60197d4e1f6fce692bed3a4699a1f29420b0b0a6222e92d7474e13c1
Opcode Fuzzy Hash: 587e3da2cbe47aa2ae60fbb2035a9f06d2afcb676da74714b24ce8dc39c6d7c7
Instruction Fuzzy Hash: E6D1AE75A41215ABDF24CBA4CC59FEF77B8EF49710F1A001EE912AB290DB319D02CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00ACA0E0 Relevance: 15.3, APIs: 10, Instructions: 256
registrywindowCOMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 46%

			E00ACA0E0(void* _a4, short* _a8, intOrPtr _a12, char** _a16) {
				short _v8;
				int _v12;
				int _v16;
				char* _v20;
				long _t67;
				long _t75;
				intOrPtr* _t77;
				intOrPtr* _t85;
				long _t88;
				intOrPtr* _t89;
				intOrPtr* _t99;
				char* _t103;
				void* _t136;
				char* _t145;
				short* _t146;
				long _t147;
				void* _t149;
				unsigned int _t150;
				signed int _t151;
				long _t154;
				long _t159;
				void* _t162;
				void* _t163;
				void* _t167;
				long _t172;

				_t136 = _a4;
				_v16 = 0;
				_v12 = 0;
				_t103 = 1;
				if(_t136 == 0 || E00ACA390(_a12) != 0 || _a16 == 0) {
					L12:
					_t103 = 0;
					_t145 = 0;
					goto L13;
				} else {
					_t146 = _a8;
					_t67 = RegQueryValueExW(_t136, _t146, 0,  &_v16, 0,  &_v12); // executed
					if(_t67 == 0) {
						__eflags = _v16 - 1;
						if(_v16 == 1) {
							_t150 = _v12;
							__eflags = _t150;
							if(__eflags != 0) {
								_t151 = _t150 >> 1;
								_t30 = _t151 + 1; // 0x1
								_push( ~(0 | __eflags > 0x00000000) | _t30 * 0x00000002);
								_t145 = E00ACACEC();
								_t163 = _t162 + 4;
								_v20 = _t145;
								__eflags = _t145;
								if(_t145 == 0) {
									L31:
									__eflags = 0;
									 *_a16 = _t145;
									return 0;
								} else {
									 *((short*)(_t145 + _t151 * 2)) = 0;
									_t75 = RegQueryValueExW(_a4, _a8, 0, 0, _t145,  &_v12); // executed
									__eflags = _t75;
									if(_t75 == 0) {
										__eflags = 0 -  *_t145;
										if(0 !=  *_t145) {
											L13:
											 *_a16 = _t145;
											return _t103;
										} else {
											_t77 =  *0xad16fc; // 0x3463d68
											 *0xad2204(_t77, 0, 0xe, _a12, _a8);
											 *((intOrPtr*)( *((intOrPtr*)( *_t77 + 4))))();
											goto L31;
										}
									} else {
										_v8 = 0;
										_t154 = FormatMessageW(0x1100, 0, _t75, 0,  &_v8, 0, 0);
										__eflags = _t154;
										if(__eflags != 0) {
											_t45 = _t154 + 1; // 0x1
											_t105 = _t45;
											_push( ~(0 | __eflags > 0x00000000) | _t45 * 0x00000002);
											_t147 = E00ACACEC();
											_t163 = _t163 + 4;
											__eflags = _t147;
											if(_t147 != 0) {
												_t88 = E00ACE440(_t147, _t105, _v8);
												__eflags = _t88;
												if(_t88 < 0) {
													_t154 = 0;
													__imp__??_V@YAXPAX@Z(_t147);
													_t163 = _t163 + 4;
													_t147 = 0;
													__eflags = 0;
												}
											}
											LocalFree(_v8);
											__eflags = _t154;
											if(_t154 != 0) {
												_t85 =  *0xad16fc; // 0x3463d68
												 *0xad2204(_t85, 0, 0x16, _a12, _a8, _t147);
												 *((intOrPtr*)( *((intOrPtr*)( *_t85 + 4))))();
												_t163 = _t163 + 0x18;
												__eflags = _t147;
												if(_t147 != 0) {
													__imp__??_V@YAXPAX@Z(_t147);
													_t163 = _t163 + 4;
												}
											}
										}
										_push(_v20);
										goto L11;
									}
								}
							} else {
								_push(_t146);
								_push(_a12);
								_push(0xe);
								goto L16;
							}
						} else {
							_push(_t146);
							_push(_a12);
							_push(0x18);
							L16:
							_t89 =  *0xad16fc; // 0x3463d68
							 *0xad2204(_t89, 0);
							 *((intOrPtr*)( *((intOrPtr*)( *_t89 + 4))))();
							__eflags = 0;
							 *_a16 = 0;
							return 0;
						}
					} else {
						_v8 = 0;
						_t159 = FormatMessageW(0x1100, 0, _t67, 0,  &_v8, 0, 0);
						_t172 = _t159;
						if(_t172 != 0) {
							_t11 = _t159 + 1; // 0x1
							_t107 = _t11;
							_push( ~(0 | _t172 > 0x00000000) | _t11 * 0x00000002);
							_t149 = E00ACACEC();
							_t167 = _t162 + 4;
							if(_t149 != 0 && E00ACE440(_t149, _t107, _v8) < 0) {
								_t159 = 0;
								__imp__??_V@YAXPAX@Z(_t149);
								_t167 = _t167 + 4;
								_t149 = 0;
							}
							LocalFree(_v8);
							if(_t159 != 0) {
								_t99 =  *0xad16fc; // 0x3463d68
								 *0xad2204(_t99, 0, 0x16, _a12, _a8, _t149);
								 *((intOrPtr*)( *((intOrPtr*)( *_t99 + 4))))();
								_t163 = _t167 + 0x18;
								if(_t149 != 0) {
									_push(_t149);
									L11:
									__imp__??_V@YAXPAX@Z();
								}
							}
						}
						goto L12;
					}
				}
			}

0x00aca0e8
0x00aca0eb
0x00aca0f2
0x00aca0fa
0x00aca100
0x00aca1ea
0x00aca1ea
0x00aca1ec
0x00000000
0x00aca120
0x00aca120
0x00aca131
0x00aca139
0x00aca1fe
0x00aca202
0x00aca239
0x00aca23c
0x00aca23e
0x00aca249
0x00aca252
0x00aca25e
0x00aca264
0x00aca266
0x00aca269
0x00aca26c
0x00aca26e
0x00aca379
0x00aca37c
0x00aca37e
0x00aca388
0x00aca274
0x00aca276
0x00aca289
0x00aca28f
0x00aca291
0x00aca34c
0x00aca34f
0x00aca1ee
0x00aca1f1
0x00aca1fb
0x00aca355
0x00aca355
0x00aca36e
0x00aca374
0x00000000
0x00aca376
0x00aca297
0x00aca29e
0x00aca2b6
0x00aca2b8
0x00aca2ba
0x00aca2c2
0x00aca2c2
0x00aca2d5
0x00aca2db
0x00aca2dd
0x00aca2e0
0x00aca2e2
0x00aca2eb
0x00aca2f0
0x00aca2f2
0x00aca2f5
0x00aca2f7
0x00aca2fd
0x00aca300
0x00aca300
0x00aca300
0x00aca2f2
0x00aca305
0x00aca30b
0x00aca30d
0x00aca30f
0x00aca329
0x00aca32f
0x00aca331
0x00aca334
0x00aca336
0x00aca339
0x00aca33f
0x00aca33f
0x00aca336
0x00aca30d
0x00aca342
0x00000000
0x00aca342
0x00aca291
0x00aca240
0x00aca243
0x00aca244
0x00aca245
0x00000000
0x00aca245
0x00aca204
0x00aca207
0x00aca208
0x00aca209
0x00aca20b
0x00aca20b
0x00aca21a
0x00aca220
0x00aca22a
0x00aca22c
0x00aca236
0x00aca236
0x00aca13f
0x00aca146
0x00aca15e
0x00aca160
0x00aca162
0x00aca16a
0x00aca16a
0x00aca17d
0x00aca183
0x00aca185
0x00aca18a
0x00aca19d
0x00aca19f
0x00aca1a5
0x00aca1a8
0x00aca1a8
0x00aca1ad
0x00aca1b5
0x00aca1b7
0x00aca1d1
0x00aca1d7
0x00aca1d9
0x00aca1de
0x00aca1e0
0x00aca1e1
0x00aca1e1
0x00aca1e7
0x00aca1de
0x00aca1b5
0x00000000
0x00aca162
0x00aca139

APIs

RegQueryValueExW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000000,00002014,00002014,00000001), ref: 00ACA131
FormatMessageW.KERNEL32(00001100,00000000,00000000,00000000,FFFFFFFF,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00002014,00002014,00000001), ref: 00ACA158
??_V@YAXPAX@Z.MSVCRT ref: 00ACA19F
LocalFree.KERNEL32(00000000), ref: 00ACA1AD
??_V@YAXPAX@Z.MSVCRT ref: 00ACA1E1
RegQueryValueExW.KERNELBASE(00000000,00000001,00000000,00000000,00000000,00000000), ref: 00ACA289
FormatMessageW.KERNEL32(00001100,00000000,00000000,00000000,FFFFFFFF,00000000,00000000), ref: 00ACA2B0
??_V@YAXPAX@Z.MSVCRT ref: 00ACA2F7
LocalFree.KERNEL32(00000000), ref: 00ACA305
??_V@YAXPAX@Z.MSVCRT ref: 00ACA339

Memory Dump Source

Source File: 00000000.00000002.704615943.0000000000AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000000.00000002.704561834.0000000000AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.704801424.0000000000AD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.704853752.0000000000AD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.705229402.0000000000B24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ac0000_powershell.jbxd

Similarity

API ID: FormatFreeLocalMessageQueryValue
String ID:
API String ID: 2342285590-0
Opcode ID: f491b1c029db0aa09d7df84586e5e867f2a5337d1153c523b2cc94a0f0bb8c47
Instruction ID: 1600f27b1a432c2a91bfc058966f4a101c46b3ed90f632763a4d459052444642
Opcode Fuzzy Hash: f491b1c029db0aa09d7df84586e5e867f2a5337d1153c523b2cc94a0f0bb8c47
Instruction Fuzzy Hash: C181E176A01209ABDB24CF94DC19FBB77A9AB94700F05411DFD16AB390DB71AD01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00ACB4F0 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00ACB4F0() {

				SetUnhandledExceptionFilter(E00ACB4A0); // executed
				return 0;
			}

0x00acb4f5
0x00acb4fd

APIs

SetUnhandledExceptionFilter.KERNELBASE(Function_0000B4A0), ref: 00ACB4F5

Memory Dump Source

Source File: 00000000.00000002.704615943.0000000000AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000000.00000002.704561834.0000000000AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.704801424.0000000000AD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.704853752.0000000000AD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.705229402.0000000000B24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ac0000_powershell.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 82029b851b230781849ae0c5aed4df57892ab145aa0d347be559fd19ef676c19
Instruction ID: a84bc40ecc22fd72561ffab96b53f37cd9205097f7bb7ff66c01816ece7c7b2f
Opcode Fuzzy Hash: 82029b851b230781849ae0c5aed4df57892ab145aa0d347be559fd19ef676c19
Instruction Fuzzy Hash: E290026426620457861857B05E4AB0536946B68617B930865A112D4155DB515441D621

Uniqueness

Uniqueness Score: -1.00%

Function 07C394D8 Relevance: .7, Instructions: 717
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.721463272.0000000007C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 790c14332589d96ec71076c74e65759defbb862d0c246d507367a0f96d6e53be
Instruction ID: dc65aceafbb4e4311e67825fe3639c25e3133ddc9070f70dd31b6f659430c043
Opcode Fuzzy Hash: 790c14332589d96ec71076c74e65759defbb862d0c246d507367a0f96d6e53be
Instruction Fuzzy Hash: 82529FB0600209CFDB14DF64D898BAA73B6FF85308F1485A9D90AAB7A0DB71ED45CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00AC90E0 Relevance: 47.7, APIs: 20, Strings: 7, Instructions: 444
registrythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 45%

			E00AC90E0(void* __ecx, intOrPtr _a4, signed int _a8) {
				signed int _v8;
				void* _v52;
				signed char _v68;
				void* _v72;
				void* _v104;
				void* _v108;
				char _v116;
				signed int _v120;
				int* _v124;
				int* _v132;
				int* _v136;
				void* _v144;
				void* _v148;
				short* _v152;
				int* _v156;
				void* _v160;
				void* _v164;
				void* _v168;
				int* _v172;
				void* _v176;
				int* _v180;
				int _v184;
				void* _v188;
				void* _v192;
				void* _v196;
				void* _v200;
				void* _v204;
				char _v208;
				void* _v209;
				void* _v212;
				void* _v216;
				void* _v220;
				void* _v224;
				void* _v228;
				void* _v232;
				void* _v233;
				void* _v236;
				void* _v240;
				void* _v244;
				void* _v248;
				void* _v252;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t127;
				struct HINSTANCE__* _t140;
				long _t145;
				signed int _t150;
				int* _t151;
				signed int _t152;
				intOrPtr* _t154;
				int* _t158;
				void* _t159;
				int* _t160;
				int* _t161;
				int* _t164;
				signed int _t166;
				int* _t171;
				int* _t172;
				intOrPtr* _t173;
				int* _t177;
				int* _t181;
				signed int _t183;
				signed int _t187;
				int* _t194;
				int* _t196;
				void* _t197;
				signed int _t199;
				int* _t206;
				intOrPtr* _t209;
				void* _t214;
				signed int _t215;
				void* _t216;
				int* _t217;
				void* _t220;
				short* _t221;
				short* _t222;
				int _t227;
				signed int _t228;
				signed int _t229;
				void* _t238;
				void* _t241;
				int* _t242;
				void* _t243;
				signed int _t246;
				void* _t250;
				void* _t251;
				signed int _t252;
				int* _t253;
				signed int _t255;
				int* _t256;
				wchar_t* _t257;
				signed int _t259;
				signed int _t262;
				signed int _t264;
				signed int _t267;
				signed int _t269;

				_t269 = (_t267 & 0xffffffc0) - 0xb4;
				_t127 =  *0xad1368; // 0x96213ca
				_v8 = _t127 ^ _t269;
				_t215 = _a8;
				_v120 = _t215;
				_v176 = 0;
				_v124 = 0;
				_v172 = 0;
				_v144 = 0;
				_v136 = 0;
				__imp__SetThreadUILanguage(0, _t241, _t250, _t214); // executed
				if(E00ACA830(_t238, __ecx) != 0) {
					GetStartupInfoW(_t269 + 0x58);
					if((_v68 & 0x00000001) != 0) {
						_t273 =  *((short*)(_t269 + 0x88));
						if( *((short*)(_t269 + 0x88)) != 0) {
							E00ACD7FE(_t215, _t269 + 0x58, _t241, _t250, _t273); // executed
						}
					}
				}
				_v184 = 0xffffffff;
				_v164 = 0xffffffff;
				_v160 = 0xffffffff;
				_v152 = 0xffffffff;
				_v156 = 0xffffffff;
				_v144 = 0xffffffff;
				_t239 = _t215;
				_t242 = E00ACA5B0(_a4, _t215,  &_v180,  &_v184,  &_v164,  &_v160,  &_v148,  &_v152, _t269 + 0x50,  &_v156,  &_v144);
				if(_t242 != 0) {
					L70:
					_t140 =  *0xad1928; // 0x0
					if(_t140 != 0) {
						FreeLibrary(_t140);
					}
					_pop(_t243);
					_pop(_t251);
					_pop(_t216);
					return E00ACAFD0(_t242, _t216,  *(_t269 + 0xbc) ^ _t269, _t239, _t243, _t251);
				}
				_t145 = RegOpenKeyExW(0x80000002, L"SYSTEM\\CurrentControlSet\\Control\\MiniNT", _t242, 0x20019,  &_v144); // executed
				if(_t145 != 0) {
					_t227 = _v184;
					__eflags = _t227 - 2;
					if(_t227 != 2) {
						L11:
						__eflags = _t227 - 4;
						if(_t227 == 4) {
							L13:
							_v184 = 3;
							goto L14;
						}
						__eflags = _t227 - 5;
						if(_t227 != 5) {
							goto L14;
						}
						goto L13;
					} else {
						_v184 = 1;
						L14:
						_t252 = _v160;
						__eflags = _t252 - 0xffffffff;
						 *((char*)(_t269 + 0x2f)) = _t252 == 0xffffffff;
						_t150 = E00AC9B00( &_v180,  &_v184, _v164,  &_v176, _t227, _t269 + 0x3c); // executed
						_t242 = _t150;
						__eflags = _t242;
						if(_t242 != 0) {
							_t151 = _v176;
							_t217 = _v180;
							_t253 =  *(_t269 + 0x3c);
							goto L64;
						} else {
							_t152 = _t150 | 0xffffffff;
							__eflags = _t252 - _t152;
							if(_t252 > _t152) {
								_t152 = _t252;
							}
							_t228 = _v156;
							__eflags = _t228 - _t152;
							if(_t228 > _t152) {
								_t152 = _t228;
							}
							_t229 = _v152;
							__eflags = _t229 - _t152;
							if(_t229 > _t152) {
								_t152 = _t229;
							}
							_t230 = _v148;
							_v164 = _t230;
							__eflags = _v184 - 2;
							_v144 = _t152 + 1;
							_t220 = 1 + (0 | _v184 != 0x00000002) * 2;
							__eflags = _t230;
							if(_t230 != 0) {
								_t154 =  *0xad1704; // 0x3463d68
								_t255 =  *( *_t154 + 4);
								_t230 = _t255;
								 *0xad2204(_t154, 0, 0x24, _t230);
								 *_t255();
								_t269 = _t269 + 0x10;
								_v160 = _v176;
							} else {
								_v164 = _v176;
								_v160 = _t230;
							}
							_t256 = _v180;
							_v132 = _t256;
							_v168 = 0;
							_v136 = 0;
							_v156 = 0;
							_v184 = 0;
							__eflags = _t256;
							if(_t256 != 0) {
								_v152 = 0;
								_t158 = E00ACA390(_t256);
								__eflags = _t158;
								if(_t158 != 0) {
									L44:
									_t221 = 0;
									__eflags = 0;
									goto L45;
								}
								__imp___itow_s(_t220, _t269 + 0xac, 0xb, 0xa);
								_t269 = _t269 + 0x10;
								_v148 = 0;
								_v176 = 0;
								_t177 = E00ACA390(_t256);
								__eflags = _t177;
								if(_t177 != 0) {
									L38:
									_t242 = 0xfffb0000;
									L39:
									__eflags = _t242;
									if(_t242 != 0) {
										_t221 = 0;
										goto L46;
									}
									_t181 = E00ACA3B0(0xad16f8, L"SOFTWARE\\Microsoft\\PowerShell\\%1!ls!\\PowerShellEngine",  &_v152,  &_v120, 0x17, _t269 + 0xa4);
									_t269 = _t269 + 0x18;
									__eflags = _t181;
									if(_t181 == 0) {
										goto L44;
									}
									_t221 = _v152;
									_t183 = RegOpenKeyExW(0x80000002, _t221, _t242, 0x20019,  &_v168); // executed
									_t230 = _t183;
									__eflags = _t230;
									if(_t230 == 0) {
										goto L46;
									}
									__eflags = _t230 - 2;
									if(_t230 != 2) {
										_t246 =  *0xad16fc; // 0x3463d68
										 *0xad2204(_t230, 0x14, _t221);
										_t230 = _t246;
										 *((intOrPtr*)( *((intOrPtr*)( *_t246 + 8))))();
									} else {
										_t187 =  *0xad16fc; // 0x3463d68
										_t262 =  *( *_t187 + 4);
										_t230 = _t262;
										 *0xad2204(_t187, _t242, 0x27, _t221, _v180);
										 *_t262();
										_t269 = _t269 + 0x14;
									}
									goto L44;
								}
								__eflags = 0 -  *((intOrPtr*)(_t269 + 0xa4));
								if(0 ==  *((intOrPtr*)(_t269 + 0xa4))) {
									goto L38;
								}
								_t194 = E00ACA3B0(0xad16f8, L"SOFTWARE\\Microsoft\\PowerShell\\%1!ls!",  &_v148,  &_v120, 0x17, _t269 + 0xa4);
								_t222 = _v148;
								_t269 = _t269 + 0x18;
								__eflags = _t194;
								if(_t194 != 0) {
									_t196 = RegOpenKeyExW(0x80000002, _t222, 0, 0x20019,  &_v176); // executed
									__eflags = _t196;
									if(_t196 != 0) {
										_t83 = _t196 - 2; // -2
										_t199 =  *0xad16fc; // 0x3463d68
										asm("sbb edi, edi");
										_t242 = ( ~_t83 & 0x00010000) + 0xfffa0000;
										__eflags = _t242;
										_t264 =  *( *_t199 + 4);
										_t230 = _t264;
										 *0xad2204(_t199, 0, 0x19, _v180);
										 *_t264();
										_t269 = _t269 + 0x10;
									}
								} else {
									_t242 = 0xfffb0000;
								}
								__eflags = _t222;
								if(_t222 != 0) {
									__imp__??_V@YAXPAX@Z(_t222);
									_t269 = _t269 + 4;
								}
								_t197 = _v176;
								__eflags = _t197;
								if(_t197 != 0) {
									RegCloseKey(_t197);
									_v176 = 0;
								}
								goto L39;
							} else {
								_t206 = E00AC96A0( &_v168,  &_v136,  &_v132,  &_v116);
								_t221 = _v152;
								__eflags = _t206;
								if(_t206 == 0) {
									L45:
									_t242 = 0xfffb0000;
									L46:
									__eflags = _t242;
									if(_t242 == 0) {
										_t164 = RegQueryValueExW(_v168, L"NetFrameworkV4IsInstalled", _t242, _t242, _t242,  &_v184); // executed
										__eflags = _t164;
										if(__eflags == 0) {
											_t166 = _v184 >> 1;
											_t239 = _t166 * 2 >> 0x20;
											_t230 =  ~(__eflags > 0) | _t166 * 0x00000002;
											_push( ~(__eflags > 0) | _t166 * 0x00000002);
											_t257 = E00ACACEC();
											_t269 = _t269 + 4;
											_v156 = _t257;
											__eflags = _t257;
											if(_t257 != 0) {
												memset(_t257, 0, _v184);
												_t269 = _t269 + 0xc;
												_t171 = RegQueryValueExW(_v168, L"NetFrameworkV4IsInstalled", 0, 0, _t257,  &_v184);
												__eflags = _t171;
												if(_t171 == 0) {
													_t172 = wcsncmp(_t257, L"No", 2);
													_t269 = _t269 + 0xc;
													__eflags = _t172;
													if(_t172 == 0) {
														_t173 =  *0xad1704; // 0x3463d68
														_t242 = 0xffff0000;
														_t259 =  *( *_t173 + 4);
														_t230 = _t259;
														 *0xad2204(_t173, 0, 3, _v164, _v132);
														 *_t259();
														_t269 = _t269 + 0x14;
													}
												}
											} else {
												_t242 = 0xffff0000;
											}
										}
									}
									_t159 = _v168;
									__eflags = _t159;
									if(_t159 != 0) {
										RegCloseKey(_t159);
										_v168 = 0;
									}
									__eflags = _t221;
									if(_t221 != 0) {
										__imp__??_V@YAXPAX@Z(_t221);
										_t269 = _t269 + 4;
									}
									_t160 = _v156;
									__eflags = _t160;
									if(_t160 != 0) {
										__imp__??_V@YAXPAX@Z(_t160);
										_t269 = _t269 + 4;
									}
									_t253 =  *(_t269 + 0x3c);
									_t217 = _v180;
									__eflags = _t242;
									if(_t242 == 0) {
										_t161 = L00AC8A00(_t217,  *((intOrPtr*)(_t269 + 0x60)), _v164, _t253, _t230, _v144, _a4, _v124); // executed
										_t242 = _t161;
									}
									_t151 = _v160;
									L64:
									__eflags = _t151;
									if(_t151 != 0) {
										__imp__??_V@YAXPAX@Z(_t151);
										_t269 = _t269 + 4;
									}
									__eflags = _t253;
									if(_t253 != 0) {
										__imp__??_V@YAXPAX@Z(_t253);
										_t269 = _t269 + 4;
									}
									__eflags =  *((char*)(_t269 + 0x1f));
									if( *((char*)(_t269 + 0x1f)) != 0) {
										__imp__??_V@YAXPAX@Z(_t217);
										_t269 = _t269 + 4;
									}
									goto L70;
								}
								goto L46;
							}
						}
					}
				}
				RegCloseKey(_v144);
				_t227 = _v184;
				if(_t227 == 1 || _t227 == 2) {
					_t209 =  *0xad1704; // 0x3463d68
					_t242 = 0x23;
					_v208 =  *0xac6898;
					 *0xad2204(_t209, 0, 0x23, _t227);
					 *((intOrPtr*)( *((intOrPtr*)( *_t209 + 4))))();
					_t269 = _t269 - 8 + 0x18;
					goto L70;
				} else {
					goto L11;
				}
			}

