Windows Analysis Report
R4WCgDAfHB.exe

Overview

General Information

Sample name: R4WCgDAfHB.exe
renamed because original name is a hash value
Original sample name: 8595a9cecbac3bd363c30c7ab2bec849.exe
Analysis ID: 1532151
MD5: 8595a9cecbac3bd363c30c7ab2bec849
SHA1: 5a154a7472cc4afa18f414a3edf8f3ff7a2a51e2
SHA256: df2b80bb68e829de13051a9781e096b095a90b676ab1f974284bad8609775040
Tags: exeuser-abuse_ch
Infos:

Detection

Xmrig
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Xmrig cryptocurrency miner
AI detected suspicious sample
Connects to many different private IPs (likely to spread or exploit)
Connects to many different private IPs via SMB (likely to spread or exploit)
Deletes itself after installation
Drops HTML or HTM files to system directories
Drops executables to the windows directory (C:\Windows) and starts them
Found strings related to Crypto-Mining
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the windows firewall
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Suspicious Epmap Connection
Uses dynamic DNS services
Uses netsh to modify the Windows network and firewall settings
Abnormal high CPU Usage
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapater information
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
xmrig According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling".In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: R4WCgDAfHB.exe Avira: detected
Antivirus detection for dropped file
Source: C:\Program Files (x86)\Microsoft Network\HelpSystem.exe Avira: detection malicious, Label: TR/Agent.fvzxi
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Avira: detection malicious, Label: TR/CoinMiner.ivyoo
Multi AV Scanner detection for domain / URL
Source: contr.netmows.com Virustotal: Detection: 5% Perma Link
Source: http://appbols.vivoios.com:8587/smb.exe Virustotal: Detection: 8% Perma Link
Multi AV Scanner detection for submitted file
Source: R4WCgDAfHB.exe ReversingLabs: Detection: 81%
Source: R4WCgDAfHB.exe Virustotal: Detection: 79% Perma Link
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Program Files (x86)\Microsoft Network\HelpSystem.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: R4WCgDAfHB.exe Joe Sandbox ML: detected

Exploits
barindex
Connects to many different private IPs (likely to spread or exploit)
Source: global traffic TCP traffic: 192.168.0.2:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.1:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.4:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.3:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.0:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.14:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.9:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.15:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.16:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.17:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.6:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.18:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.5:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.19:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.8:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.7:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.20:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.21:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.22:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.23:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.24:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.94:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.95:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.96:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.97:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.10:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.98:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.127:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.11:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.99:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.126:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.12:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.13:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.123:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.122:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.125:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.124:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.90:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.91:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.92:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.121:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.93:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.120:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.83:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.84:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.85:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.86:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.87:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.88:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.89:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.80:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.81:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.82:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.69:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.72:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.73:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.74:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.75:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.76:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.77:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.78:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.79:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.70:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.71:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.58:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.59:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.61:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.62:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.63:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.64:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.65:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.66:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.67:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.68:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.60:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.47:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.48:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.49:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.50:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.51:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.52:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.53:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.54:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.55:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.56:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.57:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.36:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.37:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.38:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.39:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.40:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.119:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.41:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.42:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.43:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.116:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.44:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.115:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.45:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.118:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.46:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.117:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.112:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.111:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.114:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.113:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.110:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.25:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.26:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.27:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.28:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.29:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.109:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.108:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.30:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.31:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.32:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.105:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.33:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.104:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.34:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.107:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.35:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.106:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.101:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.100:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.103:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.102:445 Jump to behavior
Connects to many different private IPs via SMB (likely to spread or exploit)
Source: global traffic TCP traffic: 192.168.0.2:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.1:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.4:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.3:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.0:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.14:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.9:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.15:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.16:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.17:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.6:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.18:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.5:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.19:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.8:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.7:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.20:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.21:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.22:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.23:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.24:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.94:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.95:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.96:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.97:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.10:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.98:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.127:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.11:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.99:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.126:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.12:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.13:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.123:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.122:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.125:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.124:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.90:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.91:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.92:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.121:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.93:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.120:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.83:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.84:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.85:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.86:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.87:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.88:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.89:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.80:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.81:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.82:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.69:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.72:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.73:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.74:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.75:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.76:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.77:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.78:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.79:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.70:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.71:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.58:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.59:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.61:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.62:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.63:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.64:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.65:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.66:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.67:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.68:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.60:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.47:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.48:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.49:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.50:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.51:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.52:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.53:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.54:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.55:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.56:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.57:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.36:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.37:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.38:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.39:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.40:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.119:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.41:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.42:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.43:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.116:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.44:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.115:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.45:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.118:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.46:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.117:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.112:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.111:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.114:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.113:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.110:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.25:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.26:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.27:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.28:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.29:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.109:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.108:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.30:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.31:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.32:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.105:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.33:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.104:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.34:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.107:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.35:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.106:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.101:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.100:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.103:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.0.102:445 Jump to behavior