0x00ac90e8
0x00ac90ee
0x00ac90f5
0x00ac90fd
0x00ac9104
0x00ac9108
0x00ac9110
0x00ac9118
0x00ac9120
0x00ac9128
0x00ac9130
0x00ac913e
0x00ac9145
0x00ac9153
0x00ac9155
0x00ac915e
0x00ac9164
0x00ac9164
0x00ac915e
0x00ac9153
0x00ac9175
0x00ac9182
0x00ac918f
0x00ac919c
0x00ac91a9
0x00ac91b6
0x00ac91c3
0x00ac91d0
0x00ac91d4
0x00ac9660
0x00ac9660
0x00ac9667
0x00ac966a
0x00ac966a
0x00ac9679
0x00ac967a
0x00ac967b
0x00ac9686
0x00ac9686
0x00ac91ef
0x00ac91f7
0x00ac9243
0x00ac9247
0x00ac924a
0x00ac9256
0x00ac9256
0x00ac9259
0x00ac9260
0x00ac9260
0x00000000
0x00ac9260
0x00ac925b
0x00ac925e
0x00000000
0x00000000
0x00000000
0x00ac924c
0x00ac924c
0x00ac9268
0x00ac9268
0x00ac9276
0x00ac9282
0x00ac928d
0x00ac9292
0x00ac9294
0x00ac9296
0x00ac9687
0x00ac968b
0x00ac968f
0x00000000
0x00ac929c
0x00ac929c
0x00ac929f
0x00ac92a1
0x00ac92a3
0x00ac92a3
0x00ac92a5
0x00ac92a9
0x00ac92ab
0x00ac92ad
0x00ac92ad
0x00ac92af
0x00ac92b3
0x00ac92b5
0x00ac92b7
0x00ac92b7
0x00ac92b9
0x00ac92c0
0x00ac92c4
0x00ac92c9
0x00ac92d0
0x00ac92d7
0x00ac92d9
0x00ac92e9
0x00ac92f6
0x00ac92f9
0x00ac92fb
0x00ac9301
0x00ac9307
0x00ac930a
0x00ac92db
0x00ac92df
0x00ac92e3
0x00ac92e3
0x00ac930e
0x00ac9314
0x00ac9318
0x00ac9320
0x00ac9328
0x00ac9330
0x00ac9338
0x00ac933a
0x00ac9367
0x00ac936b
0x00ac9370
0x00ac9372
0x00ac94e2
0x00ac94e2
0x00ac94e2
0x00000000
0x00ac94e2
0x00ac9385
0x00ac938b
0x00ac9390
0x00ac9394
0x00ac9399
0x00ac939e
0x00ac93a0
0x00ac9461
0x00ac9461
0x00ac9466
0x00ac9466
0x00ac9468
0x00ac9560
0x00000000
0x00ac9560
0x00ac948c
0x00ac9491
0x00ac9494
0x00ac9496
0x00000000
0x00000000
0x00ac9498
0x00ac94ad
0x00ac94b3
0x00ac94b5
0x00ac94b7
0x00000000
0x00000000
0x00ac94b9
0x00ac94bc
0x00ac9543
0x00ac9554
0x00ac955a
0x00ac955c
0x00ac94c2
0x00ac94c2
0x00ac94d2
0x00ac94d5
0x00ac94d7
0x00ac94dd
0x00ac94df
0x00ac94df
0x00000000
0x00ac94bc
0x00ac93a8
0x00ac93b0
0x00000000
0x00000000
0x00ac93d4
0x00ac93d9
0x00ac93dd
0x00ac93e0
0x00ac93e2
0x00ac93fd
0x00ac9403
0x00ac9405
0x00ac940b
0x00ac940e
0x00ac9417
0x00ac9424
0x00ac9424
0x00ac942a
0x00ac942d
0x00ac942f
0x00ac9435
0x00ac9437
0x00ac9437
0x00ac93e4
0x00ac93e4
0x00ac93e4
0x00ac943a
0x00ac943c
0x00ac943f
0x00ac9445
0x00ac9445
0x00ac9448
0x00ac944c
0x00ac944e
0x00ac9451
0x00ac9457
0x00ac9457
0x00000000
0x00ac933c
0x00ac9350
0x00ac9355
0x00ac9359
0x00ac935b
0x00ac94e4
0x00ac94e4
0x00ac94e9
0x00ac94e9
0x00ac94eb
0x00ac9502
0x00ac9508
0x00ac950a
0x00ac9516
0x00ac951d
0x00ac9524
0x00ac9526
0x00ac952c
0x00ac952e
0x00ac9531
0x00ac9535
0x00ac9537
0x00ac956b
0x00ac9570
0x00ac9586
0x00ac958c
0x00ac958e
0x00ac9598
0x00ac959e
0x00ac95a1
0x00ac95a3
0x00ac95a9
0x00ac95ae
0x00ac95be
0x00ac95c1
0x00ac95c3
0x00ac95c9
0x00ac95cb
0x00ac95cb
0x00ac95a3
0x00ac9539
0x00ac9539
0x00ac9539
0x00ac9537
0x00ac950a
0x00ac95ce
0x00ac95d2
0x00ac95d4
0x00ac95d7
0x00ac95dd
0x00ac95dd
0x00ac95e5
0x00ac95e7
0x00ac95ea
0x00ac95f0
0x00ac95f0
0x00ac95f3
0x00ac95f7
0x00ac95f9
0x00ac95fc
0x00ac9602
0x00ac9602
0x00ac9605
0x00ac9609
0x00ac960d
0x00ac960f
0x00ac9628
0x00ac962d
0x00ac962d
0x00ac962f
0x00ac9633
0x00ac9633
0x00ac9635
0x00ac9638
0x00ac963e
0x00ac963e
0x00ac9641
0x00ac9643
0x00ac9646
0x00ac964c
0x00ac964c
0x00ac964f
0x00ac9654
0x00ac9657
0x00ac965d
0x00ac965d
0x00000000
0x00ac9654
0x00000000
0x00ac9361
0x00ac933a
0x00ac9296
0x00ac924a
0x00ac91fd
0x00ac9203
0x00ac920a
0x00ac9211
0x00ac921f
0x00ac9226
0x00ac9233
0x00ac9239
0x00ac923b
0x00000000
0x00000000
0x00000000
0x00000000

APIs

SetThreadUILanguage.KERNELBASE ref: 00AC9130

Part of subcall function 00ACA830: memset.MSVCRT ref: 00ACA871
Part of subcall function 00ACA830: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003), ref: 00ACA890
Part of subcall function 00ACA830: VerSetConditionMask.KERNEL32(00000000), ref: 00ACA898
Part of subcall function 00ACA830: VerSetConditionMask.KERNEL32(00000000), ref: 00ACA8A0
Part of subcall function 00ACA830: VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 00ACA8CB

GetStartupInfoW.KERNEL32(?), ref: 00AC9145
RegOpenKeyExW.KERNELBASE(80000002,SYSTEM\CurrentControlSet\Control\MiniNT,00000000,00020019,00000000,FFFFFFFF,FFFFFFFF,?,?,?,?,?,?,00000000), ref: 00AC91EF
RegCloseKey.ADVAPI32(00000000), ref: 00AC91FD
_itow_s.MSVCRT ref: 00AC9385
RegOpenKeyExW.KERNELBASE(80000002,?,00000000,00020019,?,?,?,?,?,?,?), ref: 00AC93FD
??_V@YAXPAX@Z.MSVCRT ref: 00AC943F
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?), ref: 00AC9451
RegOpenKeyExW.KERNELBASE(80000002,?,FFFB0000,00020019,?,?,?,?,?,?,?), ref: 00AC94AD

Part of subcall function 00ACD7FE: __EH_prolog3.LIBCMT ref: 00ACD805
Part of subcall function 00ACD7FE: CoInitialize.OLE32(00000000), ref: 00ACD80F
Part of subcall function 00ACD7FE: CoCreateInstance.OLE32(00AC3DB8,00000000,00000001,00AC4688,?), ref: 00ACD82F

RegQueryValueExW.KERNELBASE(?,NetFrameworkV4IsInstalled,FFFB0000,FFFB0000,FFFB0000,00000000,?), ref: 00AC9502
memset.MSVCRT ref: 00AC956B
RegQueryValueExW.ADVAPI32(?,NetFrameworkV4IsInstalled,00000000,00000000,00000000,?), ref: 00AC9586
wcsncmp.MSVCRT(00000000,00AC4084,00000002), ref: 00AC9598
RegCloseKey.ADVAPI32(00000000,?), ref: 00AC95D7
??_V@YAXPAX@Z.MSVCRT ref: 00AC95EA
??_V@YAXPAX@Z.MSVCRT ref: 00AC95FC
??_V@YAXPAX@Z.MSVCRT ref: 00AC9638
??_V@YAXPAX@Z.MSVCRT ref: 00AC9646
??_V@YAXPAX@Z.MSVCRT ref: 00AC9657
FreeLibrary.KERNEL32(00000000,FFFFFFFF,FFFFFFFF,?,?,?,?,?,?,00000000), ref: 00AC966A

Strings

Start, xrefs: 00AC8D6D
SOFTWARE\Microsoft\PowerShell\%1!ls!\PowerShellEngine, xrefs: 00AC9482
Microsoft.PowerShell.UnmanagedPSEntry, xrefs: 00AC8C4E
SOFTWARE\Microsoft\PowerShell\%1!ls!, xrefs: 00AC93CA
NetFrameworkV4IsInstalled, xrefs: 00AC94F9, 00AC957D
SYSTEM\CurrentControlSet\Control\MiniNT, xrefs: 00AC91E5
wks, xrefs: 00AC8A7B

Memory Dump Source

Source File: 00000000.00000002.704615943.0000000000AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000000.00000002.704561834.0000000000AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.704801424.0000000000AD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.704853752.0000000000AD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.705229402.0000000000B24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ac0000_powershell.jbxd

Similarity

API ID: CloseConditionMaskOpen$InfoQueryValuememset$CreateFreeH_prolog3InitializeInstanceLanguageLibraryStartupThreadVerifyVersion_itow_swcsncmp
String ID: Microsoft.PowerShell.UnmanagedPSEntry$NetFrameworkV4IsInstalled$SOFTWARE\Microsoft\PowerShell\%1!ls!$SOFTWARE\Microsoft\PowerShell\%1!ls!\PowerShellEngine$SYSTEM\CurrentControlSet\Control\MiniNT$Start$wks
API String ID: 4049126617-3807573465
Opcode ID: 8464e254d262da4b53e413557e37e3d59a9cf562411c145a24b33ca5c0b21f27
Instruction ID: a2eaf1107e2b621a3000178b01eaa9dc36ab59b6c4417a872e570a4f3cac98cf
Opcode Fuzzy Hash: 8464e254d262da4b53e413557e37e3d59a9cf562411c145a24b33ca5c0b21f27
Instruction Fuzzy Hash: 2FF17B71608345ABD720CF64CD89FABBBE8BF88714F05091EFA9697290D770D905CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00AC9B00 Relevance: 40.7, APIs: 18, Strings: 5, Instructions: 489
registrywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 60%

			E00AC9B00(wchar_t* _a4, wchar_t** _a8, intOrPtr _a12, intOrPtr _a16, short* _a24) {
				signed int _v8;
				char _v32;
				intOrPtr _v44;
				char _v45;
				wchar_t* _v52;
				wchar_t* _v56;
				short _v60;
				void* _v64;
				wchar_t* _v68;
				wchar_t* _v72;
				wchar_t* _v76;
				wchar_t* _v80;
				long _v84;
				wchar_t** _v88;
				wchar_t* _v92;
				intOrPtr _v96;
				short* _v100;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t104;
				void* _t111;
				wchar_t* _t112;
				short _t113;
				void* _t116;
				long _t117;
				signed int _t119;
				long _t123;
				long _t128;
				long _t137;
				long _t145;
				intOrPtr _t147;
				void* _t148;
				void* _t149;
				long _t150;
				long _t160;
				void* _t166;
				long _t172;
				void* _t179;
				long _t181;
				void* _t182;
				long _t184;
				void* _t189;
				intOrPtr _t190;
				int _t191;
				wchar_t** _t196;
				signed int _t219;
				wchar_t* _t220;
				long _t221;
				void* _t228;
				long _t229;
				short* _t230;
				wchar_t* _t233;
				wchar_t* _t235;
				signed int _t239;
				void* _t240;
				void* _t241;
				short* _t256;

				_t104 =  *0xad1368; // 0x96213ca
				_v8 = _t104 ^ _t239;
				_t226 = _a4;
				_t196 = _a8;
				_v92 = _t226;
				_v88 = _t196;
				_v64 = 0;
				_v45 = 1;
				_v52 = 0;
				_v80 = 0;
				_v60 = 0;
				_t190 = _a16;
				_v96 = _t190;
				_t231 = _a24;
				_v100 = _t231;
				if(_t226 == 0 || _t196 == 0 || _t190 == 0 || _t231 == 0) {
					return E00ACAFD0(0xfffb0000, _t190, _v8 ^ _t239, _t226, _t228, _t231);
				} else {
					_t229 =  *_t226;
					_t191 = 0;
					_v72 = _t229;
					if(_t229 != 0) {
						_t226 =  *_t196;
						_v56 = 0;
						if(E00ACA390(_t229) != 0) {
							L27:
							_t110 = 0;
							goto L28;
						} else {
							if(_t226 == 4 || _t226 == 5) {
								_t226 = 3;
							}
							__imp___itow_s(_t226,  &_v32, 0xb, 0xa);
							_t240 = _t240 + 0x10;
							_v76 = 0;
							_v68 = 0;
							if(E00ACA390(_t229) != 0 || 0 == _v32) {
								_t191 = 0xfffb0000;
							} else {
								_t179 = E00ACA3B0(0xad16f8, L"SOFTWARE\\Microsoft\\PowerShell\\%1!ls!",  &_v76,  &_v84, 0x17,  &_v32);
								_t230 = _v76;
								_t240 = _t240 + 0x18;
								if(_t179 != 0) {
									_t181 = RegOpenKeyExW(0x80000002, _t230, 0, 0x20019,  &_v68);
									if(_t181 != 0) {
										_t31 = _t181 - 2; // -2
										_t184 =  *0xad16fc; // 0x3463d68
										asm("sbb ebx, ebx");
										_t191 = ( ~_t31 & 0x00010000) + 0xfffa0000;
										_t231 =  *( *_t184 + 4);
										 *0xad2204(_t184, 0, 0x19, _v72);
										 *( *( *_t184 + 4))();
										_t240 = _t240 + 0x10;
									}
								} else {
									_t191 = 0xfffb0000;
								}
								if(_t230 != 0) {
									__imp__??_V@YAXPAX@Z(_t230);
									_t240 = _t240 + 4;
								}
								_t182 = _v68;
								if(_t182 != 0) {
									RegCloseKey(_t182);
									_v68 = 0;
								}
								_t229 = _v72;
							}
							if(_t191 != 0) {
								_t110 = 0;
							} else {
								_t166 = E00ACA3B0(0xad16f8, L"SOFTWARE\\Microsoft\\PowerShell\\%1!ls!\\PowerShellEngine",  &_v56,  &_v84, 0x17,  &_v32);
								_t240 = _t240 + 0x18;
								if(_t166 == 0) {
									goto L27;
								} else {
									_t231 = _v56;
									_t221 = RegOpenKeyExW(0x80000002, _t231, _t191, 0x20019,  &_v64);
									if(_t221 == 0) {
										_t110 = _t231;
										_v52 = _t231;
									} else {
										if(_t221 != 2) {
											_t229 =  *0xad16fc; // 0x3463d68
											_t231 =  *( *_t229 + 8);
											 *0xad2204(_t221, 0x14, _t231);
											 *( *( *_t229 + 8))();
										} else {
											_t172 =  *0xad16fc; // 0x3463d68
											_t231 =  *( *_t172 + 4);
											 *0xad2204(_t172, _t191, 0x27, _v56, _t229);
											 *( *( *_t172 + 4))();
											_t240 = _t240 + 0x14;
										}
										goto L27;
									}
								}
							}
						}
					} else {
						_t189 = E00AC96A0( &_v64,  &_v80, _t226, _t196); // executed
						_t110 = _v80;
						_v52 = _v80;
						if(_t189 == 0) {
							L28:
							_t191 = 0xfffb0000;
						} else {
						}
					}
					if(_t191 == 0) {
						_t111 = E00ACA0E0(_v64, L"PowerShellVersion", _t110,  &_v60); // executed
						if(_t111 == 0) {
							L61:
							_t191 = 0xfffb0000;
						} else {
							_t233 = _v60;
							if(E00ACA390(_t233) != 0) {
								L60:
								_t128 =  *0xad16fc; // 0x3463d68
								_t231 =  *( *_t128 + 4);
								 *0xad2204(_t128, 0, 0x1b, _v52, L"PowerShellVersion");
								 *( *( *_t128 + 4))();
								_t240 = _t240 + 0x14;
								goto L61;
							} else {
								_t229 = wcschr(_t233, 0x2e);
								_t240 = _t240 + 8;
								if(_t229 == 0) {
									goto L60;
								} else {
									_t226 = _t233;
									if( *_t229 - 0x30 <= 9 || _t226 == 0 || 0 ==  *_t233 || _t226 >= _t229) {
										goto L60;
									} else {
										while( *_t226 == 0x30) {
											_t226 =  &(_t226[0]);
											if(_t226 < _t229) {
												continue;
											}
											break;
										}
										if((_t229 - _t226 & 0xfffffffe) > 0x14) {
											goto L60;
										} else {
											_v76 = 0;
											_t137 = wcstoul(_t226,  &_v76, 0xa);
											_t240 = _t240 + 0xc;
											_v84 = _t137;
											if(_t229 != _v76 || _t137 > 0x7fffffff) {
												goto L60;
											} else {
												_v56 = 0;
												while(1) {
													_t54 = _t229 + 2; // 0x2
													_t235 = _t54;
													_t229 = wcschr(_t235, 0x2e);
													_t240 = _t240 + 8;
													if(_t229 == 0) {
														break;
													}
													if( *_t229 - 0x30 <= 9 || _t235 == 0 || 0 ==  *_t235 || _t235 >= _t229) {
														goto L60;
													} else {
														while( *_t235 == 0x30) {
															_t235 =  &(_t235[0]);
															if(_t235 < _t229) {
																continue;
															}
															break;
														}
														if((_t229 - _t235 & 0xfffffffe) > 0x14) {
															goto L60;
														} else {
															_v72 = 0;
															_t160 = wcstoul(_t235,  &_v72, 0xa);
															_t240 = _t240 + 0xc;
															if(_t229 != _v72 || _t160 > 0x7fffffff) {
																goto L60;
															} else {
																_t219 = _v56;
																 *(_t239 + _t219 * 4 - 0x28) = _t160;
																_t220 = _t219 + 1;
																_v56 = _t220;
																if(_t220 <= 2) {
																	continue;
																} else {
																	goto L60;
																}
															}
														}
													}
													goto L62;
												}
												_t229 = wcschr(_t235, 0);
												_t240 = _t240 + 8;
												if(_t229 == 0 ||  *_t229 - 0x30 <= 9 || _t235 == 0 || 0 ==  *_t235 || _t235 >= _t229) {
													goto L60;
												} else {
													while( *_t235 == 0x30) {
														_t235 =  &(_t235[0]);
														if(_t235 < _t229) {
															continue;
														}
														break;
													}
													if((_t229 - _t235 & 0xfffffffe) > 0x14) {
														goto L60;
													} else {
														_v68 = 0;
														_t145 = wcstoul(_t235,  &_v68, 0xa);
														_t240 = _t240 + 0xc;
														if(_t229 != _v68 || _t145 > 0x7fffffff) {
															goto L60;
														} else {
															 *(_t239 + _v56 * 4 - 0x28) = _t145;
															 *_v88 = _v84;
															_t147 = _a12;
															if(_t147 == 0xffffffff || _v44 >= _t147) {
																_t231 = _v52;
																_t148 = E00ACA0E0(_v64, L"RuntimeVersion", _v52, _v96); // executed
																if(_t148 == 0) {
																	goto L61;
																} else {
																	_t149 = E00ACA0E0(_v64, L"ConsoleHostAssemblyName", _t231, _v100); // executed
																	if(_t149 == 0) {
																		goto L61;
																	}
																}
															} else {
																_t150 =  *0xad16fc; // 0x3463d68
																_t231 =  *( *_t150 + 4);
																 *0xad2204(_t150, 0, 0x1c,  *_v92);
																 *( *( *_t150 + 4))();
																_t240 = _t240 + 0x10;
																_t191 = 0xfffa0000;
															}
														}
													}
												}
											}
										}
									}
								}
							}
						}
					} else {
						_v45 = 0;
					}
					L62:
					_t112 = _v52;
					if(_t112 != 0) {
						__imp__??_V@YAXPAX@Z(_t112);
						_t240 = _t240 + 4;
						_v52 = 0;
					}
					_t113 = _v60;
					if(_t113 != 0) {
						__imp__??_V@YAXPAX@Z(_t113);
						_t240 = _t240 + 4;
					}
					if(_v45 != 0) {
						_t116 = _v64;
						if(_t116 != 0) {
							_t117 = RegCloseKey(_t116); // executed
							if(_t117 != 0) {
								_v60 = 0;
								_t231 = FormatMessageW(0x1100, 0, _t117, 0,  &_v60, 0, 0);
								_t256 = _t231;
								if(_t256 != 0) {
									_t72 =  &(_t231[0]); // 0x1
									_t119 = _t72;
									_t226 = _t119 * 2 >> 0x20;
									_push( ~(0 | _t256 > 0x00000000) | _t119 * 0x00000002);
									_t229 = E00ACACEC();
									_t241 = _t240 + 4;
									if(_t229 != 0) {
										_t80 =  &(_t231[0]); // 0x1
										_t226 = _t80;
										if(E00ACE440(_t229, _t80, _v60) < 0) {
											_t231 = 0;
											__imp__??_V@YAXPAX@Z(_t229);
											_t241 = _t241 + 4;
											_t229 = 0;
										}
									}
									LocalFree(_v60);
									if(_t231 != 0) {
										_t123 =  *0xad16fc; // 0x3463d68
										_t231 =  *( *_t123 + 4);
										 *0xad2204(_t123, 0, 0x15, _v52, _t229);
										 *( *( *_t123 + 4))();
										if(_t229 != 0) {
											__imp__??_V@YAXPAX@Z(_t229);
										}
									}
								}
							}
						}
					}
					return E00ACAFD0(_t191, _t191, _v8 ^ _t239, _t226, _t229, _t231);
				}
			}

0x00ac9b08
0x00ac9b0f
0x00ac9b12
0x00ac9b17
0x00ac9b1a
0x00ac9b1d
0x00ac9b20
0x00ac9b27
0x00ac9b2b
0x00ac9b2e
0x00ac9b31
0x00ac9b35
0x00ac9b38
0x00ac9b3c
0x00ac9b3f
0x00ac9b45
0x00aca0d5
0x00ac9b63
0x00ac9b63
0x00ac9b65
0x00ac9b67
0x00ac9b6c
0x00ac9b90
0x00ac9b93
0x00ac9b9d
0x00ac9cf6
0x00ac9cf6
0x00000000
0x00ac9ba3
0x00ac9ba6
0x00ac9bad
0x00ac9bad
0x00ac9bbb
0x00ac9bc1
0x00ac9bc6
0x00ac9bc9
0x00ac9bd4
0x00ac9d0a
0x00ac9be6
0x00ac9bfe
0x00ac9c03
0x00ac9c06
0x00ac9c0b
0x00ac9c25
0x00ac9c2d
0x00ac9c32
0x00ac9c35
0x00ac9c3e
0x00ac9c4b
0x00ac9c51
0x00ac9c56
0x00ac9c5c
0x00ac9c5e
0x00ac9c5e
0x00ac9c0d
0x00ac9c0d
0x00ac9c0d
0x00ac9c63
0x00ac9c66
0x00ac9c6c
0x00ac9c6c
0x00ac9c6f
0x00ac9c74
0x00ac9c77
0x00ac9c7d
0x00ac9c7d
0x00ac9c84
0x00ac9c84
0x00ac9c89
0x00ac9d38
0x00ac9c8f
0x00ac9ca7
0x00ac9cac
0x00ac9cb1
0x00000000
0x00ac9cb3
0x00ac9cb3
0x00ac9ccc
0x00ac9cd0
0x00ac9d31
0x00ac9d33
0x00ac9cd2
0x00ac9cd5
0x00ac9d14
0x00ac9d20
0x00ac9d25
0x00ac9d2d
0x00ac9cd7
0x00ac9cd7
0x00ac9ce6
0x00ac9ceb
0x00ac9cf1
0x00ac9cf3
0x00ac9cf3
0x00000000
0x00ac9cd5
0x00ac9cd0
0x00ac9cb1
0x00ac9c89
0x00ac9b6e
0x00ac9b78
0x00ac9b7f
0x00ac9b82
0x00ac9b85
0x00ac9cf8
0x00ac9cf8
0x00000000
0x00ac9b8b
0x00ac9b85
0x00ac9cff
0x00ac9d49
0x00ac9d50
0x00ac9ea9
0x00ac9ea9
0x00ac9d56
0x00ac9d56
0x00ac9d61
0x00ac9e85
0x00ac9e85
0x00ac9e99
0x00ac9e9e
0x00ac9ea4
0x00ac9ea6
0x00000000
0x00ac9d67
0x00ac9d70
0x00ac9d72
0x00ac9d77
0x00000000
0x00ac9d7d
0x00ac9d80
0x00ac9d8a
0x00000000
0x00ac9dab
0x00ac9db0
0x00ac9db6
0x00ac9dbb
0x00000000
0x00000000
0x00000000
0x00ac9dbb
0x00ac9dc7
0x00000000
0x00ac9dcd
0x00ac9dd2
0x00ac9ddb
0x00ac9de1
0x00ac9de4
0x00ac9dea
0x00000000
0x00ac9dfb
0x00ac9dfd
0x00ac9e00
0x00ac9e00
0x00ac9e00
0x00ac9e0c
0x00ac9e0e
0x00ac9e13
0x00000000
0x00000000
0x00ac9e24
0x00000000
0x00ac9e35
0x00ac9e35
0x00ac9e3b
0x00ac9e40
0x00000000
0x00000000
0x00000000
0x00ac9e40
0x00ac9e4c
0x00000000
0x00ac9e4e
0x00ac9e53
0x00ac9e5c
0x00ac9e62
0x00ac9e68
0x00000000
0x00ac9e71
0x00ac9e71
0x00ac9e74
0x00ac9e78
0x00ac9e79
0x00ac9e7f
0x00000000
0x00000000
0x00000000
0x00000000
0x00ac9e7f
0x00ac9e68
0x00ac9e4c
0x00000000
0x00ac9e24
0x00ac9fbe
0x00ac9fc0
0x00ac9fc5
0x00000000
0x00ac9ff7
0x00ac9ff7
0x00ac9ffd
0x00aca002
0x00000000
0x00000000
0x00000000
0x00aca002
0x00aca00e
0x00000000
0x00aca014
0x00aca019
0x00aca022
0x00aca028
0x00aca02e
0x00000000
0x00aca03f
0x00aca042
0x00aca04c
0x00aca04e
0x00aca054
0x00aca089
0x00aca095
0x00aca09c
0x00000000
0x00aca0a2
0x00aca0ae
0x00aca0b5
0x00000000
0x00aca0bb
0x00aca0b5
0x00aca05b
0x00aca05b
0x00aca069
0x00aca071
0x00aca077
0x00aca079
0x00aca07c
0x00aca07c
0x00aca054
0x00aca02e
0x00aca00e
0x00ac9fc5
0x00ac9dea
0x00ac9dc7
0x00ac9d8a
0x00ac9d77
0x00ac9d61
0x00ac9d01
0x00ac9d01
0x00ac9d01
0x00ac9eae
0x00ac9eae
0x00ac9eb3
0x00ac9eb6
0x00ac9ebc
0x00ac9ebf
0x00ac9ebf
0x00ac9ec6
0x00ac9ecb
0x00ac9ece
0x00ac9ed4
0x00ac9ed4
0x00ac9edb
0x00ac9ee1
0x00ac9ee6
0x00ac9eed
0x00ac9ef5
0x00ac9f02
0x00ac9f1a
0x00ac9f1c
0x00ac9f1e
0x00ac9f26
0x00ac9f26
0x00ac9f2e
0x00ac9f37
0x00ac9f3d
0x00ac9f3f
0x00ac9f44
0x00ac9f49
0x00ac9f49
0x00ac9f55
0x00ac9f58
0x00ac9f5a
0x00ac9f60
0x00ac9f63
0x00ac9f63
0x00ac9f55
0x00ac9f68
0x00ac9f70
0x00ac9f72
0x00ac9f82
0x00ac9f87
0x00ac9f8d
0x00ac9f94
0x00ac9f97
0x00ac9f9d
0x00ac9f94
0x00ac9f70
0x00ac9f1e
0x00ac9ef5
0x00ac9ee6
0x00ac9fb2
0x00ac9fb2

APIs

_itow_s.MSVCRT ref: 00AC9BBB
??_V@YAXPAX@Z.MSVCRT ref: 00AC9C66
RegCloseKey.ADVAPI32(?,?,?,?,?,?,00002014), ref: 00AC9C77
RegOpenKeyExW.ADVAPI32(80000002,?,FFFB0000,00020019,00000000,?,?,?,?,?,00002014), ref: 00AC9CC6

Part of subcall function 00AC96A0: RegOpenKeyExW.KERNELBASE(80000002,SOFTWARE\Microsoft\PowerShell,00000000,00020019,00000000,00002014,00000001,00000000,?,?,?,?,?,00AC9B7D,00000000,?), ref: 00AC96E9

wcschr.MSVCRT ref: 00AC9D6A
wcstoul.MSVCRT ref: 00AC9DDB
wcschr.MSVCRT ref: 00AC9E06
wcstoul.MSVCRT ref: 00AC9E5C
??_V@YAXPAX@Z.MSVCRT ref: 00AC9EB6
??_V@YAXPAX@Z.MSVCRT ref: 00AC9ECE
RegCloseKey.KERNELBASE(00000000,00000000,PowerShellVersion,00000000,?,00002014,00002014,00000000,FFFFFFFF), ref: 00AC9EED
FormatMessageW.KERNEL32(00001100,00000000,00000000,00000000,?,00000000,00000000), ref: 00AC9F14
??_V@YAXPAX@Z.MSVCRT ref: 00AC9F5A
LocalFree.KERNEL32(00000000), ref: 00AC9F68
??_V@YAXPAX@Z.MSVCRT ref: 00AC9F97

Part of subcall function 00ACA0E0: RegQueryValueExW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000000,00002014,00002014,00000001), ref: 00ACA131
Part of subcall function 00ACA0E0: FormatMessageW.KERNEL32(00001100,00000000,00000000,00000000,FFFFFFFF,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00002014,00002014,00000001), ref: 00ACA158
Part of subcall function 00ACA0E0: ??_V@YAXPAX@Z.MSVCRT ref: 00ACA19F
Part of subcall function 00ACA0E0: LocalFree.KERNEL32(00000000), ref: 00ACA1AD
Part of subcall function 00ACA0E0: ??_V@YAXPAX@Z.MSVCRT ref: 00ACA1E1

wcschr.MSVCRT ref: 00AC9FB8
wcstoul.MSVCRT ref: 00ACA022

Strings

ConsoleHostAssemblyName, xrefs: 00ACA0A6
SOFTWARE\Microsoft\PowerShell\%1!ls!\PowerShellEngine, xrefs: 00AC9C9D
SOFTWARE\Microsoft\PowerShell\%1!ls!, xrefs: 00AC9BF4
PowerShellVersion, xrefs: 00AC9D41, 00AC9E8A
RuntimeVersion, xrefs: 00ACA08D

Memory Dump Source

Source File: 00000000.00000002.704615943.0000000000AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000000.00000002.704561834.0000000000AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.704801424.0000000000AD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.704853752.0000000000AD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.705229402.0000000000B24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ac0000_powershell.jbxd

Similarity

API ID: wcschrwcstoul$CloseFormatFreeLocalMessageOpen$QueryValue_itow_s
String ID: ConsoleHostAssemblyName$PowerShellVersion$RuntimeVersion$SOFTWARE\Microsoft\PowerShell\%1!ls!$SOFTWARE\Microsoft\PowerShell\%1!ls!\PowerShellEngine
API String ID: 4119138042-3959523633
Opcode ID: 102141b214f76a085448942621d8095e0ae21e5d4a25439d8d219811b37d1391
Instruction ID: 141b8d419bf7d838948f495ec75a312e358b4ca7627746d2c14da1ae24bfe931
Opcode Fuzzy Hash: 102141b214f76a085448942621d8095e0ae21e5d4a25439d8d219811b37d1391
Instruction Fuzzy Hash: F1F1C171A01218ABDF20DFA8DD49FAFB7B5AF58704F16411DF916A7280EB319C01C796

Uniqueness

Uniqueness Score: -1.00%

Function 00ACADA3 Relevance: 10.6, APIs: 7, Instructions: 105
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 43%

			E00ACADA3() {
				int _t12;
				intOrPtr _t14;
				void* _t15;
				intOrPtr _t20;
				void* _t21;
				intOrPtr* _t24;
				intOrPtr* _t27;
				void* _t33;
				intOrPtr _t34;
				void* _t36;
				intOrPtr* _t37;
				intOrPtr _t39;
				intOrPtr* _t41;
				void* _t43;
				void* _t51;
				void* _t52;

				_push(0xc);
				_push(0xacfcf0);
				E00ACB7C8(_t21, _t33, _t36);
				 *((intOrPtr*)(_t43 - 4)) = 0;
				_t37 =  *((intOrPtr*)( *[fs:0x18] + 4));
				_t34 = 0;
				while(1) {
					_t24 = _t37;
					asm("lock cmpxchg [edx], ecx");
					if(0 == 0) {
						break;
					}
					if(0 != _t37) {
						Sleep(0x3e8);
						continue;
					} else {
						_t39 = 1;
						_t34 = 1;
					}
					L6:
					_t51 =  *0xad16e4 - _t39; // 0x2
					if(_t51 != 0) {
						__eflags =  *0xad16e4; // 0x2
						if(__eflags != 0) {
							 *0xad1388 = _t39;
							goto L12;
						} else {
							 *0xad16e4 = _t39;
							_t20 = E00ACAF1C(0xac33d0, 0xac33dc); // executed
							_pop(_t24);
							__eflags = _t20;
							if(__eflags == 0) {
								goto L12;
							} else {
								 *((intOrPtr*)(_t43 - 4)) = 0xfffffffe;
								_t12 = 0xff;
								goto L24;
							}
						}
					} else {
						L00ACB5AE();
						_t24 = 0x1f;
						L12:
						_t52 =  *0xad16e4 - _t39; // 0x2
						if(_t52 == 0) {
							_push(0xac33cc);
							L00ACB7C0(); // executed
							_t24 = 0xac33b0;
							 *0xad16e4 = 2;
						}
						if(_t34 == 0) {
							_t24 = 0xad16e0;
							 *0xad16e0 = 0;
						}
						_t55 =  *0xad16f0;
						if( *0xad16f0 != 0) {
							_t15 = E00ACB620(_t55, 0xad16f0);
							_pop(_t24);
							if(_t15 != 0) {
								_t41 =  *0xad16f0; // 0x0
								_t24 = _t41;
								 *0xad2204(0, 2, 0);
								 *_t41();
							}
						}
						_push( *0xad1394);
						_t12 = E00AC90E0(_t24,  *0xad138c,  *0xad1390); // executed
						 *0xad1384 = _t12;
						if( *0xad139c != 0) {
							__eflags =  *0xad1388;
							if( *0xad1388 == 0) {
								__imp___cexit();
								_t12 =  *0xad1384; // 0x0
							}
							 *((intOrPtr*)(_t43 - 4)) = 0xfffffffe;
							L24:
							 *[fs:0x0] =  *((intOrPtr*)(_t43 - 0x10));
							return _t12;
						} else {
							exit(_t12);
							_t27 =  *((intOrPtr*)(_t43 - 0x14));
							_t14 =  *((intOrPtr*)( *_t27));
							 *((intOrPtr*)(_t43 - 0x1c)) = _t14;
							_push(_t27);
							_push(_t14);
							L00ACB4FE();
							return _t14;
						}
					}
				}
				_t39 = 1;
				__eflags = 1;
				goto L6;
			}

0x00acada3
0x00acada5
0x00acadaa
0x00acadb1
0x00acadba
0x00acadbd
0x00acadbf
0x00acadc4
0x00acadc8
0x00acadce
0x00000000
0x00000000
0x00acadd2
0x00acade0
0x00000000
0x00acadd4
0x00acadd6
0x00acadd7
0x00acadd7
0x00acadeb
0x00acadeb
0x00acadf1
0x00acadfd
0x00acae03
0x00acae31
0x00000000
0x00acae05
0x00acae05
0x00acae15
0x00acae1b
0x00acae1c
0x00acae1e
0x00000000
0x00acae20
0x00acae20
0x00acae27
0x00000000
0x00acae27
0x00acae1e
0x00acadf3
0x00acadf5
0x00acadfa
0x00acae37
0x00acae37
0x00acae3d
0x00acae3f
0x00acae49
0x00acae4f
0x00acae50
0x00acae50
0x00acae5c
0x00acae60
0x00acae65
0x00acae65
0x00acae67
0x00acae6e
0x00acae75
0x00acae7a
0x00acae7d
0x00acae83
0x00acae89
0x00acae8b
0x00acae91
0x00acae91
0x00acae7d
0x00acae93
0x00acaea5
0x00acaead
0x00acaeb9
0x00acaef1
0x00acaef8
0x00acaefa
0x00acaf00
0x00acaf00
0x00acaf05
0x00acaf0c
0x00acaf0f
0x00acaf1b
0x00acaebb
0x00acaebc
0x00acaec2
0x00acaec7
0x00acaec9
0x00acaecc
0x00acaecd
0x00acaece
0x00acaed5
0x00acaed5
0x00acaeb9
0x00acadf1
0x00acadea
0x00acadea
0x00000000

APIs

Sleep.KERNEL32(000003E8,00ACFCF0,0000000C), ref: 00ACADE0
_amsg_exit.MSVCRT ref: 00ACADF5
_initterm.MSVCRT ref: 00ACAE49
__IsNonwritableInCurrentImage.LIBCMT ref: 00ACAE75
exit.MSVCRT ref: 00ACAEBC
_XcptFilter.MSVCRT ref: 00ACAECE

Memory Dump Source

Source File: 00000000.00000002.704615943.0000000000AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000000.00000002.704561834.0000000000AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.704801424.0000000000AD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.704853752.0000000000AD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.705229402.0000000000B24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ac0000_powershell.jbxd

Similarity

API ID: CurrentFilterImageNonwritableSleepXcpt_amsg_exit_inittermexit
String ID:
API String ID: 796493780-0
Opcode ID: 997b5b7d4c7beaac501776b1ef31d89037b7120fccd7fb2353f83905651d6b3a
Instruction ID: df5bc3b61b38a6d1fcd42c495016842687faf820956e86fe08f2df75c61d4aa6
Opcode Fuzzy Hash: 997b5b7d4c7beaac501776b1ef31d89037b7120fccd7fb2353f83905651d6b3a
Instruction Fuzzy Hash: ED31C035602319AFDB11DFE4ED06FB937A0E754725F16412FE5039B6A1DB308842CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00ACE3BE Relevance: 9.1, APIs: 6, Instructions: 53
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 91%

			E00ACE3BE(int __ecx, void** __edx) {
				int _v8;
				struct HINSTANCE__* _v12;
				struct HINSTANCE__* _t5;
				signed short _t6;
				int _t10;
				void** _t13;
				void* _t20;
				signed short _t23;

				_push(__ecx);
				_push(__ecx);
				_t23 = 0;
				_v8 = __ecx;
				_t13 = __edx;
				_t5 = GetModuleHandleW(0);
				_v12 = _t5;
				if(_t5 == 0) {
					_t6 = GetLastError();
					if(_t6 > 0) {
						_t6 = _t6 & 0x0000ffff | 0x80070000;
					}
					L10:
					return _t6;
				}
				_t20 = malloc(0xca);
				if(_t20 == 0) {
					L5:
					_t23 = GetLastError();
					if(_t23 > 0) {
						_t23 = _t23 & 0x0000ffff | 0x80070000;
					}
					L7:
					_t6 = _t23;
					goto L10;
				}
				_t10 = LoadStringW(_v12, _v8, _t20, 0x64); // executed
				if(_t10 - 1 > 0x62) {
					free(_t20);
					goto L5;
				} else {
					 *_t13 = _t20;
					goto L7;
				}
			}

0x00ace3c3
0x00ace3c4
0x00ace3c7
0x00ace3c9
0x00ace3cd
0x00ace3cf
0x00ace3d5
0x00ace3da
0x00ace42a
0x00ace432
0x00ace437
0x00ace437
0x00ace43c
0x00ace43f
0x00ace43f
0x00ace3e8
0x00ace3ed
0x00ace410
0x00ace416
0x00ace41a
0x00ace41f
0x00ace41f
0x00ace425
0x00ace425
0x00000000
0x00ace427
0x00ace3f8
0x00ace402
0x00ace409
0x00000000
0x00ace404
0x00ace404
0x00000000
0x00ace404

APIs

GetModuleHandleW.KERNEL32(00000000,00000000,00000000,00000076,00000076,?,00ACD522), ref: 00ACE3CF
malloc.MSVCRT ref: 00ACE3E2
LoadStringW.USER32(?,?,00000000,00000064), ref: 00ACE3F8
free.MSVCRT(00000000), ref: 00ACE409
GetLastError.KERNEL32(00ACD522), ref: 00ACE410
GetLastError.KERNEL32(?,00ACD522), ref: 00ACE42A

Memory Dump Source

Source File: 00000000.00000002.704615943.0000000000AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000000.00000002.704561834.0000000000AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.704801424.0000000000AD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.704853752.0000000000AD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.705229402.0000000000B24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ac0000_powershell.jbxd

Similarity

API ID: ErrorLast$HandleLoadModuleStringfreemalloc
String ID:
API String ID: 2048582471-0
Opcode ID: f7b50bda0351afaf9cc86c066aaaa7ceffd7bfbbeec957464cfc7201cf360af8
Instruction ID: 17fcd6b5e08dd601df6d31d115b8bc18dcdd4b2de8cb26c89ee3e1b358358ff9
Opcode Fuzzy Hash: f7b50bda0351afaf9cc86c066aaaa7ceffd7bfbbeec957464cfc7201cf360af8
Instruction Fuzzy Hash: 60012B36541225ABD725DBE89D0CF2A7BB8FF85751B22812EF502E7250DA76CC01D7B0

Uniqueness

Uniqueness Score: -1.00%

Function 00ACD7FE Relevance: 6.1, APIs: 4, Instructions: 58
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 51%

			E00ACD7FE(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t21;
				intOrPtr* _t24;
				void* _t28;
				intOrPtr* _t29;
				void* _t51;

				E00ACB3EF(E00ACC9BA, __ebx, __edi, __esi);
				__imp__CoInitialize(0, 0xc); // executed
				 *((intOrPtr*)(_t51 - 0x10)) = 0;
				_t21 = _t51 - 0x10;
				 *((intOrPtr*)(_t51 - 4)) = 0;
				 *((intOrPtr*)(_t51 - 0x18)) = 0;
				__imp__CoCreateInstance(0xac3db8, 0, 1, 0xac4688, _t21); // executed
				if(_t21 < 0) {
					L7:
					__imp__CoUninitialize(); // executed
					L8:
					return E00ACB3CC(E00ACAA7D(_t51 - 0x10));
				}
				 *((intOrPtr*)(_t51 - 0x14)) = 0;
				 *((char*)(_t51 - 4)) = 1;
				_t24 =  *((intOrPtr*)(_t51 - 0x10));
				_t49 =  *_t24;
				 *0xad2204(_t24, _t51 - 0x18, 0xac46a8, _t51 - 0x14); // executed
				if( *((intOrPtr*)( *_t24 + 0x10))() < 0) {
					L6:
					E00ACAA7D(_t51 - 0x14); // executed
					goto L7;
				}
				if( *((intOrPtr*)(_t51 - 0x18)) >= 4) {
					_t28 = E00ACD283(__ebx,  *((intOrPtr*)(_t51 - 0x10)), __ecx, __ecx, _t49, __eflags); // executed
					__eflags = _t28;
					if(_t28 >= 0) {
						_t29 =  *((intOrPtr*)(_t51 - 0x10));
						 *0xad2204(_t29);
						 *((intOrPtr*)( *((intOrPtr*)( *_t29 + 0x20))))();
					}
					goto L6;
				}
				E00ACAA7D(_t51 - 0x14);
				goto L8;
			}

0x00acd805
0x00acd80f
0x00acd815
0x00acd818
0x00acd81b
0x00acd82c
0x00acd82f
0x00acd837
0x00acd89c
0x00acd89c
0x00acd8a2
0x00acd8af
0x00acd8af
0x00acd839
0x00acd83c
0x00acd843
0x00acd84f
0x00acd856
0x00acd861
0x00acd894
0x00acd897
0x00000000
0x00acd897
0x00acd867
0x00acd878
0x00acd87d
0x00acd87f
0x00acd881
0x00acd88c
0x00acd892
0x00acd892
0x00000000
0x00acd87f
0x00acd86c
0x00000000

APIs

__EH_prolog3.LIBCMT ref: 00ACD805
CoInitialize.OLE32(00000000), ref: 00ACD80F
CoCreateInstance.OLE32(00AC3DB8,00000000,00000001,00AC4688,?), ref: 00ACD82F
CoUninitialize.OLE32 ref: 00ACD89C

Memory Dump Source

Source File: 00000000.00000002.704615943.0000000000AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000000.00000002.704561834.0000000000AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.704801424.0000000000AD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.704853752.0000000000AD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.705229402.0000000000B24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ac0000_powershell.jbxd

Similarity

API ID: CreateH_prolog3InitializeInstanceUninitialize
String ID:
API String ID: 1221532749-0
Opcode ID: 024d1da989cd0353be04f6c297ba8216a517290f8411cdb462639ffaa310322c
Instruction ID: ce33626d8686b066b0d534d4f6d6ca2ed4db5947d428f49437302c714b40e8e2
Opcode Fuzzy Hash: 024d1da989cd0353be04f6c297ba8216a517290f8411cdb462639ffaa310322c
Instruction Fuzzy Hash: E4112C70A0022A9BDB04DFA4CE56FBE7B74BF54700B02041DF543A7250DB706A01CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00ACAD70 Relevance: 1.5, APIs: 1, Instructions: 11
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__wgetmainargs.KERNELBASE ref: 00ACAD94

Memory Dump Source

Source File: 00000000.00000002.704615943.0000000000AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000000.00000002.704561834.0000000000AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.704801424.0000000000AD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.704853752.0000000000AD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.705229402.0000000000B24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ac0000_powershell.jbxd

Similarity

API ID: __wgetmainargs
String ID:
API String ID: 1709950718-0
Opcode ID: c9023a5867d3ffd165e7093659ea017f13178d3de763ac0473e455a1d9a446f8
Instruction ID: 48e9e594fd17c345ad03ab15ab03dc7f7fe03dd729d9d75e23343b8c23f759d9
Opcode Fuzzy Hash: c9023a5867d3ffd165e7093659ea017f13178d3de763ac0473e455a1d9a446f8
Instruction Fuzzy Hash: 16D0CAB8A82300BFC780CFD8BC029A13B70F300B857460857F60B9ABA2E3B09512DB05

Uniqueness

Uniqueness Score: -1.00%

Function 07C37E56 Relevance: .4, Instructions: 378
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.721463272.0000000007C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58ed608aae2b5e83a99868744d2d274d36122e7c40842924280ca27eea7e23dd
Instruction ID: e369883128703647710b5586c0cc634562c89ea90838262cbe8d4ca0c061401e
Opcode Fuzzy Hash: 58ed608aae2b5e83a99868744d2d274d36122e7c40842924280ca27eea7e23dd
Instruction Fuzzy Hash: D9F16D74A00216CFDB24DF64C994B9DB7F2FF89304F1085A9D509AB760DB71AE85CB60

Uniqueness

Uniqueness Score: -1.00%

Function 07C38580 Relevance: .2, Instructions: 247
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.721463272.0000000007C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab107d5ba57d4250f9cc05a9623a610ffd51cc2f4ec032c5402bec238d46be59
Instruction ID: 83d69cbcacf1f7931fa5914e4d15811ab1e791d1b57f28d8ea889b2159f83a30
Opcode Fuzzy Hash: ab107d5ba57d4250f9cc05a9623a610ffd51cc2f4ec032c5402bec238d46be59
Instruction Fuzzy Hash: 3091FA39B101149FCB48DBB8D4589ADB7F6FBCC211B154469E90AEB364DF35EC018BA1