Bitcoin Miner
barindex
Yara detected Xmrig cryptocurrency miner
Source: Yara match File source: 2.3.NvwmiShell.exe.217731f.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.Network64.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Network64.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.4141872839.00000000009EA000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2738458849.000000000275E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.2804854911.00000000009EA000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: NvwmiShell.exe PID: 7380, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Network64.exe PID: 2996, type: MEMORYSTR
Found strings related to Crypto-Mining
Source: NvwmiShell.exe, 00000002.00000003.2738458849.000000000275E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: stratum+ssl://
Source: NvwmiShell.exe, 00000002.00000003.2738458849.000000000275E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: cryptonight/0
Source: NvwmiShell.exe, 00000002.00000003.2738458849.000000000275E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: stratum+tcp://
Uses 32bit PE files
Source: R4WCgDAfHB.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: R4WCgDAfHB.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: NvwmiShell.exe, 00000002.00000003.2738458849.000000000275E000.00000004.00000020.00020000.00000000.sdmp, WinRing0x64.sys.2.dr

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2830483 - Severity 1 - ETPRO MALWARE Observed Malicious User-Agent (WinInetGet/) : 192.168.2.4:50024 -> 114.215.199.192:80
Uses dynamic DNS services
Source: unknown DNS query: name: ddns.oray.com
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49746 -> 45.137.222.18:8686
Source: global traffic TCP traffic: 192.168.2.4:50036 -> 141.255.164.11:5582
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Code function: 1_3_10004960 select,__WSAFDIsSet,recv, 1_3_10004960
Source: global traffic HTTP traffic detected: GET /checkip HTTP/1.1User-Agent: WinInetGet/0.1Host: ddns.oray.comCache-Control: no-cache
Source: global traffic DNS traffic detected: DNS query: contr.netmows.com
Source: global traffic DNS traffic detected: DNS query: ddns.oray.com
Source: global traffic DNS traffic detected: DNS query: pool.autocoreb.com
Source: HelpSystem.exe, HelpSystem.exe, 0000000A.00000002.4143694144.0000000010013000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://appbols.vivoios.com:8587/smb.exe
Source: HelpSystem.exe, 0000000A.00000002.4143694144.0000000010013000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://appbols.vivoios.com:8587/smb.exeX
Source: R4WCgDAfHB.exe, NvwmiShell.exe.0.dr String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingg2.crl0T
Source: NvwmiShell.exe, 00000002.00000003.2781877794.0000000004970000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesi
Source: NvwmiShell.exe, 00000002.00000003.2738458849.000000000275E000.00000004.00000020.00020000.00000000.sdmp, NvwmiShell.exe, 00000002.00000003.2781877794.0000000003F70000.00000004.00000020.00020000.00000000.sdmp, NvwmiShell.exe, 00000002.00000003.2781877794.0000000004970000.00000004.00000020.00020000.00000000.sdmp, NvwmiShell.exe, 00000002.00000003.2781877794.0000000005D70000.00000004.00000020.00020000.00000000.sdmp, NvwmiShell.exe, 00000002.00000003.2781877794.0000000005370000.00000004.00000020.00020000.00000000.sdmp, HelpSystem.exe.2.dr String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: NvwmiShell.exe, 00000002.00000003.2738458849.000000000275E000.00000004.00000020.00020000.00000000.sdmp, WinRing0x64.sys.2.dr String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: NvwmiShell.exe, 00000002.00000003.2738458849.000000000275E000.00000004.00000020.00020000.00000000.sdmp, WinRing0x64.sys.2.dr String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: NvwmiShell.exe, 00000002.00000003.2738458849.000000000275E000.00000004.00000020.00020000.00000000.sdmp, WinRing0x64.sys.2.dr String found in binary or memory: http://crl.globalsign.net/RootSignPartners.crl0
Source: NvwmiShell.exe, 00000002.00000003.2738458849.000000000275E000.00000004.00000020.00020000.00000000.sdmp, WinRing0x64.sys.2.dr String found in binary or memory: http://crl.globalsign.net/primobject.crl0
Source: R4WCgDAfHB.exe, NvwmiShell.exe.0.dr String found in binary or memory: http://crl.globalsign.net/root.crl0
Source: HelpSystem.exe, 0000000A.00000002.4141453934.000000000069A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddns.oray.com/checkip