Uniqueness

Uniqueness Score: -1.00%

Function 07C37ACE Relevance: .2, Instructions: 234
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.721463272.0000000007C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4797bcbcd151c05e6fb8f3aef9611170105e8d4afeed442320bd75cba6187ec9
Instruction ID: cf72f6114656685058895c95102f528e911a5d4278cef4af0138040264fe0fc4
Opcode Fuzzy Hash: 4797bcbcd151c05e6fb8f3aef9611170105e8d4afeed442320bd75cba6187ec9
Instruction Fuzzy Hash: D1914974A00219DFEB14DB65D898BADBBF2FF88300F1485A9D509AB3A0DB309E45CF50

Uniqueness

Uniqueness Score: -1.00%

Function 07C36188 Relevance: .2, Instructions: 195
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.721463272.0000000007C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19d914f59980ddaafe1a1de8b74996fa5e91b5443304a84f433206e4ce6c7fbc
Instruction ID: 1762cf07a600d571b5d09145eb68f08a7acbba7697ab9a751e539417be685652
Opcode Fuzzy Hash: 19d914f59980ddaafe1a1de8b74996fa5e91b5443304a84f433206e4ce6c7fbc
Instruction Fuzzy Hash: D48129B0E00209EFEB14DFA5D594AAEBBF2BF88314F248069D401BB350DB749D46CB94

Uniqueness

Uniqueness Score: -1.00%

Function 07C36BD0 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.721463272.0000000007C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cd43c5fefe2a1ffc4098ac2e15561242c6d430b123d7d9c515a2feb8845db0c
Instruction ID: f2a08874340befd632e3bcd92f6221cfe68dda2af5e56c44896a3af8c317d37c
Opcode Fuzzy Hash: 2cd43c5fefe2a1ffc4098ac2e15561242c6d430b123d7d9c515a2feb8845db0c
Instruction Fuzzy Hash: C5419C74A00209DBDB04DBE4E498AAEB7B6FF84308F208438D505BBB91DF34A945CF51

Uniqueness

Uniqueness Score: -1.00%

Function 07C37421 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.721463272.0000000007C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9df88fcc3931582ad70801cd0aa8e8288c9ffc8924b516051d6ea8ab85b4bc2
Instruction ID: 7894645b987a7b16bdc5411f41895444ff90d21cce9df73a0ca9c59f07ad63f7
Opcode Fuzzy Hash: b9df88fcc3931582ad70801cd0aa8e8288c9ffc8924b516051d6ea8ab85b4bc2
Instruction Fuzzy Hash: 933107B57003069FD700DBA8E4A45AE7BE5EF81218B148CBBD509CF661EF32DE458791

Uniqueness

Uniqueness Score: -1.00%

Function 07C36B78 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.721463272.0000000007C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 493b4f29e4cb9430f5ae01e7246b416fb95d67be068fed47cfbcd44c0f3e47ca
Instruction ID: 051931ca032eec8655459b4b4f948460e8d53e2dc0aafb12e5a6ded56882d05b
Opcode Fuzzy Hash: 493b4f29e4cb9430f5ae01e7246b416fb95d67be068fed47cfbcd44c0f3e47ca
Instruction Fuzzy Hash: 323107749093559FD70297B4E8786EE3B76EF42208F0508A6C145AFB92DF3459488B52

Uniqueness

Uniqueness Score: -1.00%

Function 07C36068 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.721463272.0000000007C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff52ad8cfb8840a6e452fe73fa226aa9713c6141448ce6a87f973cfaf51fa72e
Instruction ID: 076190109a0453377c6ea68235f6140304b16d96efdac1231de0344ce386ea79
Opcode Fuzzy Hash: ff52ad8cfb8840a6e452fe73fa226aa9713c6141448ce6a87f973cfaf51fa72e
Instruction Fuzzy Hash: 75319179B001059FD710DBA9E994AAE73FBEF88250F144535EA05DB354EF30DD058B61

Uniqueness

Uniqueness Score: -1.00%

Function 0351DA20 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.706836365.000000000351D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0351D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_351d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25cc6d05696258b92f6ce1c8a433b6de5160e43f30719a7bc35753c4f40f3284
Instruction ID: da49876a17dc8eac8a9e14352cf83296f343de0ba37590e7323fca9f4fdedf2d
Opcode Fuzzy Hash: 25cc6d05696258b92f6ce1c8a433b6de5160e43f30719a7bc35753c4f40f3284
Instruction Fuzzy Hash: B321D875508240DFEB05DF58E5C0F36BBB5FB84324F2889A9DD050B266C336D465C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 07C379D0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.721463272.0000000007C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bb9272158f3b8b6bc30e4b28a358a5564afb984c5cf6aed919f7e3e3594014f
Instruction ID: e4e49e6e7778694eea3bb279167593eb6199af6f93795a80b4e46d20a6ec774f
Opcode Fuzzy Hash: 3bb9272158f3b8b6bc30e4b28a358a5564afb984c5cf6aed919f7e3e3594014f
Instruction Fuzzy Hash: 8E212BB0A01216CFEB64DF15C8D8FA9BBB1EF44315F0481A8D919AB390DB749E84CF50

Uniqueness

Uniqueness Score: -1.00%

Function 07C37D61 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.721463272.0000000007C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d311245c85de5a158c8254ef26eef284804243d200dd83dfe52ece30aacbd021
Instruction ID: c5b13a9145632f9ccd0b1f127bb913d12f52d6e7df0678cf3c9005aae133b01d
Opcode Fuzzy Hash: d311245c85de5a158c8254ef26eef284804243d200dd83dfe52ece30aacbd021
Instruction Fuzzy Hash: 53211074701126CFEB54DB25D998F6977F2EF88204F1481A5D50AEB760DB709D81CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0351DA1B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.706836365.000000000351D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0351D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_351d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84985b5ff84b1100dee9ff94ec58c39973d7646651581f0d3eab3b48d67a6061
Instruction ID: e3cb2d9ccb3680ea6c89e5311926878b3796f039db68e0ec76a34df281d0cbc2
Opcode Fuzzy Hash: 84985b5ff84b1100dee9ff94ec58c39973d7646651581f0d3eab3b48d67a6061
Instruction Fuzzy Hash: 60118176508280DFDB15CF14D5C4B26BFB1FB84324F28C6A9DC054B666C33AD46ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 07C363C4 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.721463272.0000000007C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b4e348ad910d18b20c6dbf1cae86e40965dfb5e1612ad39545530ca5774bba9
Instruction ID: 17a8429343e069a9977411306a7ab6cd9559773e690d855b470ecb494cbc45d2
Opcode Fuzzy Hash: 4b4e348ad910d18b20c6dbf1cae86e40965dfb5e1612ad39545530ca5774bba9
Instruction Fuzzy Hash: 642106B0E0010AEBDB15DF99D598AADBBB2BF48314F248425D401BB240CB74AE82CF90

Uniqueness

Uniqueness Score: -1.00%

Function 07C38572 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.721463272.0000000007C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5b74b7fc43ac8b4e974cab31ad46f18f2011ed7e65449caa796068172cec446
Instruction ID: 8e906ea2a3d89e353055a20cb7c6ef850f66df79791fa96463bc0461afbd7eaf
Opcode Fuzzy Hash: d5b74b7fc43ac8b4e974cab31ad46f18f2011ed7e65449caa796068172cec446
Instruction Fuzzy Hash: 29115175A002198FCB04DF78D5559EEBBF2EF89210F10406AE509EB740DB359A01CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0351D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.706836365.000000000351D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0351D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_351d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f32cef25be167f5ccd2d680c0866c0509ef8e35b5addd37f5ef388df41f7baec
Instruction ID: 6f8dd8cea07021ab20dcedea9e783bb32e4c22ef7876bceabd2a46ab401ee608
Opcode Fuzzy Hash: f32cef25be167f5ccd2d680c0866c0509ef8e35b5addd37f5ef388df41f7baec
Instruction Fuzzy Hash: 87018471504340AAF7108A66E884BB6FBECFB41664F08885AED451A252E7799885C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 0351D006 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.706836365.000000000351D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0351D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_351d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0e8552a6fe28f49170ac5b568ad07de689b5761020e4e89ce689a1f5c91c20e
Instruction ID: bdae8a7141bc5ada97f746a9e70d243ecb2e8e9f78f51e4c90a86bd1fdb49d26
Opcode Fuzzy Hash: a0e8552a6fe28f49170ac5b568ad07de689b5761020e4e89ce689a1f5c91c20e
Instruction Fuzzy Hash: 1901446140D3C05FE7128B259C94B62BFB8EF53224F0D81CBD9849F2A3D2699849C772

Uniqueness

Uniqueness Score: -1.00%

Function 07C3F610 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.721463272.0000000007C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9a484f556973462106e3b0612bd26082ab032ab417d0540ef5daa2ad83ded30
Instruction ID: 80735447eb24d7303f5017443f9ed3b7427c17f007f0ee217b460a782dbac234
Opcode Fuzzy Hash: c9a484f556973462106e3b0612bd26082ab032ab417d0540ef5daa2ad83ded30
Instruction Fuzzy Hash: B6019AB16003019BD744CF68D88198977E0EB8130CB208EACD088CF225D77AE9878B92

Uniqueness

Uniqueness Score: -1.00%

Function 07C3F670 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.721463272.0000000007C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb2dd1e11a3743c346c5aafd43012327a36e2506390b75ff41096b66942b1b7c
Instruction ID: 3724a75a0527aebc12bac9835b51af445d07308e93e330e3b3e0e899afabf845
Opcode Fuzzy Hash: cb2dd1e11a3743c346c5aafd43012327a36e2506390b75ff41096b66942b1b7c
Instruction Fuzzy Hash: C7014C712083018FC740DF28E49158977E5FF85218B248D6DD5C88F226D776E98BCB91

Uniqueness

Uniqueness Score: -1.00%

Function 07C373AA Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.721463272.0000000007C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fafffdcaa2f13e158b16f8b121eba128c57329077ff5399c9bcba5e412849357
Instruction ID: 2281d0933408e720d22c1b1ef20849312751ee9371d1ea535ac692e5b46c6f75
Opcode Fuzzy Hash: fafffdcaa2f13e158b16f8b121eba128c57329077ff5399c9bcba5e412849357
Instruction Fuzzy Hash: 3CF0F6B57002148BC7449675D89596EBBAAEFC4605718C83EE909CB391DF36DC03CB91

Uniqueness

Uniqueness Score: -1.00%

Function 07C38222 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.721463272.0000000007C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16209c80d2fce68630ae0eaa806fa23ff0313e7fb7c8f05befa847c4d273752d
Instruction ID: 8a6d33ad949c9161bf899b8208329df89c4c9ad3dc81e6c4f60a1d074a497bd6
Opcode Fuzzy Hash: 16209c80d2fce68630ae0eaa806fa23ff0313e7fb7c8f05befa847c4d273752d
Instruction Fuzzy Hash: 5A018B70A04209DFCB25DB70C558AEDB7F1AF06308F244969D402ABBA5DB359E4ACB60

Uniqueness

Uniqueness Score: -1.00%

Function 07C373F0 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.721463272.0000000007C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6520ff6b93d8436e0c639bebfd0b87604f973f2871db211eae29abbdbcccc2c1
Instruction ID: a89eb86ad35c1d8ec5ac8fbbfbe63c973b92eac29e66f117d06b2b5c2cb5b5bd
Opcode Fuzzy Hash: 6520ff6b93d8436e0c639bebfd0b87604f973f2871db211eae29abbdbcccc2c1
Instruction Fuzzy Hash: C2D012767154245B4614959EF54186AF79DDBC5A35318807BE90DC7300DE62EC0397D1

Uniqueness

Uniqueness Score: -1.00%

Function 07C36029 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.721463272.0000000007C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 519db5dff1d783960012f55868ad01068c48087e43582022afcdca8c9876d51b
Instruction ID: e3a3b21d11ab63c56c9b09bd16cea34c3e5fb4de00925287a9e5d8c5484eb328
Opcode Fuzzy Hash: 519db5dff1d783960012f55868ad01068c48087e43582022afcdca8c9876d51b
Instruction Fuzzy Hash: D3E0CD739001097FCB048755D9057DD7FF5DF44160F144076E549E2240EF3296014745

Uniqueness

Uniqueness Score: -1.00%

Function 07C36038 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.721463272.0000000007C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ce3b682697a98398681e5f5fa2c59132f913e02ed016bd40d2dfe9e211c9b41
Instruction ID: 152a8e130969c0ecd28ad2bff847168dbaa33f550e37e349e220469ef6c118df
Opcode Fuzzy Hash: 5ce3b682697a98398681e5f5fa2c59132f913e02ed016bd40d2dfe9e211c9b41
Instruction Fuzzy Hash: E7D0A571A04119BF8B159B95D5054DE7FFADB84170B104077F509D3240EF3156059744

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00ACA3B0 Relevance: 13.7, APIs: 9, Instructions: 191
windowCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E00ACA3B0(intOrPtr _a4, void* _a8, void** _a12, short* _a16, intOrPtr _a20, char _a24) {
				char _v5;
				short _v12;
				short _v16;
				char* _v20;
				void* _t45;
				short _t47;
				signed int _t53;
				signed int _t57;
				signed int _t59;
				long _t60;
				intOrPtr* _t68;
				void** _t72;
				void* _t74;
				signed int _t81;
				signed int _t82;
				signed int _t94;
				signed int _t99;
				void* _t103;
				short* _t104;
				short _t105;
				long _t106;
				long _t119;

				_v16 = 0;
				_v20 =  &_a24;
				_t45 = _a8;
				_v5 = 1;
				if(_t45 == 0) {
					L34:
					__eflags = 0;
					return 0;
				} else {
					_t72 = _a12;
					if(_t72 == 0) {
						goto L34;
					} else {
						_t104 = _a16;
						if(_t104 == 0) {
							goto L34;
						} else {
							_t47 = FormatMessageW(0x500, _t45, 0, 0,  &_v16, 0,  &_v20);
							_v12 = _t47;
							if(_t47 != 0) {
								_t27 = _t47 + 1; // 0x1
								_t99 = _t27;
								_push( ~(0 | __eflags > 0x00000000) | _t99 * 0x00000002);
								_t94 = E00ACACEC();
								 *_t72 = _t94;
								__eflags = _t94;
								if(_t94 == 0) {
									L33:
									_v5 = 0;
									LocalFree(_v16);
									return _v5;
								} else {
									_t81 = 0;
									__eflags = _t99;
									if(_t99 == 0) {
										L15:
										_t81 = 0x80070057;
									} else {
										__eflags = _t99 - 0x7fffffff;
										if(_t99 > 0x7fffffff) {
											goto L15;
										}
									}
									__eflags = _t81;
									if(_t81 < 0) {
										__eflags = _t99;
										if(_t99 != 0) {
											_t57 = 0;
											__eflags = 0;
											goto L28;
										}
									} else {
										_t105 = _v16;
										_t82 = _t99;
										__eflags = _t99;
										if(_t99 == 0) {
											L24:
											_t94 = _t94 - 2;
											__eflags = _t94;
										} else {
											_t74 = 0x7ffffffe - _t99;
											__eflags = 0x7ffffffe;
											while(1) {
												__eflags = _t74 + _t82;
												if(_t74 + _t82 == 0) {
													break;
												}
												_t59 =  *_t105 & 0x0000ffff;
												__eflags = _t59;
												if(_t59 == 0) {
													break;
												} else {
													 *_t94 = _t59;
													_t105 = _t105 + 2;
													_t94 = _t94 + 2;
													_t82 = _t82 - 1;
													__eflags = _t82;
													if(_t82 != 0) {
														continue;
													} else {
														goto L24;
													}
												}
												goto L25;
											}
											__eflags = _t82;
											if(_t82 == 0) {
												goto L24;
											}
										}
										L25:
										_t72 = _a12;
										_t57 = 0;
										_t104 = _a16;
										asm("sbb ecx, ecx");
										_t81 = ( ~_t82 & 0x7ff8ff86) + 0x8007007a;
										L28:
										 *_t94 = _t57;
									}
									__eflags = _t81;
									if(_t81 < 0) {
										_t53 =  *_t72;
										__eflags = _t53;
										if(_t53 != 0) {
											__imp__??_V@YAXPAX@Z(_t53);
											 *_t72 = 0;
										}
										goto L33;
									} else {
										 *_t104 = _v12;
										LocalFree(_v16);
										return _v5;
									}
								}
							} else {
								_t60 = GetLastError();
								_v12 = 0;
								_t106 = FormatMessageW(0x1100, 0, _t60, 0,  &_v12, 0, 0);
								_t119 = _t106;
								if(_t119 != 0) {
									LocalFree(_v12);
									if(_t106 != 0) {
										_t68 =  *((intOrPtr*)(_a4 + 4));
										 *0xad2204(_t68, 0, _a20, _t103);
										 *((intOrPtr*)( *((intOrPtr*)( *_t68 + 4))))();
										if(_t103 != 0) {
											__imp__??_V@YAXPAX@Z(_t103);
										}
									}
								}
								return 0;
							}
						}
					}
				}
			}

0x00aca3bb
0x00aca3c2
0x00aca3c5
0x00aca3c8
0x00aca3d0
0x00aca5a5
0x00aca5a5
0x00aca5ab
0x00aca3d6
0x00aca3d6
0x00aca3db
0x00000000
0x00aca3e1
0x00aca3e1
0x00aca3e6
0x00000000
0x00aca3ec
0x00aca401
0x00aca407
0x00aca40c
0x00aca4c1
0x00aca4c1
0x00aca4d6
0x00aca4dc
0x00aca4e1
0x00aca4e3
0x00aca4e5
0x00aca58d
0x00aca590
0x00aca594
0x00aca5a3
0x00aca4eb
0x00aca4eb
0x00aca4ed
0x00aca4ef
0x00aca4f9
0x00aca4f9
0x00aca4f1
0x00aca4f1
0x00aca4f7
0x00000000
0x00000000
0x00aca4f7
0x00aca4fe
0x00aca500
0x00aca552
0x00aca554
0x00aca556
0x00aca556
0x00000000
0x00aca556
0x00aca502
0x00aca502
0x00aca505
0x00aca507
0x00aca509
0x00aca535
0x00aca535
0x00aca535
0x00aca50b
0x00aca510
0x00aca510
0x00aca512
0x00aca515
0x00aca517
0x00000000
0x00000000
0x00aca519
0x00aca51c
0x00aca51f
0x00000000
0x00aca521
0x00aca521
0x00aca524
0x00aca527
0x00aca52a
0x00aca52a
0x00aca52d
0x00000000
0x00aca52f
0x00000000
0x00aca52f
0x00aca52d
0x00000000
0x00aca51f
0x00aca531
0x00aca533
0x00000000
0x00000000
0x00aca533
0x00aca538
0x00aca538
0x00aca53b
0x00aca53d
0x00aca542
0x00aca54a
0x00aca558
0x00aca558
0x00aca558
0x00aca55b
0x00aca55d
0x00aca577
0x00aca579
0x00aca57b
0x00aca57e
0x00aca587
0x00aca587
0x00000000
0x00aca55f
0x00aca565
0x00aca567
0x00aca576
0x00aca576
0x00aca55d
0x00aca412
0x00aca412
0x00aca41f
0x00aca437
0x00aca439
0x00aca43b
0x00aca481
0x00aca489
0x00aca492
0x00aca49f
0x00aca4a5
0x00aca4ac
0x00aca4af
0x00aca4b5
0x00aca4ac
0x00aca489
0x00aca4c0
0x00aca4c0
0x00aca40c
0x00aca3e6
0x00aca3db

APIs

FormatMessageW.KERNEL32(00000500,00000000,00000000,00000000,00000000,00000000,?,00002014,00000001,FFFB0000,?), ref: 00ACA401
GetLastError.KERNEL32 ref: 00ACA412
FormatMessageW.KERNEL32(00001100,00000000,00000000,00000000,00000001,00000000,00000000), ref: 00ACA431
??_V@YAXPAX@Z.MSVCRT ref: 00ACA473
LocalFree.KERNEL32(00000000), ref: 00ACA481
??_V@YAXPAX@Z.MSVCRT ref: 00ACA4AF
LocalFree.KERNEL32(00000000), ref: 00ACA567
??_V@YAXPAX@Z.MSVCRT ref: 00ACA57E
LocalFree.KERNEL32(00000000), ref: 00ACA594

Memory Dump Source

Source File: 00000000.00000002.704615943.0000000000AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000000.00000002.704561834.0000000000AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.704801424.0000000000AD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.704853752.0000000000AD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.705229402.0000000000B24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ac0000_powershell.jbxd

Similarity

API ID: FreeLocal$FormatMessage$ErrorLast
String ID:
API String ID: 1635386727-0
Opcode ID: 8de112e61dda79ebe9891ce747150fcfda5074cd4098517f4455dd47e5776f81
Instruction ID: 05695e7e32305bdf2bc8b43682301e11edc92b5228d9617e31e7bc70c073a934
Opcode Fuzzy Hash: 8de112e61dda79ebe9891ce747150fcfda5074cd4098517f4455dd47e5776f81
Instruction Fuzzy Hash: EE511376A012099BDF248FA8DC09FBEB7B5AF94304F05825DEC1A97284EA35DD01C752

Uniqueness

Uniqueness Score: -1.00%

Function 00ACD76F Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43
fileCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00ACD76F() {
				signed int _v8;
				struct _WIN32_FIND_DATAW _v604;
				void* __edi;
				void* __esi;
				signed int _t4;
				void* _t12;
				void* _t14;
				void* _t19;
				void* _t20;
				void* _t21;
				signed int _t22;

				_t4 =  *0xad1368; // 0x96213ca
				_v8 = _t4 ^ _t22;
				_t20 = 0;
				_t21 = malloc(0x20a);
				if(_t21 != 0) {
					if(ExpandEnvironmentStringsW(L"%systemroot%\\system32\\windowspowershell\\v1.0\\powershell_ise.exe", _t21, 0x104) - 1 <= 0x103) {
						_t12 = FindFirstFileW(_t21,  &_v604);
						if(_t12 != 0xffffffff) {
							_t20 = 1;
							FindClose(_t12);
						}
					}
					free(_t21);
				}
				return E00ACAFD0(_t20, _t14, _v8 ^ _t22, _t19, _t20, _t21);
			}

0x00acd77a
0x00acd781
0x00acd78b
0x00acd793
0x00acd798
0x00acd7b1
0x00acd7bb
0x00acd7c4
0x00acd7c7
0x00acd7c8
0x00acd7c8
0x00acd7c4
0x00acd7cf
0x00acd7d5
0x00acd7e5

APIs

malloc.MSVCRT ref: 00ACD78D
ExpandEnvironmentStringsW.KERNEL32(%systemroot%\system32\windowspowershell\v1.0\powershell_ise.exe,00000000,00000104), ref: 00ACD7A5
FindFirstFileW.KERNEL32(00000000,?), ref: 00ACD7BB
FindClose.KERNEL32(00000000), ref: 00ACD7C8
free.MSVCRT(00000000), ref: 00ACD7CF

Strings

%systemroot%\system32\windowspowershell\v1.0\powershell_ise.exe, xrefs: 00ACD7A0

Memory Dump Source

Source File: 00000000.00000002.704615943.0000000000AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000000.00000002.704561834.0000000000AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.704801424.0000000000AD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.704853752.0000000000AD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.705229402.0000000000B24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ac0000_powershell.jbxd

Similarity

API ID: Find$CloseEnvironmentExpandFileFirstStringsfreemalloc
String ID: %systemroot%\system32\windowspowershell\v1.0\powershell_ise.exe
API String ID: 2430906653-803825474
Opcode ID: 5f9414ceed2057073ad232ade5d84160e463761b2db6b3e34a5594b399867da1
Instruction ID: 1e34dec0d54eb660619bfa692d84b9de0a4ced303ea50f42f4eba0221d46aca6
Opcode Fuzzy Hash: 5f9414ceed2057073ad232ade5d84160e463761b2db6b3e34a5594b399867da1
Instruction Fuzzy Hash: C0F0F635702518ABE310EBA5AC4CFAE7BA8EB85B65B51022AF517E21D0CF708E43C755

Uniqueness

Uniqueness Score: -1.00%

Function 00ACB715 Relevance: 7.6, APIs: 5, Instructions: 50
timethreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00ACB715() {
				void* _v8;
				struct _FILETIME _v16;
				signed int _v20;
				union _LARGE_INTEGER _v24;
				signed int _t23;
				signed int _t36;
				signed int _t37;
				signed int _t39;