Source: HelpSystem.exe, 0000000A.00000002.4143694144.0000000010001000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://ddns.oray.com/checkip(
Source: HelpSystem.exe, 0000000A.00000002.4141453934.000000000069A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddns.oray.com/checkip7
Source: HelpSystem.exe, 0000000A.00000002.4141453934.00000000006E2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddns.oray.com/checkipSystem32
Source: HelpSystem.exe, 0000000A.00000002.4141453934.000000000069A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddns.oray.com/checkipl
Source: NvwmiShell.exe, 00000002.00000003.2781877794.0000000003F70000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.global
Source: NvwmiShell.exe, 00000002.00000003.2738458849.000000000275E000.00000004.00000020.00020000.00000000.sdmp, NvwmiShell.exe, 00000002.00000003.2781877794.0000000003F70000.00000004.00000020.00020000.00000000.sdmp, NvwmiShell.exe, 00000002.00000003.2781877794.0000000004970000.00000004.00000020.00020000.00000000.sdmp, NvwmiShell.exe, 00000002.00000003.2781877794.0000000005D70000.00000004.00000020.00020000.00000000.sdmp, NvwmiShell.exe, 00000002.00000003.2781877794.0000000005370000.00000004.00000020.00020000.00000000.sdmp, HelpSystem.exe.2.dr String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: R4WCgDAfHB.exe, NvwmiShell.exe.0.dr String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: R4WCgDAfHB.exe, NvwmiShell.exe.0.dr String found in binary or memory: http://s.symcd.com06
Source: R4WCgDAfHB.exe, NvwmiShell.exe.0.dr String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: R4WCgDAfHB.exe, NvwmiShell.exe.0.dr String found in binary or memory: http://s2.symcb.com0
Source: NvwmiShell.exe, 00000002.00000003.2738458849.000000000275E000.00000004.00000020.00020000.00000000.sdmp, NvwmiShell.exe, 00000002.00000003.2781877794.0000000003F70000.00000004.00000020.00020000.00000000.sdmp, NvwmiShell.exe, 00000002.00000003.2781877794.0000000004970000.00000004.00000020.00020000.00000000.sdmp, NvwmiShell.exe, 00000002.00000003.2781877794.0000000005D70000.00000004.00000020.00020000.00000000.sdmp, NvwmiShell.exe, 00000002.00000003.2781877794.0000000005370000.00000004.00000020.00020000.00000000.sdmp, HelpSystem.exe.2.dr String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: R4WCgDAfHB.exe, NvwmiShell.exe.0.dr String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingg2.crt0
Source: R4WCgDAfHB.exe, NvwmiShell.exe.0.dr String found in binary or memory: http://sf.symcb.com/sf.crl0f
Source: R4WCgDAfHB.exe, NvwmiShell.exe.0.dr String found in binary or memory: http://sf.symcb.com/sf.crt0
Source: R4WCgDAfHB.exe, NvwmiShell.exe.0.dr String found in binary or memory: http://sf.symcd.com0&
Source: R4WCgDAfHB.exe, NvwmiShell.exe.0.dr String found in binary or memory: http://sv.symcb.com/sv.crl0f
Source: R4WCgDAfHB.exe, NvwmiShell.exe.0.dr String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: R4WCgDAfHB.exe, NvwmiShell.exe.0.dr String found in binary or memory: http://sv.symcd.com0&
Source: R4WCgDAfHB.exe, NvwmiShell.exe.0.dr String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: R4WCgDAfHB.exe, NvwmiShell.exe.0.dr String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: R4WCgDAfHB.exe, NvwmiShell.exe.0.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: R4WCgDAfHB.exe, NvwmiShell.exe.0.dr String found in binary or memory: http://www.360.cn
Source: R4WCgDAfHB.exe, NvwmiShell.exe.0.dr String found in binary or memory: http://www.symauth.com/cps0(
Source: R4WCgDAfHB.exe, NvwmiShell.exe.0.dr String found in binary or memory: http://www.symauth.com/rpa00
Source: R4WCgDAfHB.exe, NvwmiShell.exe.0.dr String found in binary or memory: https://d.symcb.com/cps0%
Source: NvwmiShell.exe.0.dr String found in binary or memory: https://d.symcb.com/rpa0
Source: R4WCgDAfHB.exe, NvwmiShell.exe.0.dr String found in binary or memory: https://d.symcb.com/rpa0.
Source: R4WCgDAfHB.exe, HelpSystem.exe.2.dr, NvwmiShell.exe.0.dr String found in binary or memory: https://www.globalsign.com/repository/0
Source: R4WCgDAfHB.exe, NvwmiShell.exe.0.dr String found in binary or memory: https://www.globalsign.com/repository/03
Potential key logger detected (key state polling based)
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Code function: 1_2_008891F1 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 1_2_008891F1