				_v16.dwLowDateTime = _v16.dwLowDateTime & 0x00000000;
				_v16.dwHighDateTime = _v16.dwHighDateTime & 0x00000000;
				_t23 =  *0xad1368; // 0x96213ca
				if(_t23 == 0xbb40e64e || (0xffff0000 & _t23) == 0) {
					GetSystemTimeAsFileTime( &_v16);
					_v8 = _v16.dwHighDateTime ^ _v16.dwLowDateTime;
					_v8 = _v8 ^ GetCurrentProcessId();
					_v8 = _v8 ^ GetCurrentThreadId();
					_v8 = GetTickCount() ^ _v8 ^  &_v8;
					QueryPerformanceCounter( &_v24);
					_t36 = _v20 ^ _v24.LowPart ^ _v8;
					_t39 = _t36;
					if(_t36 == 0xbb40e64e || ( *0xad1368 & 0xffff0000) == 0) {
						_t36 = 0xbb40e64f;
						_t39 = 0xbb40e64f;
					}
					 *0xad1368 = _t39;
				}
				_t37 =  !_t36;
				 *0xad136c = _t37;
				return _t37;
			}

0x00acb71d
0x00acb721
0x00acb725
0x00acb738
0x00acb742
0x00acb74e
0x00acb757
0x00acb760
0x00acb771
0x00acb778
0x00acb784
0x00acb787
0x00acb78b
0x00acb795
0x00acb79a
0x00acb79a
0x00acb79c
0x00acb79c
0x00acb7a2
0x00acb7a5
0x00acb7ac

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 00ACB742
GetCurrentProcessId.KERNEL32 ref: 00ACB751
GetCurrentThreadId.KERNEL32 ref: 00ACB75A
GetTickCount.KERNEL32 ref: 00ACB763
QueryPerformanceCounter.KERNEL32(?), ref: 00ACB778

Memory Dump Source

Source File: 00000000.00000002.704615943.0000000000AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000000.00000002.704561834.0000000000AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.704801424.0000000000AD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.704853752.0000000000AD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.705229402.0000000000B24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ac0000_powershell.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 48ffefa104192724e46f3fa95b33e0f1cbfdb9fd86388618f415b9e4ebbbbb6d
Instruction ID: 51749e7f4ebc9af8ddb7c8040bc0360ef208970d0977575bea501a40b87bb972
Opcode Fuzzy Hash: 48ffefa104192724e46f3fa95b33e0f1cbfdb9fd86388618f415b9e4ebbbbb6d
Instruction Fuzzy Hash: A011F871D12208EFCB10DBF8D949A9EB7F4BB58310F91485AD812E7210E7309E42CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00ACB17C Relevance: 6.0, APIs: 4, Instructions: 13
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00ACB17C(struct _EXCEPTION_POINTERS* _a4) {

				SetUnhandledExceptionFilter(0);
				UnhandledExceptionFilter(_a4);
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

0x00acb183
0x00acb18c
0x00acb1a5

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00ACB2B2,00AC1508), ref: 00ACB183
UnhandledExceptionFilter.KERNEL32(00ACB2B2,?,00ACB2B2,00AC1508), ref: 00ACB18C
GetCurrentProcess.KERNEL32(C0000409,?,00ACB2B2,00AC1508), ref: 00ACB197
TerminateProcess.KERNEL32(00000000,?,00ACB2B2,00AC1508), ref: 00ACB19E

Memory Dump Source

Source File: 00000000.00000002.704615943.0000000000AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000000.00000002.704561834.0000000000AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.704801424.0000000000AD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.704853752.0000000000AD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.705229402.0000000000B24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ac0000_powershell.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
String ID:
API String ID: 3231755760-0
Opcode ID: 212c0ffe07d1e314f9968aa6ac9ed79185d8741e1ce68ad70261e289f220ab44
Instruction ID: ff10b866a060320526b0c431d1583ea297a75834738ded9890bef61b27fc48d8
Opcode Fuzzy Hash: 212c0ffe07d1e314f9968aa6ac9ed79185d8741e1ce68ad70261e289f220ab44
Instruction Fuzzy Hash: E3D0CA72046208ABCB00ABE1ED0CB493F29FBA8213F044022F32B82060CA318C02CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00ACEB31 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00ACEB31(struct HINSTANCE__* __ecx) {
				struct HRSRC__* _t1;
				struct HINSTANCE__* _t4;

				_t4 = __ecx;
				_t1 = FindResourceExW(__ecx, "MUI", 1, 0);
				if(_t1 != 0) {
					return LoadResource(_t4, _t1);
				} else {
					return _t1;
				}
			}

0x00aceb38
0x00aceb40
0x00aceb48
0x00aceb55
0x00aceb4b
0x00aceb4b
0x00aceb4b

APIs

FindResourceExW.KERNEL32(00000000,MUI,00000001,00000000,00000000,00ACEBED,00000000,00000000,00ACECA2,00000000,00000000,?,?,00000000,?), ref: 00ACEB40
LoadResource.KERNEL32(00000000,00000000), ref: 00ACEB4E

Strings

MUI, xrefs: 00ACEB3A

Memory Dump Source

Source File: 00000000.00000002.704615943.0000000000AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000000.00000002.704561834.0000000000AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.704801424.0000000000AD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.704853752.0000000000AD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.705229402.0000000000B24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ac0000_powershell.jbxd

Similarity

API ID: Resource$FindLoad
String ID: MUI
API String ID: 2619053042-1339004836
Opcode ID: 89d25138dd8f25b29dd3a9472c1d1badd613902370e16cb10479ad5d86f7a4ca
Instruction ID: 5143898018057b3804757f6cfd59555555c63352147acd117a118ab6e48ca487
Opcode Fuzzy Hash: 89d25138dd8f25b29dd3a9472c1d1badd613902370e16cb10479ad5d86f7a4ca
Instruction Fuzzy Hash: 31D0123264212076E62157257C0DFEB2A48EF95B32F074047F80695194DB905C83C6B8

Uniqueness

Uniqueness Score: -1.00%

Function 00ACE80D Relevance: 4.6, APIs: 3, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E00ACE80D() {
				signed int _v8;
				short _v16;
				struct _OSVERSIONINFOW _v292;
				void* __esi;
				signed int _t16;
				void* _t25;
				intOrPtr _t26;
				void* _t29;
				void* _t30;
				void* _t34;
				void* _t37;
				void* _t38;
				int _t39;
				signed int _t41;

				_t16 =  *0xad1368; // 0x96213ca
				_v8 = _t16 ^ _t41;
				_t39 =  *0xad192c; // 0x0
				if(_t39 == 0) {
					memset( &(_v292.dwMajorVersion), _t39, 0x118);
					_v292.dwOSVersionInfoSize = 0x11c;
					if(GetVersionExW( &_v292) == 0) {
						_v292.dwOSVersionInfoSize = 0x114;
						GetVersionExW( &_v292);
					}
					 *0xad192c = _t39;
					_t25 = _v292.dwPlatformId - 1;
					if(_t25 == 0) {
						L20:
						if(_v292.dwMajorVersion == 4) {
							_t26 = _v292.dwMinorVersion;
							if(_t26 == 0 || _t26 == 0xa || _t26 == 0x5a) {
								_t39 = 1;
								goto L25;
							}
						}
					} else {
						if(_t25 == 1) {
							if(_v292.dwMajorVersion != 5) {
								if(_v292.dwMajorVersion > 4) {
									_push(0x20);
									goto L17;
								} else {
									_t39 = 2;
									 *0xad192c = _t39;
									goto L20;
								}
							} else {
								_t29 = _v292.dwMinorVersion - _t39;
								if(_t29 == 0) {
									_push(4);
									goto L17;
								} else {
									_t30 = _t29 - 1;
									if(_t30 == 0) {
										if(_v16 >= 2) {
											_push(8);
											goto L14;
										}
										goto L15;
									} else {
										if(_t30 == 1) {
											if(_v16 >= 1) {
												_push(0x10);
												L14:
												_pop(_t39);
											}
											L15:
											_t39 = _t39 | 0x00000004;
										} else {
											_push(0x14);
											L17:
											_pop(_t39);
										}
									}
								}
								L25:
								 *0xad192c = _t39;
							}
						}
					}
				}
				return E00ACAFD0(_t39, _t34, _v8 ^ _t41, _t37, _t38, _t39);
			}

0x00ace818
0x00ace81f
0x00ace823
0x00ace82b
0x00ace83e
0x00ace846
0x00ace85f
0x00ace867
0x00ace872
0x00ace872
0x00ace87e
0x00ace884
0x00ace887
0x00ace8e0
0x00ace8e7
0x00ace8e9
0x00ace8f1
0x00ace8ff
0x00000000
0x00ace8ff
0x00ace8f1
0x00ace889
0x00ace88c
0x00ace895
0x00ace8d5
0x00ace915
0x00000000
0x00ace8d7
0x00ace8d9
0x00ace8da
0x00000000
0x00ace8da
0x00ace897
0x00ace89d
0x00ace89f
0x00ace8c9
0x00000000
0x00ace8a1
0x00ace8a1
0x00ace8a4
0x00ace8bf
0x00ace8c1
0x00000000
0x00ace8c1
0x00000000
0x00ace8a6
0x00ace8a9
0x00ace8b4
0x00ace8b6
0x00ace8c3
0x00ace8c3
0x00ace8c3
0x00ace8c4
0x00ace8c4
0x00ace8ab
0x00ace8ab
0x00ace8cb
0x00ace8cb
0x00ace8cb
0x00ace8a9
0x00ace8a4
0x00ace900
0x00ace900
0x00ace900
0x00ace895
0x00ace88c
0x00ace887
0x00ace914

APIs

memset.MSVCRT ref: 00ACE83E
GetVersionExW.KERNEL32(0000011C,?,?,00000000), ref: 00ACE857
GetVersionExW.KERNEL32(0000011C,?,?,00000000), ref: 00ACE872

Memory Dump Source

Source File: 00000000.00000002.704615943.0000000000AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000000.00000002.704561834.0000000000AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.704801424.0000000000AD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.704853752.0000000000AD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.705229402.0000000000B24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ac0000_powershell.jbxd

Similarity

API ID: Version$memset
String ID:
API String ID: 3607446104-0
Opcode ID: 4874b99a3457323bfdbd05e7220fdd730e17a20ab26ddb516d10d0798e6fbbf4
Instruction ID: 94428ccc7c460ff7377a967ec5a6f552780b5a757db351ba1091a8d4163d1c6e
Opcode Fuzzy Hash: 4874b99a3457323bfdbd05e7220fdd730e17a20ab26ddb516d10d0798e6fbbf4
Instruction Fuzzy Hash: CC21B531E4122C97DB35CFA89C0AFD9B3B4BB09B10F42449EE606A6181D3749E81CFC1

Uniqueness

Uniqueness Score: -1.00%

Function 00ACE702 Relevance: 3.0, APIs: 2, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00ACE702() {
				signed int _v8;
				long _v72;
				void* __esi;
				signed int _t5;
				signed int _t12;
				void* _t15;
				void* _t18;
				void* _t19;
				signed int _t21;

				_t5 =  *0xad1368; // 0x96213ca
				_v8 = _t5 ^ _t21;
				_t20 = 0xc04;
				if(GetLocaleInfoW(0x404, 8,  &_v72, 0x20) != 0) {
					_t12 = wcsncmp( &_v72, 0xac6cdc, 3);
					asm("sbb eax, eax");
					_t20 = 0xc04 + ( ~_t12 & 0xfffff800);
				}
				return E00ACAFD0(_t20, _t15, _v8 ^ _t21, _t18, _t19, _t20);
			}

0x00ace70a
0x00ace711
0x00ace71a
0x00ace72f
0x00ace73c
0x00ace746
0x00ace74d
0x00ace74d
0x00ace75e

APIs

GetLocaleInfoW.KERNEL32(00000404,00000008,?,00000020,00000000), ref: 00ACE727
wcsncmp.MSVCRT(?,00AC6CDC,00000003), ref: 00ACE73C

Memory Dump Source

Source File: 00000000.00000002.704615943.0000000000AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000000.00000002.704561834.0000000000AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.704801424.0000000000AD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.704853752.0000000000AD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.705229402.0000000000B24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ac0000_powershell.jbxd

Similarity

API ID: InfoLocalewcsncmp
String ID:
API String ID: 4128031126-0
Opcode ID: 167e325cde36979517768cba139ef5c6b2b6bc4d3919b4cf5b74cc12f5d5b8f3
Instruction ID: 75ab209b98485649c699014300122fe6063196e4bdf70eefdd51967e96be193a
Opcode Fuzzy Hash: 167e325cde36979517768cba139ef5c6b2b6bc4d3919b4cf5b74cc12f5d5b8f3
Instruction Fuzzy Hash: 0BF082B2A50208BBD710EBB48D47F9A77E89B04B14F450169A905E72C1EA60AE05C655

Uniqueness

Uniqueness Score: -1.00%

Function 00ACECCC Relevance: 21.3, APIs: 9, Strings: 3, Instructions: 273
libraryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E00ACECCC(void* __eflags) {
				signed int _v8;
				char _v180;
				char _v352;
				char _v524;
				short _v1044;
				WCHAR* _v1048;
				signed int _v1052;
				signed int _v1056;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t72;
				signed int _t74;
				WCHAR* _t83;
				signed char _t86;
				signed char _t87;
				signed int _t88;
				struct HINSTANCE__* _t90;
				signed short _t93;
				signed int _t96;
				signed int _t101;
				signed int _t109;
				signed int _t114;
				signed int _t117;
				signed int _t121;
				struct HINSTANCE__* _t128;
				char* _t158;
				signed int _t159;
				signed int _t160;

				_t72 =  *0xad1368; // 0x96213ca
				_v8 = _t72 ^ _t160;
				_t158 = 0;
				_v1048 = 0;
				_t74 = E00ACE80D();
				 *0xad1934 = _t74;
				_t159 = 0;
				_t128 = LoadLibraryExW(L"powershell.exe", 0, _t74 & 0x00000020 | 0x00000002);
				if(_t128 == 0) {
					L46:
					_t77 = 0;
					__eflags = 0;
				} else {
					if(( *0xad1934 & 0x00000020) == 0) {
						if(SearchPathW(0, L"powershell.exe", 0, 0x104,  &_v1044,  &_v1048) == 0) {
							FreeLibrary(_t128);
							goto L46;
						} else {
							_t83 = _v1048;
							if(_t83 != 0) {
								__eflags = 0;
								_t158 =  &_v1044;
								 *((short*)(_t83 - 2)) = 0;
							} else {
								_v1048 =  &_v1044;
							}
							if(FindResourceExW(_t128, ?str?, 1, 0) == 0) {
								L31:
								__eflags = _t128 & 0x00000001;
								if((_t128 & 0x00000001) != 0) {
									FreeLibrary(_t128);
									_t86 = E00ACE80D();
									__eflags = _t86 & 0x00000038;
									if((_t86 & 0x00000038) == 0) {
										_t87 = E00ACE80D();
										__eflags = _t87 & 0x00000026;
										_t88 = 0;
										_t70 = (_t87 & 0x00000026) != 0;
										__eflags = _t70;
										_t90 = LoadLibraryExW(L"powershell.exe", 0, _t88 & 0xffffff00 | _t70);
									} else {
										_push(_v1048);
										E00ACEB56( &_v1044, 0x104, L"%s\\%s", _t158);
										_t155 = 1;
										_t90 = E00ACEAAE( &_v1044, 1, 0);
									}
									_t128 = _t90;
								}
								_t77 = _t128;
							} else {
								_t93 =  *0xad1934; // 0x0
								if((_t93 & 0x00000004) == 0) {
									__eflags = _t93 & 0x00000003;
									if((_t93 & 0x00000003) == 0) {
										goto L31;
									} else {
										_v1056 = E00ACE75F() & 0x0000ffff;
										_t155 =  &_v180;
										_t96 = E00ACE97F(E00ACE75F() & 0x0000ffff,  &_v180,  &_v524,  &_v352);
										__eflags = _t96;
										if(_t96 == 0) {
											goto L31;
										} else {
											_t155 = _t158;
											_t159 = E00ACE919(_t128, _t158,  &_v180, _v1048);
											__eflags = _t159;
											if(_t159 != 0) {
												goto L41;
											} else {
												_t155 = _t158;
												_t101 = E00ACE919(_t128, _t158,  &_v524, _v1048);
												_t159 = _t101;
												__eflags = _t159;
												if(_t159 != 0) {
													goto L41;
												} else {
													__eflags = _v352 - _t101;
													if(_v352 == _t101) {
														L40:
														_t138 = 0x409;
														__eflags = 0x409 - _v1056;
														goto L27;
													} else {
														_t155 = _t158;
														_t159 = E00ACE919(_t128, _t158,  &_v352, _v1048);
														__eflags = _t159;
														if(_t159 != 0) {
															goto L41;
														} else {
															goto L40;
														}
													}
												}
											}
										}
									}
								} else {
									__imp__GetUserDefaultUILanguage();
									_t109 = _t93 & 0x0000ffff;
									_v1052 = _t109;
									if(_t109 == 0x404) {
										_t109 = E00ACE702() & 0x0000ffff;
										L10:
										_v1052 = _t109;
									}
									_t155 =  &_v180;
									if(E00ACE97F(_t109,  &_v180,  &_v524,  &_v352) == 0) {
										L30:
										__eflags = _t159;
										if(_t159 != 0) {
											goto L41;
										} else {
											goto L31;
										}
									} else {
										_t155 = _t158;
										_t159 = E00ACE919(_t128, _t158,  &_v180, _v1048);
										if(_t159 != 0) {
											L41:
											FreeLibrary(_t128);
											_t77 = _t159;
										} else {
											_t155 = _t158;
											_t114 = E00ACE919(_t128, _t158,  &_v524, _v1048);
											_t159 = _t114;
											if(_t159 != 0) {
												goto L41;
											} else {
												if(_v352 == _t114) {
													L16:
													if(_v1052 != 0xc04) {
														__imp__GetSystemDefaultUILanguage();
														_t116 = 0xc04;
														_v1056 = 0xc04;
														__eflags = 0xc04 - _v1052;
														if(0xc04 == _v1052) {
															L25:
															_t138 = 0x409;
															__eflags = 0x409 - _v1052;
															if(0x409 == _v1052) {
																L29:
																_t155 = _t158;
																_t159 = E00ACE919(_t128, _t158, 0, _v1048);
																goto L30;
															} else {
																__eflags = 0x409 - _t116;
																L27:
																if(__eflags == 0) {
																	goto L29;
																} else {
																	E00ACE97F(_t138,  &_v180,  &_v524, 0);
																	_t155 = _t158;
																	_t159 = E00ACE919(_t128, _t158,  &_v180, _v1048);
																	__eflags = _t159;
																	if(_t159 != 0) {
																		goto L41;
																	} else {
																		goto L29;
																	}
																}
															}
														} else {
															_t155 =  &_v180;
															_t117 = E00ACE97F(0xc04,  &_v180,  &_v524,  &_v352);
															__eflags = _t117;
															if(_t117 == 0) {
																goto L31;
															} else {
																_t155 = _t158;
																_t159 = E00ACE919(_t128, _t158,  &_v180, _v1048);
																__eflags = _t159;
																if(_t159 != 0) {
																	goto L41;
																} else {
																	_t155 = _t158;
																	_t121 = E00ACE919(_t128, _t158,  &_v524, _v1048);
																	_t159 = _t121;
																	__eflags = _t159;
																	if(_t159 != 0) {
																		goto L41;
																	} else {
																		__eflags = _v352 - _t121;
																		if(_v352 == _t121) {
																			L24:
																			_t116 = _v1056;
																			goto L25;
																		} else {
																			_t155 = _t158;
																			_t159 = E00ACE919(_t128, _t158,  &_v352, _v1048);
																			__eflags = _t159;
																			if(_t159 != 0) {
																				goto L41;
																			} else {
																				goto L24;
																			}
																		}
																	}
																}
															}
														}
													} else {
														_t109 = 0x404;
														goto L10;
													}
												} else {
													_t155 = _t158;
													_t159 = E00ACE919(_t128, _t158,  &_v352, _v1048);
													if(_t159 != 0) {
														goto L41;
													} else {
														goto L16;
													}
												}
											}
										}
									}
								}
							}
						}
					}
				}
				__eflags = _v8 ^ _t160;
				return E00ACAFD0(_t77, _t128, _v8 ^ _t160, _t155, _t158, _t159);
			}

0x00acecd7
0x00acecde
0x00acece4
0x00acece6
0x00acecec
0x00acecf1
0x00acecf6
0x00aced0b
0x00aced0f
0x00acf096
0x00acf096
0x00acf096
0x00aced15
0x00aced1c
0x00aced44
0x00acf090
0x00000000
0x00aced4a
0x00aced4a
0x00aced52
0x00aced62
0x00aced64
0x00aced6a
0x00aced54
0x00aced5a
0x00aced5a
0x00aced80
0x00acef6e
0x00acef6e
0x00acef71
0x00acef78
0x00acef7e
0x00acef83
0x00acef85
0x00acf06e
0x00acf075
0x00acf077
0x00acf078
0x00acf078
0x00acf083
0x00acef8b
0x00acef8b
0x00acefa3
0x00acefb3
0x00acefb6
0x00acefb6
0x00acf089
0x00acf089
0x00acf08b
0x00aced86
0x00aced86
0x00aced8d
0x00acefc0
0x00acefc2
0x00000000
0x00acefc4
0x00acefd9
0x00acefe0
0x00acefe8
0x00acefed
0x00acefef
0x00000000
0x00aceff5
0x00acf001
0x00acf00b
0x00acf00d
0x00acf00f
0x00000000
0x00acf011
0x00acf01d
0x00acf022
0x00acf027
0x00acf029
0x00acf02b
0x00000000
0x00acf02d
0x00acf02d
0x00acf034
0x00acf052
0x00acf052
0x00acf057
0x00000000
0x00acf036
0x00acf042
0x00acf04c
0x00acf04e
0x00acf050
0x00000000
0x00000000
0x00000000
0x00000000
0x00acf050
0x00acf034
0x00acf02b
0x00acf00f
0x00acefef
0x00aced93
0x00aced93
0x00aced99
0x00aceda1
0x00acedaa
0x00acedb1
0x00acedb4
0x00acedb4
0x00acedb4
0x00acedc8
0x00acedd7
0x00acef66
0x00acef66
0x00acef68
0x00000000
0x00000000
0x00000000
0x00000000
0x00aceddd
0x00acede9
0x00acedf3
0x00acedf7
0x00acf063
0x00acf064
0x00acf06a
0x00acedfd
0x00acee09
0x00acee0e
0x00acee13
0x00acee17
0x00000000
0x00acee1d
0x00acee24
0x00acee46
0x00acee52
0x00acee5e
0x00acee64
0x00acee67
0x00acee6d
0x00acee74
0x00acef0c
0x00acef0c
0x00acef11
0x00acef18
0x00acef53
0x00acef59
0x00acef64
0x00000000
0x00acef1a
0x00acef1a
0x00acef1d
0x00acef1d
0x00000000
0x00acef1f
0x00acef2e
0x00acef3f
0x00acef49
0x00acef4b
0x00acef4d
0x00000000
0x00000000
0x00000000
0x00000000
0x00acef4d
0x00acef1d
0x00acee7a
0x00acee88
0x00acee90
0x00acee95
0x00acee97
0x00000000
0x00acee9d
0x00aceea9
0x00aceeb3
0x00aceeb5
0x00aceeb7
0x00000000
0x00aceebd
0x00aceec9
0x00aceece
0x00aceed3
0x00aceed5
0x00aceed7
0x00000000
0x00aceedd
0x00aceedd
0x00aceee4
0x00acef06
0x00acef06
0x00000000
0x00aceee6
0x00aceef2
0x00aceefc
0x00aceefe
0x00acef00
0x00000000
0x00000000
0x00000000
0x00000000
0x00acef00
0x00aceee4
0x00aceed7
0x00aceeb7
0x00acee97
0x00acee54
0x00acee54
0x00000000
0x00acee54
0x00acee26
0x00acee32
0x00acee3c
0x00acee40
0x00000000
0x00000000
0x00000000
0x00000000
0x00acee40
0x00acee24
0x00acee17
0x00acedf7
0x00acedd7
0x00aced8d
0x00aced80
0x00aced44
0x00aced1c
0x00acf09d
0x00acf0a6

APIs

Part of subcall function 00ACE80D: memset.MSVCRT ref: 00ACE83E
Part of subcall function 00ACE80D: GetVersionExW.KERNEL32(0000011C,?,?,00000000), ref: 00ACE857
Part of subcall function 00ACE80D: GetVersionExW.KERNEL32(0000011C,?,?,00000000), ref: 00ACE872

LoadLibraryExW.KERNEL32(powershell.exe,00000000,00000000,?,00000000), ref: 00ACED05
SearchPathW.KERNEL32(00000000,powershell.exe,00000000,00000104,?,?,?,00000000), ref: 00ACED3C
FindResourceExW.KERNEL32(00000000,MUI,00000001,00000000,?,00000000), ref: 00ACED78
GetUserDefaultUILanguage.KERNEL32(?,00000000), ref: 00ACED93
GetSystemDefaultUILanguage.KERNEL32(?,?,?,?,?,?,?,00000000), ref: 00ACEE5E
FreeLibrary.KERNEL32(00000000,?,00000000), ref: 00ACEF78
FreeLibrary.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00ACF064
LoadLibraryExW.KERNEL32(powershell.exe,00000000,00000000,?,00000000), ref: 00ACF083
FreeLibrary.KERNEL32(00000000,?,00000000), ref: 00ACF090

Strings

%s\%s, xrefs: 00ACEF98
powershell.exe, xrefs: 00ACED00, 00ACED36, 00ACF07E
MUI, xrefs: 00ACED72

Memory Dump Source

Source File: 00000000.00000002.704615943.0000000000AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000000.00000002.704561834.0000000000AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.704801424.0000000000AD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.704853752.0000000000AD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.705229402.0000000000B24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ac0000_powershell.jbxd

Similarity

API ID: Library$Free$DefaultLanguageLoadVersion$FindPathResourceSearchSystemUsermemset
String ID: %s\%s$MUI$powershell.exe
API String ID: 2934321554-1410073735
Opcode ID: afec2fddef3578862f0e5e74fcccd2c53f1e02d3d78b57f634876b89ed7ae94c
Instruction ID: 5a6d3849677946fdfeffeb6999dfd8386983ed01921545cbd155c48cb308bb6c
Opcode Fuzzy Hash: afec2fddef3578862f0e5e74fcccd2c53f1e02d3d78b57f634876b89ed7ae94c
Instruction Fuzzy Hash: 26A17A75E0026D9BCF31DB608D55FEE737AAB84704F0240FDE946A7242EA308E85CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00ACE035 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 286
comCOMMON

Download Yara Rule

C-Code - Quality: 22%

			E00ACE035(void* __ebx, intOrPtr __ecx, signed int* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t86;
				signed int _t90;
				intOrPtr* _t91;
				intOrPtr* _t94;
				signed int _t96;
				signed int _t97;
				signed int _t106;
				signed int _t108;
				intOrPtr* _t109;
				signed int _t112;
				signed int _t114;
				signed int _t115;
				signed int _t116;
				signed int _t119;
				signed int _t121;
				signed int _t122;
				signed int _t124;
				intOrPtr* _t125;
				signed int _t129;
				signed int _t132;
				signed int _t133;
				intOrPtr* _t137;
				signed int _t143;
				signed int* _t145;
				intOrPtr* _t151;
				intOrPtr* _t165;
				signed int _t170;
				intOrPtr* _t173;
				intOrPtr* _t185;
				signed int* _t188;
				signed int _t196;
				signed int* _t200;
				void* _t201;
				intOrPtr* _t204;
				signed int _t206;
				intOrPtr _t212;
				intOrPtr* _t213;
				signed int _t215;
				void* _t218;
				signed int* _t219;

				_push(0x3c);
				E00ACB3EF(E00ACCAAE, __ebx, __edi, __esi);
				 *(_t218 - 0x34) = __edx;
				 *((intOrPtr*)(_t218 - 0x18)) = __ecx;
				if(__edx == 0) {
					L5:
					_t86 = 0;
					L6:
					return E00ACB3CC(_t86);
				}
				_t145 =  *(_t218 + 8);
				if(_t145 == 0) {
					goto L5;
				}
				_t188 =  *(_t218 + 0xc);
				if(_t188 == 0) {
					goto L5;
				}
				 *__edx =  *__edx & 0x00000000;
				 *_t188 =  *_t188 | 0xffffffff;
				 *_t145 =  *_t145 | 0xffffffff;
				if(__ecx != 0) {
					 *(_t218 - 0x20) =  *(_t218 - 0x20) & 0x00000000;
					 *((short*)(_t218 - 0x48)) = 0;
					 *((char*)(_t218 - 0xd)) = 0;
					_t143 = 1;
					E00ACD1E8(_t218 - 0x48, __ecx);
					 *((intOrPtr*)(_t218 - 4)) = 0;
					 *(_t218 - 0x1c) = 0;
					 *(_t218 - 0x2c) = 0;
					 *(_t218 - 0x24) = 0;
					 *(_t218 - 0x28) = 0;
					 *((char*)(_t218 - 4)) = 4;
					__imp__CoInitializeEx(0, 0);
					__eflags = 0;
					if(0 >= 0) {
						_t90 = _t218 - 0x1c;
						 *((char*)(_t218 - 0xd)) = 1;
						__imp__CoCreateInstance(0xac3e08, 0, 1, 0xac3df8, _t90);
						__eflags = _t90;
						if(_t90 >= 0) {
							_t91 =  *(_t218 - 0x1c);
							 *0xad2204(_t91, 0);
							 *((intOrPtr*)( *((intOrPtr*)( *_t91 + 0xfc))))();
							_t94 =  *(_t218 - 0x1c);
							_t219 = _t219 - 0x10;
							 *((short*)(_t218 - 0x14)) = 1;
							_t200 = _t219;
							asm("movsd");
							asm("movsd");
							asm("movsd");
							asm("movsd");
							_t210 =  *((intOrPtr*)( *_t94 + 0xe8));
							_t151 = _t210;
							 *0xad2204(_t94, _t218 - 0x14);
							_t96 =  *_t210();
							__eflags = _t96;
							if(_t96 < 0) {
								L40:
								_t97 =  *(_t218 - 0x1c);
								_push(_t151);
								 *_t219 = _t97;
								__eflags = _t97;
								if(__eflags != 0) {
									_t210 =  *((intOrPtr*)( *_t97 + 4));
									 *0xad2204(_t97);
									 *((intOrPtr*)( *((intOrPtr*)( *_t97 + 4))))();
								}
								E00ACDBC4(_t143,  *((intOrPtr*)(_t218 - 0x18)), _t200, _t210, __eflags);
								L43:
								_t143 = 0;
								__eflags = 0;
								L44:
								E00ACAA7D(_t218 - 0x28);
								E00ACAA7D(_t218 - 0x24);
								E00ACAA7D(_t218 - 0x2c);
								E00ACAA7D(_t218 - 0x1c);
								E00ACD7E6(_t218 - 0x48);
								__eflags =  *((char*)(_t218 - 0xd));
								if( *((char*)(_t218 - 0xd)) != 0) {
									__imp__CoUninitialize();
								}
								__imp__#6( *(_t218 - 0x20));
								_t86 = _t143;
								goto L6;
							}
							__eflags =  *((short*)(_t218 - 0x14));
							if( *((short*)(_t218 - 0x14)) == 0) {
								goto L40;
							}
							_t106 =  *(_t218 - 0x1c);
							 *0xad2204(_t106, _t218 - 0x2c);
							_t108 =  *((intOrPtr*)( *((intOrPtr*)( *_t106 + 0xb4))))();
							__eflags = _t108;
							if(_t108 < 0) {
								L39:
								_push( *((intOrPtr*)(_t218 - 0x18)));
								_t109 =  *0xad1704; // 0x3463d68
								_push(0x12);
								_push(0);
								_push(_t109);
								_t212 =  *_t109;
								L10:
								 *0xad2204();
								 *((intOrPtr*)(_t212 + 4))();
								goto L43;
							}
							_t112 =  *(_t218 - 0x2c);
							__eflags = _t112;
							if(_t112 == 0) {
								goto L39;
							}
							_t213 =  *((intOrPtr*)( *_t112 + 0x34));
							_t165 = _t213;
							 *0xad2204(_t112, _t218 - 0x24);
							_t114 =  *_t213();
							__eflags = _t114;
							if(_t114 < 0) {
								goto L39;
							}
							_t115 =  *(_t218 - 0x24);
							__eflags = _t115;
							if(_t115 == 0) {
								goto L39;
							}
							 *(_t218 - 0x30) =  *(_t218 - 0x30) & 0x00000000;
							_t201 = _t218 - 0x30;
							_push(_t165);
							 *_t219 = _t115;
							__eflags = _t115;
							if(__eflags != 0) {
								 *0xad2204(_t115);
								 *((intOrPtr*)( *((intOrPtr*)( *_t115 + 4))))();
							}
							_t214 =  *((intOrPtr*)(_t218 - 0x18));
							_t116 = E00ACDE50(_t143,  *((intOrPtr*)(_t218 - 0x18)), _t201, _t201,  *((intOrPtr*)(_t218 - 0x18)), __eflags);
							__eflags = _t116;
							if(_t116 == 0) {
								goto L43;
							} else {
								__eflags = E00ACE53C( *(_t218 - 0x30), _t214);
								if(__eflags == 0) {
									goto L43;
								}
								_push(L"/PSConsoleFile/PSVersion/text()");
								E00ACAA37(_t143, _t218 - 0x30, _t201, _t214, __eflags);
								 *((char*)(_t218 - 4)) = 5;
								_t215 =  *(_t218 - 0x30);
								__eflags = _t215;
								if(_t215 == 0) {
									_t170 = 0;
									__eflags = 0;
								} else {
									_t170 =  *_t215;
								}
								_t119 =  *(_t218 - 0x24);
								 *0xad2204(_t119, _t170, _t218 - 0x28);
								_t121 =  *((intOrPtr*)( *((intOrPtr*)( *_t119 + 0x94))))();
								__eflags = _t121;
								if(_t121 >= 0) {
									_t122 =  *(_t218 - 0x28);
									__eflags = _t122;
									if(_t122 != 0) {
										_t204 =  *((intOrPtr*)( *_t122 + 0x68));
										_t173 = _t204;
										 *0xad2204(_t122, _t218 - 0x20);
										_t124 =  *_t204();
										__eflags = _t124;
										if(_t124 < 0) {
											goto L27;
										}
										_t129 = E00ACF8AC(_t173,  *(_t218 - 0x20),  *(_t218 + 8),  *(_t218 + 0xc), _t143, _t143);
										__eflags = _t129;
										if(__eflags == 0) {
											goto L29;
										}
										__imp__#7( *(_t218 - 0x20));
										_t206 = _t129;
										_t196 = 2;
										_t60 = _t206 + 1; // 0x1
										_push( ~(0 | __eflags > 0x00000000) | _t60 * _t196);
										_t132 = E00ACACEC();
										 *(_t218 - 0x30) = _t132;
										__eflags = _t132;
										if(_t132 == 0) {
											goto L29;
										}
										_t69 = _t206 + 1; // 0x1
										_t133 = E00ACE440(_t132, _t69,  *(_t218 - 0x20));
										__eflags = _t133;
										if(_t133 < 0) {
											goto L29;
										}
										 *( *(_t218 - 0x34)) =  *(_t218 - 0x30);
										goto L30;
									}
									_push( *((intOrPtr*)(_t218 - 0x18)));
									_push(0x21);
									goto L28;
								} else {
									L27:
									_push( *((intOrPtr*)(_t218 - 0x18)));
									_push(0x12);
									L28:
									_t125 =  *0xad1704; // 0x3463d68
									 *0xad2204(_t125, 0);
									 *((intOrPtr*)( *_t125 + 4))();
									L29:
									_t143 = 0;
									__eflags = 0;
									L30:
									__eflags = _t215;
									if(_t215 != 0) {
										E00ACE378(_t215);
									}
									goto L44;
								}
							}
						}
						_push(_t90);
						_push(0xc);
						L9:
						_t185 =  *0xad1704; // 0x3463d68
						_push(0);
						_push(_t185);
						_t212 =  *_t185;
						goto L10;
					}
					_push(0);
					_push(0xb);
					goto L9;
				}
				_t137 =  *0xad1704; // 0x3463d68
				 *0xad2204(_t137, 1, 2, L"NULL");
				 *((intOrPtr*)( *_t137 + 4))();
				goto L5;
			}

0x00ace035
0x00ace03c
0x00ace043
0x00ace048
0x00ace04d
0x00ace08a
0x00ace08a
0x00ace08c
0x00ace091
0x00ace091
0x00ace04f
0x00ace054
0x00000000
0x00000000
0x00ace056
0x00ace05b
0x00000000
0x00000000
0x00ace05d
0x00ace060
0x00ace063
0x00ace068
0x00ace094
0x00ace09a
0x00ace0a4
0x00ace0a8
0x00ace0a9
0x00ace0b0
0x00ace0b3
0x00ace0b6
0x00ace0b9
0x00ace0bc
0x00ace0c1
0x00ace0c5
0x00ace0cb
0x00ace0cd
0x00ace0f1
0x00ace0f4
0x00ace105
0x00ace10b
0x00ace10d
0x00ace114
0x00ace124
0x00ace12a
0x00ace12c
0x00ace133
0x00ace136
0x00ace13a
0x00ace142
0x00ace143
0x00ace144
0x00ace145
0x00ace146
0x00ace14c
0x00ace14e
0x00ace154
0x00ace156
0x00ace158
0x00ace30e
0x00ace30e
0x00ace311
0x00ace314
0x00ace316
0x00ace318
0x00ace31d
0x00ace322
0x00ace328
0x00ace328
0x00ace32d
0x00ace332
0x00ace332
0x00ace332
0x00ace334
0x00ace337
0x00ace33f
0x00ace347
0x00ace34f
0x00ace357
0x00ace35c
0x00ace360
0x00ace362
0x00ace362
0x00ace36b
0x00ace371
0x00000000
0x00ace371
0x00ace15e
0x00ace163
0x00000000
0x00000000
0x00ace169
0x00ace17b
0x00ace181
0x00ace183
0x00ace185
0x00ace2fa
0x00ace2fa
0x00ace2fd
0x00ace302
0x00ace304
0x00ace306
0x00ace307
0x00ace0dd
0x00ace0e0
0x00ace0e6
0x00000000
0x00ace0e9
0x00ace18b
0x00ace18e
0x00ace190
0x00000000
0x00000000
0x00ace19d
0x00ace1a0
0x00ace1a2
0x00ace1a8
0x00ace1aa
0x00ace1ac
0x00000000
0x00000000
0x00ace1b2
0x00ace1b5
0x00ace1b7
0x00000000
0x00000000
0x00ace1bd
0x00ace1c1
0x00ace1c4
0x00ace1c7
0x00ace1c9
0x00ace1cb
0x00ace1d5
0x00ace1db
0x00ace1db
0x00ace1dd
0x00ace1e4
0x00ace1e9
0x00ace1eb
0x00000000
0x00ace1f1
0x00ace1fb
0x00ace1fd
0x00000000
0x00000000
0x00ace203
0x00ace20b
0x00ace210
0x00ace214
0x00ace217
0x00ace219
0x00ace21f
0x00ace21f
0x00ace21b
0x00ace21b
0x00ace21b
0x00ace221
0x00ace234
0x00ace23a
0x00ace23c
0x00ace23e
0x00ace274
0x00ace277
0x00ace279
0x00ace289
0x00ace28c
0x00ace28e
0x00ace294
0x00ace296
0x00ace298
0x00000000
0x00000000
0x00ace2a5
0x00ace2aa
0x00ace2ac
0x00000000
0x00000000
0x00ace2b1
0x00ace2b7
0x00ace2bd
0x00ace2be
0x00ace2ca
0x00ace2cb
0x00ace2d0
0x00ace2d4
0x00ace2d6
0x00000000
0x00000000
0x00ace2db
0x00ace2e0
0x00ace2e5
0x00ace2e7
0x00000000
0x00000000
0x00ace2f3
0x00000000
0x00ace2f3
0x00ace27b
0x00ace27e
0x00000000
0x00ace240
0x00ace240
0x00ace240
0x00ace243
0x00ace245
0x00ace245
0x00ace252
0x00ace258
0x00ace25e
0x00ace25e
0x00ace25e
0x00ace260
0x00ace260
0x00ace262
0x00ace26a
0x00ace26a
0x00000000
0x00ace262
0x00ace23e
0x00ace1eb
0x00ace10f
0x00ace110
0x00ace0d2
0x00ace0d2
0x00ace0d8
0x00ace0da
0x00ace0db
0x00000000
0x00ace0db
0x00ace0cf
0x00ace0d0
0x00000000
0x00ace0d0
0x00ace06a
0x00ace07e
0x00ace084
0x00000000

APIs

__EH_prolog3.LIBCMT ref: 00ACE03C
CoInitializeEx.OLE32(00000000,00000000,?,0000003C,00ACD020,00000001,00000000), ref: 00ACE0C5
CoCreateInstance.OLE32(00AC3E08,00000000,00000001,00AC3DF8,00000000,?,0000003C,00ACD020,00000001,00000000), ref: 00ACE105
SysStringLen.OLEAUT32(00000000), ref: 00ACE2B1
CoUninitialize.OLE32(?,?,?,00000001,00000000), ref: 00ACE362
SysFreeString.OLEAUT32(00000000), ref: 00ACE36B

Strings

/PSConsoleFile/PSVersion/text(), xrefs: 00ACE203
NULL, xrefs: 00ACE06F

Memory Dump Source

Source File: 00000000.00000002.704615943.0000000000AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000000.00000002.704561834.0000000000AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.704801424.0000000000AD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.704853752.0000000000AD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.705229402.0000000000B24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ac0000_powershell.jbxd

Similarity

API ID: String$CreateFreeH_prolog3InitializeInstanceUninitialize
String ID: /PSConsoleFile/PSVersion/text()$NULL
API String ID: 676599697-3169875599
Opcode ID: 6a1c6436ddb6e508871d1be88162b97189fef6c535d0ed581570eb471c52788d
Instruction ID: 91b954e8ecb8cc6e384fc62c76db1d96f09d740e11ecc396ed9b10c1a3ed8f1e
Opcode Fuzzy Hash: 6a1c6436ddb6e508871d1be88162b97189fef6c535d0ed581570eb471c52788d
Instruction Fuzzy Hash: 2DA17E71A00215AFDF04DBA8CE45FEE77B9AF48700F15801DE506EB291DB71AD02CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00ACE75F Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 59
registryCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00ACE75F() {
				signed int _v8;
				char _v16;
				void* _v20;
				int _v24;
				void* __edi;
				void* __esi;
				signed int _t14;
				intOrPtr _t17;
				long _t23;
				char* _t25;
				void* _t27;
				void* _t30;
				void* _t31;
				signed int _t32;
				void* _t33;
				signed int _t35;
				void* _t36;
				void* _t37;

				_t14 =  *0xad1368; // 0x96213ca
				_v8 = _t14 ^ _t35;
				_t37 = 0 -  *0xad1930; // 0x0
				if(_t37 == 0) {
					_push(_t31);
					_v24 = 6;
					_t32 = 0;
					if(RegOpenKeyExW(0x80000002, L"Software\\Microsoft\\Active Setup\\Installed Components\\{89820200-ECBD-11CF-8B85-00AA005B4383}", 0, 1,  &_v20) == 0) {
						_t23 = RegQueryValueExW(_v20, L"Locale", 0, 0,  &_v16,  &_v24);
						RegCloseKey(_v20);
						_t33 = _t33;
						if(_t23 == 0) {
							while(1) {
								_t25 =  &_v16;
								__imp___wcsnicmp(_t25,  *((intOrPtr*)(0xac1790 + _t32 * 8)), 3);
								_t36 = _t36 + 0xc;
								if(_t25 == 0) {
									break;
								}
								_t32 = _t32 + 1;
								if(_t32 < 0x1c) {
									continue;
								} else {
								}
								goto L7;
							}
							 *0xad1930 =  *((intOrPtr*)(0xac1794 + _t32 * 8));
						}
					}
					L7:
					_pop(_t31);
				}
				_t17 =  *0xad1930; // 0x0
				return E00ACAFD0(_t17, _t27, _v8 ^ _t35, _t30, _t31, _t33);
			}

0x00ace767
0x00ace76e
0x00ace773
0x00ace77a
0x00ace77c
0x00ace780
0x00ace78a
0x00ace79f
0x00ace7b4
0x00ace7bf
0x00ace7c7
0x00ace7c8
0x00ace7ca
0x00ace7d3
0x00ace7d7
0x00ace7dd
0x00ace7e2
0x00000000
0x00000000
0x00ace7e4
0x00ace7e8
0x00000000
0x00000000
0x00ace7ea
0x00000000
0x00ace7e8
0x00ace7f4
0x00ace7f4
0x00ace7c8
0x00ace7fa
0x00ace7fa
0x00ace7fa
0x00ace7fe
0x00ace80c

APIs

RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383},00000000,00000001,00ACEFC9,?), ref: 00ACE797
RegQueryValueExW.ADVAPI32(00ACEFC9,Locale,00000000,00000000,?,00000006,00000000), ref: 00ACE7B4
RegCloseKey.ADVAPI32(00ACEFC9), ref: 00ACE7BF
_wcsnicmp.MSVCRT ref: 00ACE7D7

Strings

Locale, xrefs: 00ACE7AC
Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}, xrefs: 00ACE78D

Memory Dump Source

Source File: 00000000.00000002.704615943.0000000000AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000000.00000002.704561834.0000000000AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.704801424.0000000000AD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.704853752.0000000000AD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.705229402.0000000000B24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ac0000_powershell.jbxd

Similarity

API ID: CloseOpenQueryValue_wcsnicmp
String ID: Locale$Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}
API String ID: 2262609651-1161606707
Opcode ID: 6dfb48be2a1847e8f0692aedae34d42c313e3e7d8dc4c16ecd834d699030f439
Instruction ID: aca5e5ae55a7ff7421552707777d54ad9533eedec179ab344e30a0b6f458d888
Opcode Fuzzy Hash: 6dfb48be2a1847e8f0692aedae34d42c313e3e7d8dc4c16ecd834d699030f439
Instruction Fuzzy Hash: FA115E79A11215ABDB10DBE5DD58FAB77BDFB94B40F02042AE913A2260E6308946CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00ACEAAE Relevance: 9.1, APIs: 6, Instructions: 62
filelibraryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00ACEAAE(WCHAR* __ecx, void* __edx, intOrPtr _a4) {
				void* _t17;
				void* _t18;
				signed int _t19;

				if(__ecx == 0) {
					L7:
					return 0;
				}
				if(__edx == 0) {
					return LoadLibraryExW(__ecx, 0, 0 | _a4 != 0x00000000);
				}
				_t18 = CreateFileW(__ecx, 0x80000000, 5, 0, 3, 0, 0);
				if(_t18 == 0xffffffff) {
					goto L7;
				}
				_t17 = CreateFileMappingW(_t18, 0, 8, 0, 0, 0);
				CloseHandle(_t18);
				if(_t17 == 0) {
					goto L7;
				}
				_t19 = MapViewOfFile(_t17, 1, 0, 0, 0);
				CloseHandle(_t17);
				if(_t19 == 0) {
					goto L7;
				}
				return _t19 | 0x00000001;
			}

0x00aceab8
0x00aceb28
0x00000000
0x00aceb28
0x00aceabc
0x00000000
0x00aceb20
0x00acead3
0x00acead8
0x00000000
0x00000000
0x00aceae8
0x00aceaea
0x00aceaf2
0x00000000
0x00000000
0x00aceb01
0x00aceb03
0x00aceb0b
0x00000000
0x00000000
0x00000000

APIs

CreateFileW.KERNEL32(?,80000000,00000005,00000000,00000003,00000000,00000000,?,00000000,00000000,?,00ACEFBB,00000000), ref: 00ACEACD
CreateFileMappingW.KERNEL32(00000000,00000000,00000008,00000000,00000000,00000000,?,00ACEFBB,00000000,?,?,?,00000000), ref: 00ACEAE1
CloseHandle.KERNEL32(00000000,?,00ACEFBB,00000000,?,?,?,00000000), ref: 00ACEAEA
MapViewOfFile.KERNEL32(00000000,00000001,00000000,00000000,00000000,?,00ACEFBB,00000000,?,?,?,00000000), ref: 00ACEAFA
CloseHandle.KERNEL32(00000000,?,00ACEFBB,00000000,?,?,?,00000000), ref: 00ACEB03
LoadLibraryExW.KERNEL32(?,00000000,00000000,?,00000000,00000000,?,00ACEFBB,00000000,?,?,?,00000000), ref: 00ACEB20

Memory Dump Source

Source File: 00000000.00000002.704615943.0000000000AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000000.00000002.704561834.0000000000AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.704801424.0000000000AD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.704853752.0000000000AD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.705229402.0000000000B24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ac0000_powershell.jbxd