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 10.2.HelpSystem.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Samples related to APT17 activity - file FXSST.DLL Author: Florian Roth
Source: 2.3.NvwmiShell.exe.217731f.0.unpack, type: UNPACKEDPE Matched rule: Detects coinmining malware Author: ditekSHen
Source: 12.0.Network64.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Linux_Trojan_Pornoasset_927f314f Author: unknown
Source: 12.0.Network64.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects coinmining malware Author: ditekSHen
Source: 12.2.Network64.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Linux_Trojan_Pornoasset_927f314f Author: unknown
Source: 12.2.Network64.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects coinmining malware Author: ditekSHen
Source: 2.3.NvwmiShell.exe.217731f.0.raw.unpack, type: UNPACKEDPE Matched rule: Linux_Trojan_Pornoasset_927f314f Author: unknown
Source: 2.3.NvwmiShell.exe.21630df.3.raw.unpack, type: UNPACKEDPE Matched rule: Linux_Trojan_Pornoasset_927f314f Author: unknown
Source: 0000000C.00000001.2805127434.0000000000401000.00000020.00000001.01000000.00000009.sdmp, type: MEMORY Matched rule: Linux_Trojan_Pornoasset_927f314f Author: unknown
Source: 0000000C.00000002.4141120724.0000000000401000.00000020.00000001.01000000.00000009.sdmp, type: MEMORY Matched rule: Linux_Trojan_Pornoasset_927f314f Author: unknown
Source: 0000000C.00000000.2804283551.0000000000401000.00000020.00000001.01000000.00000009.sdmp, type: MEMORY Matched rule: Linux_Trojan_Pornoasset_927f314f Author: unknown
Source: 00000002.00000003.2738458849.0000000002163000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Linux_Trojan_Pornoasset_927f314f Author: unknown
Abnormal high CPU Usage
Source: C:\Program Files (x86)\Microsoft Network\Network64.exe Process Stats: CPU usage > 49%
Creates driver files
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe File created: C:\Program Files (x86)\Microsoft Network\WinRing0x64.sys Jump to behavior
Creates files inside the system directory
Source: C:\Users\user\Desktop\R4WCgDAfHB.exe File created: C:\Windows\SystemNvwmiShell Jump to behavior
Source: C:\Users\user\Desktop\R4WCgDAfHB.exe File created: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe File created: C:\Windows\SystemNvwmiShell\NvwmiShell.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Caches Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\PeerDistRepub Jump to behavior
Source: C:\Program Files (x86)\Microsoft Network\HelpSystem.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\checkip[1].htm Jump to behavior
Deletes files inside the Windows folder
Source: C:\Program Files (x86)\Microsoft Network\HelpSystem.exe File deleted: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\checkip[1].htm Jump to behavior
Detected potential crypto function
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Code function: 1_3_1000ED13 1_3_1000ED13
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Code function: 1_3_10007245 1_3_10007245
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Code function: 1_3_1000F257 1_3_1000F257
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Code function: 1_3_1001065D 1_3_1001065D
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Code function: 1_3_10002B00 1_3_10002B00
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Code function: 1_3_1000AF8B 1_3_1000AF8B
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Code function: 1_3_1000F79B 1_3_1000F79B
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Code function: 1_2_008908D8 1_2_008908D8
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Code function: 1_2_008900F8 1_2_008900F8
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Code function: 1_2_0089C283 1_2_0089C283
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Code function: 1_2_0088AA49 1_2_0088AA49
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Code function: 1_2_0089E3F1 1_2_0089E3F1
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Code function: 1_2_008904CC 1_2_008904CC
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Code function: 1_2_00890CF8 1_2_00890CF8
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Code function: 1_2_0089D403 1_2_0089D403
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Code function: 1_2_0088FC23 1_2_0088FC23
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Code function: 1_2_0089CD0B 1_2_0089CD0B
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Code function: 1_2_0089C7C7 1_2_0089C7C7
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Code function: 1_2_00892769 1_2_00892769