Similarity

API ID: File$CloseCreateHandle$LibraryLoadMappingView
String ID:
API String ID: 1262414356-0
Opcode ID: 4591e73013c8ef5f94fd3d4bf01e35ce217bfc15facac8599615c7c8d91cdebf
Instruction ID: 3ce6ecf00d22b1e15aa82ab0845fd1c2741b438fee3741b1dae6ff6cb3341b3c
Opcode Fuzzy Hash: 4591e73013c8ef5f94fd3d4bf01e35ce217bfc15facac8599615c7c8d91cdebf
Instruction Fuzzy Hash: 4401A7B26422187FF32497B55C8CF7B766CDF54BA5F16C12EF90392190D5659C02C270

Uniqueness

Uniqueness Score: -1.00%

Function 00ACF994 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 94
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00ACF994(void* __ebx, void* __ecx, void* __edi, void* __esi, signed int _a4, char _a8) {
				signed int _v8;
				char _v24;
				char _v32;
				signed int _t33;
				intOrPtr _t37;
				signed int _t48;
				char* _t52;
				signed char _t58;
				signed char _t61;
				void* _t68;

				_t73 = __esi;
				_t71 = __edi;
				_t57 = __ebx;
				_t33 = _a4 & 0x00000017;
				 *(__ecx + 0xc) = _t33;
				_t61 =  *(__ecx + 0x10) & _t33;
				if(_t61 == 0) {
					return _t33;
				} else {
					if(_a8 != 0) {
						_push(0);
						_push(0);
					} else {
						_t84 = _t61 & 0x00000004;
						if((_t61 & 0x00000004) == 0) {
							__eflags = _t61 & 0x00000002;
							if(__eflags == 0) {
								_push(E00ACC83F( &_v32));
								_push("ios_base::eofbit set");
								_t61 =  &_v24;
								E00ACC118(__ebx, _t61, __edi, __esi, __eflags);
								_push(0xacfdec);
								_t52 =  &_v32;
							} else {
								_push(E00ACC83F( &_v32));
								_push("ios_base::failbit set");
								_t61 =  &_v24;
								E00ACC118(__ebx, _t61, __edi, __esi, __eflags);
								_push(0xacfdec);
								_t52 =  &_v32;
							}
						} else {
							_push(E00ACC83F( &_v32));
							_push("ios_base::badbit set");
							_t61 =  &_v24;
							E00ACC118(__ebx, _t61, __edi, __esi, _t84);
							_push(0xacfdec);
							_t52 =  &_v32;
						}
						_push(_t52);
					}
					L00ACB3C6();
					asm("int3");
					_push(8);
					E00ACB3EF(E00ACCC3F, _t57, _t71, _t73);
					_t58 = _t61;
					_t37 =  *((intOrPtr*)( *_t58 + 4));
					_t85 =  *((intOrPtr*)(_t37 + _t58 + 0x38));
					if( *((intOrPtr*)(_t37 + _t58 + 0x38)) != 0) {
						_push(_t58);
						E00ACF441(_t58,  &_v24, _t71, _t73, _t85);
						_v8 = _v8 & 0x00000000;
						if(E00ACC1F5( &_v24) != 0xffffffff) {
							_t72 =  *((intOrPtr*)( *((intOrPtr*)( *_t58 + 4)) + _t58 + 0x38));
							_t74 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t58 + 4)) + _t58 + 0x38)))) + 0x34));
							 *0xad2204();
							if( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t58 + 4)) + _t58 + 0x38)))) + 0x34))))() == 0xffffffff) {
								_t68 =  *((intOrPtr*)( *_t58 + 4)) + _t58;
								_t48 =  *(_t68 + 0xc);
								if( *((intOrPtr*)(_t68 + 0x38)) == 0) {
									_t48 = _t48 | 0x00000004;
								}
								_t41 = E00ACF994(_t58, _t68, _t72, _t74, _t48 | 0x00000004, 0);
							}
						}
						E00ACF4E5(_t41,  &_v24);
					}
					return E00ACB3CC(_t58);
				}
			}

0x00acf994
0x00acf994
0x00acf994
0x00acf9a2
0x00acf9a5
0x00acf9ab
0x00acf9ad
0x00acfa28
0x00acf9af
0x00acf9b3
0x00acfa2b
0x00acfa2d
0x00acf9b5
0x00acf9b5
0x00acf9b8
0x00acf9de
0x00acf9e5
0x00acfa0b
0x00acfa0c
0x00acfa11
0x00acfa15
0x00acfa1a
0x00acfa1f
0x00acf9e7
0x00acf9ec
0x00acf9ed
0x00acf9f2
0x00acf9f6
0x00acf9fb
0x00acfa00
0x00acfa00
0x00acf9ba
0x00acf9c3
0x00acf9c4
0x00acf9c9
0x00acf9cd
0x00acf9d2
0x00acf9d7
0x00acf9d7
0x00acf9db
0x00acf9db
0x00acfa2f
0x00acfa34
0x00acfa35
0x00acfa3c
0x00acfa41
0x00acfa45
0x00acfa48
0x00acfa4d
0x00acfa4f
0x00acfa53
0x00acfa58
0x00acfa67
0x00acfa6e
0x00acfa74
0x00acfa79
0x00acfa86
0x00acfa8d
0x00acfa93
0x00acfa96
0x00acfa98
0x00acfa98
0x00acfaa1
0x00acfaa1
0x00acfa86
0x00acfaa9
0x00acfaa9
0x00acfab5
0x00acfab5

APIs

_CxxThrowException.MSVCRT(00000000,00000000), ref: 00ACFA2F
__EH_prolog3.LIBCMT ref: 00ACFA3C

Part of subcall function 00ACC118: __EH_prolog3_GS.LIBCMT ref: 00ACC11F
Part of subcall function 00ACC118: ??0exception@@QAE@ABQBD@Z.MSVCRT(00ACFA1A), ref: 00ACC159

Strings

ios_base::eofbit set, xrefs: 00ACFA0C
ios_base::failbit set, xrefs: 00ACF9ED
ios_base::badbit set, xrefs: 00ACF9C4

Memory Dump Source

Source File: 00000000.00000002.704615943.0000000000AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000000.00000002.704561834.0000000000AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.704801424.0000000000AD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.704853752.0000000000AD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.705229402.0000000000B24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ac0000_powershell.jbxd

Similarity

API ID: ??0exception@@ExceptionH_prolog3H_prolog3_Throw
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 881692067-1866435925
Opcode ID: f1bbfff61d75f8bf5385c7fefd031fc25418aefa52121fab15be331eaf4c3b18
Instruction ID: 3d44a0d572130778fdb3fe622907bdc7cae81073e63210107c95d3c26940eb42
Opcode Fuzzy Hash: f1bbfff61d75f8bf5385c7fefd031fc25418aefa52121fab15be331eaf4c3b18
Instruction Fuzzy Hash: B831B230600200AFD704EF54CA92FA973B5AF54324F57496CF46AAB2D2DB70ED09CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00ACDBC4 Relevance: 7.6, APIs: 5, Instructions: 134
fileCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E00ACDBC4(void* __ebx, WCHAR* __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t46;
				void* _t50;
				intOrPtr* _t52;
				signed int _t56;
				signed int _t59;
				signed int _t62;
				intOrPtr* _t65;
				long _t68;
				long _t73;
				WCHAR* _t96;
				intOrPtr* _t97;
				void* _t106;
				void* _t107;

				_push(0x14);
				E00ACB3EF(E00ACCA18, __ebx, __edi, __esi);
				_t96 = __ecx;
				 *(_t106 - 0x20) = __ecx;
				 *((intOrPtr*)(_t106 - 4)) = 0;
				_t73 = 1;
				 *((intOrPtr*)(_t106 - 0x14)) = 0;
				if( *((intOrPtr*)(_t106 + 8)) != 0 && E00ACA390(__ecx) == 0) {
					_t50 = CreateFileW(_t96, 1, 1, 0, 3, 0, 0);
					if(_t50 != 0xffffffff) {
						CloseHandle(_t50);
						 *(_t106 - 0x10) =  *(_t106 - 0x10) & 0x00000000;
						 *((char*)(_t106 - 4)) = 1;
						_t52 =  *((intOrPtr*)(_t106 + 8));
						 *0xad2204(_t52, _t106 - 0x10);
						if( *((intOrPtr*)( *((intOrPtr*)( *_t52 + 0xf0))))() < 0) {
							L13:
							_t73 = 0;
							 *((char*)(_t106 - 4)) = 0;
						} else {
							_t56 =  *(_t106 - 0x10);
							if(_t56 == 0) {
								goto L13;
							} else {
								 *0xad2204(_t56, _t106 - 0x14);
								if( *((intOrPtr*)( *((intOrPtr*)( *_t56 + 0x24))))() < 0 ||  *((intOrPtr*)(_t106 - 0x14)) == 0) {
									goto L13;
								} else {
									_t59 =  *(_t106 - 0x10);
									 *(_t106 - 0x1c) =  *(_t106 - 0x1c) | 0xffffffff;
									 *0xad2204(_t59, _t106 - 0x1c);
									if( *((intOrPtr*)( *((intOrPtr*)( *_t59 + 0x2c))))() < 0 ||  *(_t106 - 0x1c) == 0xffffffff) {
										goto L13;
									} else {
										_t62 =  *(_t106 - 0x10);
										 *(_t106 - 0x18) =  *(_t106 - 0x18) | 0xffffffff;
										 *0xad2204(_t62, _t106 - 0x18);
										if( *((intOrPtr*)( *((intOrPtr*)( *_t62 + 0x30))))() < 0 ||  *(_t106 - 0x18) == 0xffffffff) {
											goto L13;
										} else {
											_t65 =  *0xad1704; // 0x3463d68
											 *0xad2204(_t65, 0, 0x20, _t96,  *((intOrPtr*)(_t106 - 0x14)),  *(_t106 - 0x1c),  *(_t106 - 0x18));
											 *((intOrPtr*)( *_t65 + 4))();
											_t107 = _t107 + 0x1c;
											 *((char*)(_t106 - 4)) = 0;
										}
									}
								}
							}
						}
						E00ACAA7D(_t106 - 0x10);
					} else {
						_t68 = GetLastError();
						_t97 =  *0xad1704; // 0x3463d68
						 *0xad2204(_t68, 0x1f,  *(_t106 - 0x20));
						 *((intOrPtr*)( *((intOrPtr*)( *_t97 + 8))))();
						_t96 =  *(_t106 - 0x20);
					}
				}
				__imp__#6( *((intOrPtr*)(_t106 - 0x14)));
				if(_t73 == 0) {
					_t46 =  *0xad1704; // 0x3463d68
					 *0xad2204(_t46, 0, 0xd, _t96);
					 *((intOrPtr*)( *_t46 + 4))();
				}
				return E00ACB3CC(E00ACAA7D(_t106 + 8));
			}

0x00acdbc4
0x00acdbcb
0x00acdbd0
0x00acdbd2
0x00acdbd9
0x00acdbdc
0x00acdbdd
0x00acdbe3
0x00acdbff
0x00acdc08
0x00acdc36
0x00acdc3c
0x00acdc40
0x00acdc46
0x00acdc55
0x00acdc5f
0x00acdd03
0x00acdd03
0x00acdd05
0x00acdc65
0x00acdc65
0x00acdc6a
0x00000000
0x00acdc70
0x00acdc7c
0x00acdc86
0x00000000
0x00acdc8e
0x00acdc8e
0x00acdc94
0x00acdca1
0x00acdcab
0x00000000
0x00acdcb3
0x00acdcb3
0x00acdcb9
0x00acdcc6
0x00acdcd0
0x00000000
0x00acdcd8
0x00acdcdb
0x00acdcf1
0x00acdcf7
0x00acdcfa
0x00acdcfd
0x00acdcfd
0x00acdcd0
0x00acdcab
0x00acdc86
0x00acdc6a
0x00acdd0b
0x00acdc0a
0x00acdc0a
0x00acdc10
0x00acdc23
0x00acdc2b
0x00acdc2d
0x00acdc2d
0x00acdc08
0x00acdd13
0x00acdd1b
0x00acdd1d
0x00acdd2d
0x00acdd33
0x00acdd36
0x00acdd46

APIs

__EH_prolog3.LIBCMT ref: 00ACDBCB
CreateFileW.KERNEL32(?,00000001,00000001,?,00000003,?,?,?,00000014,00ACE332,?,?,?,00000001,00000000), ref: 00ACDBFF
GetLastError.KERNEL32(?,00000001,00000001,?,00000003,?,?,?,00000014,00ACE332,?,?,?,00000001,00000000), ref: 00ACDC0A
CloseHandle.KERNEL32(00000000,?,00000001,00000001,?,00000003,?,?,?,00000014,00ACE332,?,?,?,00000001,00000000), ref: 00ACDC36
SysFreeString.OLEAUT32(FFFFFFFF), ref: 00ACDD13

Memory Dump Source

Source File: 00000000.00000002.704615943.0000000000AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000000.00000002.704561834.0000000000AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.704801424.0000000000AD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.704853752.0000000000AD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.705229402.0000000000B24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ac0000_powershell.jbxd

Similarity

API ID: CloseCreateErrorFileFreeH_prolog3HandleLastString
String ID:
API String ID: 792754308-0
Opcode ID: 316134e81c4b2e819203652d80f43c771accd923125db470ff51442b0fb4698d
Instruction ID: 0cfabdcb84e9c0e46ae81ed8f16b89cdca59287ea086ab5bf29a1341a1ddc51e
Opcode Fuzzy Hash: 316134e81c4b2e819203652d80f43c771accd923125db470ff51442b0fb4698d
Instruction Fuzzy Hash: 96513830A0121ADFDB05DFA4CD45FBE7B75EF84710F158129E562AB2A0D7306D02CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00ACA830 Relevance: 7.6, APIs: 5, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 21%

			E00ACA830(void* __edx) {
				signed int _v8;
				struct _OSVERSIONINFOEXW _v292;
				signed int _t13;
				intOrPtr _t20;
				void* _t22;
				void* _t26;
				void* _t27;
				void* _t28;
				signed int _t29;

				_t26 = __edx;
				_t13 =  *0xad1368; // 0x96213ca
				_v8 = _t13 ^ _t29;
				_v292.dwOSVersionInfoSize = 0x11c;
				_v292.dwBuildNumber = 0;
				_v292.dwPlatformId = 0;
				memset( &(_v292.szCSDVersion), 0, 0x100);
				_v292.wServicePackMinor = 0;
				_v292.wSuiteMask = 0;
				__imp__VerSetConditionMask(0, 0, 2, 3, 1, 3, 0x20, 3);
				__imp__VerSetConditionMask(0, _t26);
				__imp__VerSetConditionMask(0, _t26);
				_push(_t26);
				_v292.dwMajorVersion = 6;
				_v292.dwMinorVersion = 1;
				_v292.wServicePackMajor = 0;
				if(VerifyVersionInfoW( &_v292, 0x23, 0) == 0) {
					_t20 = 0;
				} else {
					_t20 = 1;
				}
				return E00ACAFD0(_t20, _t22, _v8 ^ _t29, _t26, _t27, _t28);
			}

0x00aca830
0x00aca83b
0x00aca842
0x00aca850
0x00aca85d
0x00aca867
0x00aca871
0x00aca87b
0x00aca87f
0x00aca890
0x00aca898
0x00aca8a0
0x00aca8a6
0x00aca8b0
0x00aca8bc
0x00aca8c7
0x00aca8d3
0x00aca8e7
0x00aca8d5
0x00aca8d5
0x00aca8d5
0x00aca8e4

APIs

memset.MSVCRT ref: 00ACA871
VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003), ref: 00ACA890
VerSetConditionMask.KERNEL32(00000000), ref: 00ACA898
VerSetConditionMask.KERNEL32(00000000), ref: 00ACA8A0
VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 00ACA8CB

Memory Dump Source

Source File: 00000000.00000002.704615943.0000000000AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000000.00000002.704561834.0000000000AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.704801424.0000000000AD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.704853752.0000000000AD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.705229402.0000000000B24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ac0000_powershell.jbxd

Similarity

API ID: ConditionMask$InfoVerifyVersionmemset
String ID:
API String ID: 375572348-0
Opcode ID: cbe10aee24e228d62b5e3b1e17f7d6668aecc50b1a1c7aa81eadb934dcb7c8b5
Instruction ID: 9dc8b3aa63eb4e4b502753f6fd978273890bf70aa3296efc7c144f78e95d033c
Opcode Fuzzy Hash: cbe10aee24e228d62b5e3b1e17f7d6668aecc50b1a1c7aa81eadb934dcb7c8b5
Instruction Fuzzy Hash: 4D11ECB0A40308ABEB64DFA0DC0AFEA77B8EF58704F404099B605AA181D6B55B45DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00ACF660 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E00ACF660(void* __ecx, void* __edx, WCHAR* _a4, intOrPtr* _a8) {
				wchar_t* _v0;
				signed int _v8;
				wchar_t* _v12;
				char _v526;
				short _v528;
				intOrPtr* _v556;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t31;
				long* _t33;
				void* _t37;
				void* _t40;
				void* _t57;
				WCHAR* _t59;
				void* _t60;
				WCHAR* _t65;
				long _t66;
				void* _t69;
				wchar_t* _t70;
				void* _t71;
				void* _t72;
				signed int _t74;
				void* _t75;
				intOrPtr* _t76;
				signed int _t77;

				_t69 = __edx;
				_t31 =  *0xad1368; // 0x96213ca
				_v8 = _t31 ^ _t77;
				_t59 = _a4;
				_t71 = __ecx;
				_t33 =  *(__ecx + 8);
				_t73 =  *_t33;
				 *0xad2204(_t33, 0,  &_v528, 0x104);
				 *0xad2204( *(__ecx + 8),  *((intOrPtr*)(_t73 + 0xc))());
				_t37 =  *((intOrPtr*)(_t73 + 8))();
				if(_t37 != 0) {
					_t11 = _t37 - 1; // -1
					_t74 = _t11;
					if(_t74 >= 0) {
						while( *((short*)(_t77 + _t74 * 2 - 0x20c)) != 0x5c) {
							_t74 = _t74 - 1;
							if(_t74 >= 0) {
								continue;
							}
							goto L6;
						}
					}
					L6:
					_t65 = _t59;
					_t40 = E00ACF7B4(_t59, _t65, _t69,  &_v526 + _t74 * 2);
					_t75 = 2 + _t74 * 2;
					if(_t75 >= 0x208) {
						E00ACB2B4(_t40, _t59, _t65, _t69, _t71, _t75);
						asm("int3");
						_push(_t77);
						_push(_t65);
						_push(_t59);
						_push(_t75);
						_t76 = _v556;
						_t60 = 1;
						_push(_t71);
						_t72 = 0x30;
						if( *_t76 - _t72 <= 9) {
							L18:
							_t60 = 0;
						} else {
							_t70 = _v0;
							if(E00ACA390(_t70) != 0 || _t70 >= _t76) {
								goto L18;
							} else {
								while( *_t70 == _t72) {
									_t70 =  &(_t70[0]);
									if(_t70 < _t76) {
										continue;
									}
									break;
								}
								if((_t76 - _t70 & 0xfffffffe) > 0x14) {
									goto L18;
								} else {
									_v12 = _v12 & 0x00000000;
									_t66 = wcstoul(_t70,  &_v12, 0xa);
									if(_t76 != _v12 || _t66 > 0x7fffffff) {
										goto L18;
									} else {
										 *_a8 = _t66;
									}
								}
							}
						}
						return _t60;
					} else {
						 *((short*)(_t77 + _t75 - 0x20c)) = 0;
						_t73 = 0x104;
						ExpandEnvironmentStringsW( &_v528, _t59, 0x104);
						ExpandEnvironmentStringsW(L"%windir%\\System32\\WindowsPowerShell\\v1.0\\",  &(_t59[0x104]), 0x104);
						_t57 = 0;
						goto L2;
					}
				} else {
					_t57 = 0xffff0000;
					L2:
					return E00ACAFD0(_t57, _t59, _v8 ^ _t77, _t69, _t71, _t73);
				}
			}

0x00acf660
0x00acf66b
0x00acf672
0x00acf676
0x00acf67b
0x00acf68b
0x00acf68f
0x00acf694
0x00acf6a4
0x00acf6aa
0x00acf6af
0x00acf6c7
0x00acf6c7
0x00acf6cc
0x00acf6ce
0x00acf6d9
0x00acf6dc
0x00000000
0x00000000
0x00000000
0x00acf6dc
0x00acf6ce
0x00acf6de
0x00acf6e4
0x00acf6ea
0x00acf6ef
0x00acf6fc
0x00acf733
0x00acf738
0x00acf73b
0x00acf73e
0x00acf73f
0x00acf740
0x00acf741
0x00acf744
0x00acf746
0x00acf749
0x00acf754
0x00acf7a9
0x00acf7a9
0x00acf756
0x00acf756
0x00acf761
0x00000000
0x00acf767
0x00acf767
0x00acf76c
0x00acf771
0x00000000
0x00000000
0x00000000
0x00acf771
0x00acf77d
0x00000000
0x00acf77f
0x00acf77f
0x00acf793
0x00acf798
0x00000000
0x00acf7a2
0x00acf7a5
0x00acf7a5
0x00acf798
0x00acf77d
0x00acf761
0x00acf7b1
0x00acf6fe
0x00acf700
0x00acf708
0x00acf716
0x00acf729
0x00acf72f
0x00000000
0x00acf72f
0x00acf6b1
0x00acf6b1
0x00acf6b6
0x00acf6c4
0x00acf6c4

APIs

ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?), ref: 00ACF716
ExpandEnvironmentStringsW.KERNEL32(%windir%\System32\WindowsPowerShell\v1.0\,?,00000104), ref: 00ACF729

Strings

%windir%\System32\WindowsPowerShell\v1.0\, xrefs: 00ACF724
\, xrefs: 00ACF6CE

Memory Dump Source

Source File: 00000000.00000002.704615943.0000000000AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000000.00000002.704561834.0000000000AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.704801424.0000000000AD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.704853752.0000000000AD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.705229402.0000000000B24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ac0000_powershell.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: %windir%\System32\WindowsPowerShell\v1.0\$\
API String ID: 237503144-1085012011
Opcode ID: 0badeac75a7015f422199538f5b4d547b55c70c4e4c8119ca5d8a8751c3919d6
Instruction ID: 101e6d055019e0cd4b88292c1270feb823030d979fb4c2fe64dfbfdf93e22d03
Opcode Fuzzy Hash: 0badeac75a7015f422199538f5b4d547b55c70c4e4c8119ca5d8a8751c3919d6
Instruction Fuzzy Hash: 89218E72601214AFCB10DFA5CC48FDAB7A9EF58310F42457AE927D7561DB30AD44CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00ACDAB0 Relevance: 6.1, APIs: 4, Instructions: 71
windowCOMMON

Download Yara Rule

C-Code - Quality: 43%

			E00ACDAB0(long _a4, intOrPtr _a8, intOrPtr _a12) {
				short _v8;
				void* __ecx;
				void* _t19;
				intOrPtr* _t26;
				intOrPtr* _t28;
				signed int _t39;
				void* _t43;
				void* _t46;
				void* _t51;

				_push(_t28);
				_t26 = _t28;
				_v8 = 0;
				_t19 = FormatMessageW(0x1100, 0, _a4, 0,  &_v8, 0, 0);
				_t46 = _t19;
				_t51 = _t46;
				if(_t51 == 0) {
					L8:
					return _t19;
				}
				_t4 = _t46 + 1; // 0x1
				_t39 = 2;
				_push( ~(0 | _t51 > 0x00000000) | _t4 * _t39);
				_t43 = E00ACACEC();
				if(_t43 != 0) {
					_t12 = _t46 + 1; // 0x1
					if(E00ACE440(_t43, _t12, _v8) < 0) {
						_t46 = 0;
						__imp__??_V@YAXPAX@Z(_t43);
						_t43 = 0;
					}
				}
				_t19 = LocalFree(_v8);
				if(_t46 != 0) {
					 *0xad2204(_t26, 0, _a8, _a12, _t43);
					_t19 =  *((intOrPtr*)( *_t26 + 4))();
					if(_t43 != 0) {
						__imp__??_V@YAXPAX@Z(_t43);
					}
				}
				goto L8;
			}

0x00acdab5
0x00acdab8
0x00acdac6
0x00acdacf
0x00acdad5
0x00acdad7
0x00acdad9
0x00acdb4c
0x00acdb4f
0x00acdb4f
0x00acdade
0x00acdae3
0x00acdaed
0x00acdaf3
0x00acdaf8
0x00acdafd
0x00acdb09
0x00acdb0c
0x00acdb0e
0x00acdb15
0x00acdb15
0x00acdb09
0x00acdb1a
0x00acdb22
0x00acdb33
0x00acdb39
0x00acdb41
0x00acdb44
0x00acdb4a
0x00acdb41
0x00000000

APIs

FormatMessageW.KERNEL32(00001100,00000000,?,00000000,?,00000000,00000000), ref: 00ACDACF
??_V@YAXPAX@Z.MSVCRT ref: 00ACDB0E
LocalFree.KERNEL32(?), ref: 00ACDB1A
??_V@YAXPAX@Z.MSVCRT ref: 00ACDB44

Memory Dump Source

Source File: 00000000.00000002.704615943.0000000000AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000000.00000002.704561834.0000000000AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.704801424.0000000000AD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.704853752.0000000000AD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.705229402.0000000000B24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ac0000_powershell.jbxd

Similarity

API ID: FormatFreeLocalMessage
String ID:
API String ID: 1427518018-0
Opcode ID: 279494cc7646d56ae72265502753ed26a9cf164067af7cc1ad86714b7d03f631
Instruction ID: 0025fbd1e2272159c8525b6d9c82139d0a9d9dc12334f218fdda82e5d676a21b
Opcode Fuzzy Hash: 279494cc7646d56ae72265502753ed26a9cf164067af7cc1ad86714b7d03f631
Instruction Fuzzy Hash: 35110133601201BFDB199BA4CD0AFBFBB7AEB84B10B06812EF91396150EB71AD01C750

Uniqueness

Uniqueness Score: -1.00%

Function 00ACAD00 Relevance: 6.0, APIs: 4, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00ACAD00() {
				intOrPtr* _t4;
				intOrPtr* _t5;
				void* _t6;
				intOrPtr _t11;
				intOrPtr _t12;

				 *0xad139c = E00ACAF4D();
				__set_app_type(E00ACB578(1));
				 *0xad16e8 =  *0xad16e8 | 0xffffffff;
				 *0xad16ec =  *0xad16ec | 0xffffffff;
				_t4 = __p__fmode();
				_t11 =  *0xad16d8; // 0x0
				 *_t4 = _t11;
				_t5 = __p__commode();
				_t12 =  *0xad16cc; // 0x0
				 *_t5 = _t12;
				_t6 = E00ACB5C0();
				if( *0xad1364 == 0) {
					__setusermatherr(E00ACB5C0);
				}
				E00ACB7AD(_t6);
				return 0;
			}

0x00acad07
0x00acad12
0x00acad18
0x00acad1f
0x00acad28
0x00acad2e
0x00acad34
0x00acad36
0x00acad3c
0x00acad42
0x00acad44
0x00acad50
0x00acad57
0x00acad5d
0x00acad5e
0x00acad65

APIs

Part of subcall function 00ACB578: GetModuleHandleW.KERNEL32(00000000), ref: 00ACB57F

__set_app_type.MSVCRT ref: 00ACAD12
__p__fmode.MSVCRT ref: 00ACAD28
__p__commode.MSVCRT ref: 00ACAD36
__setusermatherr.MSVCRT ref: 00ACAD57

Memory Dump Source

Source File: 00000000.00000002.704615943.0000000000AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000000.00000002.704561834.0000000000AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.704801424.0000000000AD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.704853752.0000000000AD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.705229402.0000000000B24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ac0000_powershell.jbxd

Similarity

API ID: HandleModule__p__commode__p__fmode__set_app_type__setusermatherr
String ID:
API String ID: 1632413811-0
Opcode ID: 8f64552c4e62e4bc617ad05f59a8022da016609af291a5c61868bda8261201a0
Instruction ID: d80e9808d14fd9906bb0fcf2cdd7ce5f1210be93d732b23bb0d1226d21b851ee
Opcode Fuzzy Hash: 8f64552c4e62e4bc617ad05f59a8022da016609af291a5c61868bda8261201a0
Instruction Fuzzy Hash: 02F0D4B8512305EBC718EBB0AA0AB143BA5AB54322B15874EF523862F1DB368042CB20

Uniqueness

Uniqueness Score: -1.00%

Function 00ACDE50 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 161
COMMON

Download Yara Rule

C-Code - Quality: 47%

			E00ACDE50(void* __ebx, intOrPtr __ecx, signed int* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t51;
				intOrPtr* _t59;
				intOrPtr* _t62;
				intOrPtr* _t66;
				intOrPtr* _t70;
				intOrPtr* _t73;
				intOrPtr* _t77;
				intOrPtr _t84;
				intOrPtr _t85;
				intOrPtr _t96;
				intOrPtr* _t103;
				intOrPtr* _t122;
				intOrPtr* _t125;
				void* _t126;

				_push(0x24);
				E00ACB3EF(E00ACCA63, __ebx, __edi, __esi);
				 *(_t126 - 0x30) = __edx;
				_t84 = __ecx;
				 *((intOrPtr*)(_t126 - 0x24)) = __ecx;
				 *((char*)(_t126 - 0xd)) = 1;
				 *((intOrPtr*)(_t126 - 4)) = 0;
				 *((intOrPtr*)(_t126 - 0x1c)) = 0;
				 *((intOrPtr*)(_t126 - 0x14)) = 0;
				 *((intOrPtr*)(_t126 - 0x18)) = 0;
				 *((char*)(_t126 - 4)) = 3;
				if(E00ACA390(__ecx) != 0 ||  *((intOrPtr*)(_t126 + 8)) == 0) {
					L31:
					_t85 = 0;
					goto L21;
				} else {
					_t133 = __edx;
					if(__edx == 0) {
						goto L31;
					}
					_push(L"/PSConsoleFile");
					E00ACAA37(_t84, _t126 - 0x28, __edi, __esi, _t133);
					 *((char*)(_t126 - 4)) = 4;
					_t125 =  *((intOrPtr*)(_t126 - 0x28));
					if(_t125 == 0) {
						_t96 = 0;
						__eflags = 0;
					} else {
						_t96 =  *_t125;
					}
					_t59 =  *((intOrPtr*)(_t126 + 8));
					 *0xad2204(_t59, _t96, _t126 - 0x1c);
					if( *((intOrPtr*)( *((intOrPtr*)( *_t59 + 0x94))))() < 0) {
						L27:
						_push(_t84);
						_push(0x22);
						goto L28;
					} else {
						_t66 =  *((intOrPtr*)(_t126 - 0x1c));
						if(_t66 == 0) {
							goto L27;
						}
						_t121 =  *((intOrPtr*)( *_t66 + 0x44));
						 *0xad2204(_t66, _t126 - 0x14);
						if( *((intOrPtr*)( *((intOrPtr*)( *_t66 + 0x44))))() < 0) {
							L26:
							_push(_t84);
							_push(0xf);
							L28:
							_t62 =  *0xad1704; // 0x3463d68
							 *0xad2204(_t62, 0);
							 *((intOrPtr*)( *_t62 + 4))();
							_t85 = 0;
							__eflags = 0;
							L29:
							__eflags = _t125;
							if(_t125 != 0) {
								E00ACE378(_t125);
							}
							L21:
							E00ACAA7D(_t126 - 0x18);
							 *((char*)(_t126 - 4)) = 6;
							_t51 =  *((intOrPtr*)(_t126 - 0x14));
							if(_t51 != 0) {
								 *0xad2204(_t51);
								 *((intOrPtr*)( *((intOrPtr*)( *_t51 + 8))))();
							}
							E00ACAA7D(_t126 - 0x1c);
							E00ACAA7D(_t126 + 8);
							return E00ACB3CC(_t85);
						}
						_t138 =  *((intOrPtr*)(_t126 - 0x14));
						if( *((intOrPtr*)(_t126 - 0x14)) == 0) {
							goto L26;
						}
						_push(L"ConsoleSchemaVersion");
						E00ACAA37(_t84, _t126 - 0x2c, _t121, _t125, _t138);
						 *((char*)(_t126 - 4)) = 5;
						_t122 =  *((intOrPtr*)(_t126 - 0x2c));
						if(_t122 == 0) {
							_t103 = 0;
							__eflags = 0;
						} else {
							_t103 =  *_t122;
						}
						_t70 =  *((intOrPtr*)(_t126 - 0x14));
						 *0xad2204(_t70, _t103, _t126 - 0x18);
						if( *((intOrPtr*)( *_t70 + 0x1c))() < 0) {
							L24:
							_t73 =  *0xad1704; // 0x3463d68
							 *0xad2204(_t73, 0, 0xf,  *((intOrPtr*)(_t126 - 0x24)));
							 *((intOrPtr*)( *_t73 + 4))();
							_t85 = 0;
							__eflags = _t122;
							if(_t122 != 0) {
								E00ACE378(_t122);
							}
							goto L29;
						} else {
							_t77 =  *((intOrPtr*)(_t126 - 0x18));
							if(_t77 == 0) {
								goto L24;
							}
							 *(_t126 - 0x20) =  *(_t126 - 0x20) & 0x00000000;
							 *0xad2204(_t77, _t126 - 0x20);
							if( *((intOrPtr*)( *((intOrPtr*)( *_t77 + 0x68))))() < 0) {
								goto L24;
							}
							 *( *(_t126 - 0x30)) =  *(_t126 - 0x20);
							if(_t122 != 0) {
								E00ACE378(_t122);
							}
							if(_t125 != 0) {
								E00ACE378(_t125);
							}
							_t85 =  *((intOrPtr*)(_t126 - 0xd));
							goto L21;
						}
					}
				}
			}

0x00acde50
0x00acde57
0x00acde5c
0x00acde5f
0x00acde61
0x00acde66
0x00acde6a
0x00acde6d
0x00acde70
0x00acde73
0x00acde77
0x00acde82
0x00ace02e
0x00ace02e
0x00000000
0x00acde92
0x00acde92
0x00acde94
0x00000000
0x00000000
0x00acde9a
0x00acdea2
0x00acdea7
0x00acdeab
0x00acdeb0
0x00acdeb6
0x00acdeb6
0x00acdeb2
0x00acdeb2
0x00acdeb2
0x00acdeb8
0x00acdecb
0x00acded5
0x00acdffc
0x00acdffc
0x00acdffd
0x00000000
0x00acdedb
0x00acdedb
0x00acdee0
0x00000000
0x00000000
0x00acdeed
0x00acdef2
0x00acdefc
0x00acdff7
0x00acdff7
0x00acdff8
0x00acdfff
0x00acdfff
0x00ace00c
0x00ace012
0x00ace018
0x00ace018
0x00ace01a
0x00ace01a
0x00ace01c
0x00ace024
0x00ace024
0x00acdf8d
0x00acdf90
0x00acdf95
0x00acdf99
0x00acdf9e
0x00acdfa8
0x00acdfae
0x00acdfae
0x00acdfb3
0x00acdfbb
0x00acdfc7
0x00acdfc7
0x00acdf02
0x00acdf06
0x00000000
0x00000000
0x00acdf0c
0x00acdf14
0x00acdf19
0x00acdf1d
0x00acdf22
0x00acdf28
0x00acdf28
0x00acdf24
0x00acdf24
0x00acdf24
0x00acdf2a
0x00acdf38
0x00acdf43
0x00acdfca
0x00acdfca
0x00acdfdc
0x00acdfe2
0x00acdfe8
0x00acdfea
0x00acdfec
0x00acdff0
0x00acdff0
0x00000000
0x00acdf49
0x00acdf49
0x00acdf4e
0x00000000
0x00000000
0x00acdf50
0x00acdf60
0x00acdf6a
0x00000000
0x00000000
0x00acdf72
0x00acdf76
0x00acdf7a
0x00acdf7a
0x00acdf81
0x00acdf85
0x00acdf85
0x00acdf8a
0x00000000
0x00acdf8a
0x00acdf43
0x00acded5

APIs

__EH_prolog3.LIBCMT ref: 00ACDE57

Part of subcall function 00ACAA37: __EH_prolog3.LIBCMT ref: 00ACAA3E

Strings

ConsoleSchemaVersion, xrefs: 00ACDF0C
/PSConsoleFile, xrefs: 00ACDE9A

Memory Dump Source

Source File: 00000000.00000002.704615943.0000000000AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000000.00000002.704561834.0000000000AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.704801424.0000000000AD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.704853752.0000000000AD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.705229402.0000000000B24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ac0000_powershell.jbxd

Similarity

API ID: H_prolog3
String ID: /PSConsoleFile$ConsoleSchemaVersion
API String ID: 431132790-2413366295
Opcode ID: 9c5b3a49b0cb3ceebb116c46f5d8600769f3c8f8dd214d142dcb10b9c1696c4f
Instruction ID: 20ec2fd88c7a7740874db58db172f7ae7d71301a16c78c2d0d71a36df97e75fe
Opcode Fuzzy Hash: 9c5b3a49b0cb3ceebb116c46f5d8600769f3c8f8dd214d142dcb10b9c1696c4f
Instruction Fuzzy Hash: A7518130A00206DFDB14DFA8CA95FBEB7B5BF94704F16402CE506AB251DB70AD02CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00ACC2B0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E00ACC2B0(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t30;
				intOrPtr* _t67;
				void* _t72;
				void* _t73;

				_t73 = __eflags;
				E00ACB422(E00ACCBAF, __ebx, __edi, __esi);
				_t67 = __ecx;
				_t46 =  *((intOrPtr*)(_t72 + 8));
				_t44 =  *((intOrPtr*)(_t72 + 0xc));
				 *((intOrPtr*)(_t72 - 0x2c)) =  *((intOrPtr*)(_t72 + 8));
				 *((intOrPtr*)(_t72 - 0x30)) =  *((intOrPtr*)(_t72 + 0x10));
				E00ACC0D0(_t72 - 0x28, _t46);
				 *(_t72 - 4) =  *(_t72 - 4) & 0x00000000;
				E00ACC641(_t44, _t72 - 0x28, _t67, _t73, _t44);
				_t69 = L".ni.dll";
				E00ACC641(_t44, _t72 - 0x28, _t67, _t73, _t69);
				_t70 =  *((intOrPtr*)( *_t67));
				 *0xad2204(_t72 - 0x28, E00ACFABE(L".ni.dll"), E00ACFABE( *((intOrPtr*)(_t72 + 0xc))), 0x24);
				_t30 =  *((intOrPtr*)( *((intOrPtr*)( *_t67))))();
				_t74 = _t30;
				if(_t30 != 0) {
					L2:
					E00ACC1D5( *((intOrPtr*)(_t72 - 0x30)), _t72 - 0x28);
				} else {
					E00ACC742(_t72 - 0x28,  *((intOrPtr*)(_t72 - 0x2c)));
					E00ACC641(_t44, _t72 - 0x28, _t67, _t74, _t44);
					_t71 = L".dll";
					E00ACC641(_t44, _t72 - 0x28, _t67, _t74, _t71);
					_t70 =  *((intOrPtr*)( *_t67));
					 *0xad2204(_t72 - 0x28, E00ACFABE(L".dll"), E00ACFABE(_t44));
					if( *((intOrPtr*)( *((intOrPtr*)( *_t67))))() != 0) {
						goto L2;
					}
				}
				E00ACC578(_t44, _t72 - 0x28, 1, 0);
				return E00ACB3E0(_t44, _t67, _t70);
			}

0x00acc2b0
0x00acc2b7
0x00acc2bc
0x00acc2be
0x00acc2c4
0x00acc2c7
0x00acc2ce
0x00acc2d1
0x00acc2d6
0x00acc2e6
0x00acc2eb
0x00acc2fc
0x00acc307
0x00acc30b
0x00acc313
0x00acc315
0x00acc317
0x00acc363
0x00acc36a
0x00acc319
0x00acc31f
0x00acc330
0x00acc335
0x00acc346
0x00acc351
0x00acc355
0x00acc361
0x00000000
0x00000000
0x00acc361
0x00acc376
0x00acc380

APIs

__EH_prolog3_GS.LIBCMT ref: 00ACC2B7

Strings

.dll, xrefs: 00ACC335, 00ACC342
.ni.dll, xrefs: 00ACC2EB, 00ACC2F8

Memory Dump Source

Source File: 00000000.00000002.704615943.0000000000AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000000.00000002.704561834.0000000000AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.704801424.0000000000AD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.704853752.0000000000AD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.705229402.0000000000B24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ac0000_powershell.jbxd

Similarity

API ID: H_prolog3_
String ID: .dll$.ni.dll
API String ID: 2427045233-3712571951
Opcode ID: bb76e48c8a4029e1e9a6f43dc7e7a3f92f52d90e16547f50dfc8c5812a43641b
Instruction ID: 11787655317e002b0b4359ba891ce20aaa6be9ef7ea1d8295de1fd4eeee1e0e8
Opcode Fuzzy Hash: bb76e48c8a4029e1e9a6f43dc7e7a3f92f52d90e16547f50dfc8c5812a43641b
Instruction Fuzzy Hash: 3F211A76A001189BCF08EBA4DAA1FEDB77AAF58720F06101DF8067B291DF305D05CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00ACD70D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00ACD70D(wchar_t* __ecx) {
				intOrPtr* _t4;
				short* _t8;
				int _t9;
				int _t10;
				wchar_t* _t16;
				void* _t17;

				_t16 = __ecx;
				if(E00ACA390(__ecx) != 0) {
					L4:
					_t4 =  *0xad1704; // 0x3463d68
					_t10 = 0;
					 *0xad2204(_t4, 0, 0x1a, _t16, _t17);
					 *((intOrPtr*)( *_t4 + 4))();
				} else {
					_t8 = wcsrchr(_t16, 0x2e);
					if(_t8 == 0) {
						goto L4;
					} else {
						_t10 = 1;
						_t9 = CompareStringW(0x7f, 1, _t8, 0xffffffff, L".psc1", 5);
						if(_t9 == 0 || _t9 != 2) {
							goto L4;
						}
					}
				}
				return _t10;
			}

0x00acd711
0x00acd71b
0x00acd74b
0x00acd74b
0x00acd750
0x00acd75d
0x00acd763
0x00acd71d
0x00acd720
0x00acd72a
0x00000000
0x00acd72c
0x00acd738
0x00acd73c
0x00acd744
0x00000000
0x00000000
0x00acd744
0x00acd72a
0x00acd76e

APIs

wcsrchr.MSVCRT ref: 00ACD720
CompareStringW.KERNEL32(0000007F,00000001,00000000,000000FF,.psc1,00000005), ref: 00ACD73C

Strings

.psc1, xrefs: 00ACD72E

Memory Dump Source

Source File: 00000000.00000002.704615943.0000000000AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000000.00000002.704561834.0000000000AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.704801424.0000000000AD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.704853752.0000000000AD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.705229402.0000000000B24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ac0000_powershell.jbxd

Similarity

API ID: CompareStringwcsrchr
String ID: .psc1
API String ID: 732174003-2589272243
Opcode ID: 4262c0d5b1858cde12afae4825a2005dd07a9f45b071e3dcde332deafd0e98a0
Instruction ID: 4d1be8f4c03b6434804111955a95cde2a10f3abba689f6fec2137691908a9a9e
Opcode Fuzzy Hash: 4262c0d5b1858cde12afae4825a2005dd07a9f45b071e3dcde332deafd0e98a0
Instruction Fuzzy Hash: 9AF0F0312402007FE6208B949D9EF773B6CCBD3B65B02442EF122D70E0DAA09C02CA20

Uniqueness

Uniqueness Score: -1.00%

Function 00ACDB60 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40
windowCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E00ACDB60(void* __ecx, void* __esi, intOrPtr _a8, long _a12, char _a16) {
				short _v8;
				char* _v12;
				void* _t11;
				long _t12;

				_v12 =  &_a16;
				_t11 =  *0xad1928; // 0x0
				_v8 = 0;
				_t25 = _t11;
				if(_t11 == 0) {
					_push(0);
					_t11 = E00ACECCC(_t25, 8);
					 *0xad1928 = _t11;
				}
				_t12 = FormatMessageW(0x900, _t11, _a12, 0,  &_v8, 0,  &_v12);
				if(_t12 != 0) {
					E00ACE5AC(_a8, _v8, _t12);
					return LocalFree(_v8);
				}
				return _t12;
			}

0x00acdb6d
0x00acdb70
0x00acdb75
0x00acdb78
0x00acdb7a
0x00acdb7c
0x00acdb85
0x00acdb8a
0x00acdb8a
0x00acdba2
0x00acdbab
0x00acdbb4
0x00000000
0x00acdbbc
0x00acdbc3

APIs

FormatMessageW.KERNEL32(00000900,00000000,?,00000000,?,00000000,?), ref: 00ACDBA2
LocalFree.KERNEL32(?,00000000), ref: 00ACDBBC

Part of subcall function 00ACECCC: LoadLibraryExW.KERNEL32(powershell.exe,00000000,00000000,?,00000000), ref: 00ACED05
Part of subcall function 00ACECCC: SearchPathW.KERNEL32(00000000,powershell.exe,00000000,00000104,?,?,?,00000000), ref: 00ACED3C
Part of subcall function 00ACECCC: FindResourceExW.KERNEL32(00000000,MUI,00000001,00000000,?,00000000), ref: 00ACED78
Part of subcall function 00ACECCC: GetUserDefaultUILanguage.KERNEL32(?,00000000), ref: 00ACED93

Strings

powershell.exe, xrefs: 00ACDB80

Memory Dump Source

Source File: 00000000.00000002.704615943.0000000000AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000000.00000002.704561834.0000000000AC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.704801424.0000000000AD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.704853752.0000000000AD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.705229402.0000000000B24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ac0000_powershell.jbxd

Similarity

API ID: DefaultFindFormatFreeLanguageLibraryLoadLocalMessagePathResourceSearchUser
String ID: powershell.exe
API String ID: 440610979-1966016403
Opcode ID: 3dd075ae0a31c293f03c43ca359fb77aa080aa0f2700d783e97866d45789b649
Instruction ID: c8b06188a54d09f5f16bcebfba3db5858379d46859f423c21aacb50470787858
Opcode Fuzzy Hash: 3dd075ae0a31c293f03c43ca359fb77aa080aa0f2700d783e97866d45789b649
Instruction Fuzzy Hash: 80F03772602219BBDB10DFD5DD19FEF7BADFB48750F11415AF902A2150EA709E01CBA0

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used or give context to information collected by a keylogger.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report powershell.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sqblenui.nu5.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vyke4on2.1v5.ps1

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: powershell.exePID: 6928, Parent PID: 3464

General

Chronological Activities

Analysis Process: conhost.exePID: 6936, Parent PID: 6928

General

Windows Analysis Report
powershell.exe

Function 00ACD283 Relevance: 49.4, APIs: 17, Strings: 11, Instructions: 393
comregistryCOMMON

Function 00AC96A0 Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 395
registryCOMMONCrypto

Function 00ACA0E0 Relevance: 15.3, APIs: 10, Instructions: 256
registrywindowCOMMONCrypto

Function 00ACB4F0 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Function 07C394D8 Relevance: .7, Instructions: 717
COMMON

Function 00AC90E0 Relevance: 47.7, APIs: 20, Strings: 7, Instructions: 444
registrythreadCOMMON

Function 00AC9B00 Relevance: 40.7, APIs: 18, Strings: 5, Instructions: 489
registrywindowCOMMON

Function 00ACADA3 Relevance: 10.6, APIs: 7, Instructions: 105
sleepCOMMON

Function 00ACE3BE Relevance: 9.1, APIs: 6, Instructions: 53
COMMON

Function 00ACD7FE Relevance: 6.1, APIs: 4, Instructions: 58
comCOMMON

Function 00ACAD70 Relevance: 1.5, APIs: 1, Instructions: 11
COMMON

Function 07C37E56 Relevance: .4, Instructions: 378
COMMON

Function 07C38580 Relevance: .2, Instructions: 247
COMMON

Function 07C37ACE Relevance: .2, Instructions: 234
COMMON

Function 07C36188 Relevance: .2, Instructions: 195
COMMON

Function 00ACA3B0 Relevance: 13.7, APIs: 9, Instructions: 191
windowCOMMON

Function 00ACD76F Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43
fileCOMMON

Function 00ACB715 Relevance: 7.6, APIs: 5, Instructions: 50
timethreadCOMMON

Function 00ACB17C Relevance: 6.0, APIs: 4, Instructions: 13
COMMONLIBRARYCODE

Function 00ACEB31 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17
COMMON

Function 00ACE80D Relevance: 4.6, APIs: 3, Instructions: 83
COMMON

Function 00ACE702 Relevance: 3.0, APIs: 2, Instructions: 34
COMMON

Function 00ACECCC Relevance: 21.3, APIs: 9, Strings: 3, Instructions: 273
libraryCOMMON

Function 00ACE035 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 286
comCOMMON

Function 00ACE75F Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 59
registryCOMMON

Function 00ACEAAE Relevance: 9.1, APIs: 6, Instructions: 62
filelibraryCOMMON

Function 00ACF994 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 94
COMMON

Function 00ACDBC4 Relevance: 7.6, APIs: 5, Instructions: 134
fileCOMMON

Function 00ACA830 Relevance: 7.6, APIs: 5, Instructions: 55
COMMON