Source: C:\Program Files (x86)\Microsoft Network\HelpSystem.exe Code function: 10_2_00402D3A 10_2_00402D3A
Source: C:\Program Files (x86)\Microsoft Network\HelpSystem.exe Code function: 10_2_10006BB9 10_2_10006BB9
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Program Files (x86)\Microsoft Network\WinRing0x64.sys 11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
Found potential string decryption / allocating functions
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Code function: String function: 0088F10F appears 66 times
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Code function: String function: 008912C0 appears 44 times
Source: C:\Program Files (x86)\Microsoft Network\HelpSystem.exe Code function: String function: 10007180 appears 31 times
PE / OLE file has an invalid certificate
Source: R4WCgDAfHB.exe Static PE information: invalid certificate
Sample file is different than original file name gathered from version info
Source: R4WCgDAfHB.exe, 00000000.00000000.1682546809.00000000003EC000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameNvwmi64.exeH vs R4WCgDAfHB.exe
Source: R4WCgDAfHB.exe, 00000000.00000003.1691860964.00000000031FF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameNvwmi64.exeH vs R4WCgDAfHB.exe
Source: R4WCgDAfHB.exe, 00000000.00000003.1718951677.0000000007D76000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameNvwmi64.exeH vs R4WCgDAfHB.exe
Source: R4WCgDAfHB.exe Binary or memory string: OriginalFilenameNvwmi64.exeH vs R4WCgDAfHB.exe
Uses 32bit PE files
Source: R4WCgDAfHB.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 10.2.HelpSystem.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: APT17_Sample_FXSST_DLL date = 2015-05-14, author = Florian Roth, description = Detects Samples related to APT17 activity - file FXSST.DLL, reference = https://goo.gl/ZiJyQv, hash = 52f1add5ad28dc30f68afda5d41b354533d8bce3
Source: 2.3.NvwmiShell.exe.217731f.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 12.0.Network64.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Linux_Trojan_Pornoasset_927f314f reference_sample = d653598df857535c354ba21d96358d4767d6ada137ee32ce5eb4972363b35f93, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Pornoasset, fingerprint = 7214d3132fc606482e3f6236d291082a3abc0359c80255048045dba6e60ec7bf, id = 927f314f-2cbb-4f87-b75c-9aa5ef758599, last_modified = 2021-09-16
Source: 12.0.Network64.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 12.2.Network64.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Linux_Trojan_Pornoasset_927f314f reference_sample = d653598df857535c354ba21d96358d4767d6ada137ee32ce5eb4972363b35f93, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Pornoasset, fingerprint = 7214d3132fc606482e3f6236d291082a3abc0359c80255048045dba6e60ec7bf, id = 927f314f-2cbb-4f87-b75c-9aa5ef758599, last_modified = 2021-09-16
Source: 12.2.Network64.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 2.3.NvwmiShell.exe.217731f.0.raw.unpack, type: UNPACKEDPE Matched rule: Linux_Trojan_Pornoasset_927f314f reference_sample = d653598df857535c354ba21d96358d4767d6ada137ee32ce5eb4972363b35f93, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Pornoasset, fingerprint = 7214d3132fc606482e3f6236d291082a3abc0359c80255048045dba6e60ec7bf, id = 927f314f-2cbb-4f87-b75c-9aa5ef758599, last_modified = 2021-09-16
Source: 2.3.NvwmiShell.exe.21630df.3.raw.unpack, type: UNPACKEDPE Matched rule: Linux_Trojan_Pornoasset_927f314f reference_sample = d653598df857535c354ba21d96358d4767d6ada137ee32ce5eb4972363b35f93, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Pornoasset, fingerprint = 7214d3132fc606482e3f6236d291082a3abc0359c80255048045dba6e60ec7bf, id = 927f314f-2cbb-4f87-b75c-9aa5ef758599, last_modified = 2021-09-16
Source: 0000000C.00000001.2805127434.0000000000401000.00000020.00000001.01000000.00000009.sdmp, type: MEMORY Matched rule: Linux_Trojan_Pornoasset_927f314f reference_sample = d653598df857535c354ba21d96358d4767d6ada137ee32ce5eb4972363b35f93, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Pornoasset, fingerprint = 7214d3132fc606482e3f6236d291082a3abc0359c80255048045dba6e60ec7bf, id = 927f314f-2cbb-4f87-b75c-9aa5ef758599, last_modified = 2021-09-16
Source: 0000000C.00000002.4141120724.0000000000401000.00000020.00000001.01000000.00000009.sdmp, type: MEMORY Matched rule: Linux_Trojan_Pornoasset_927f314f reference_sample = d653598df857535c354ba21d96358d4767d6ada137ee32ce5eb4972363b35f93, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Pornoasset, fingerprint = 7214d3132fc606482e3f6236d291082a3abc0359c80255048045dba6e60ec7bf, id = 927f314f-2cbb-4f87-b75c-9aa5ef758599, last_modified = 2021-09-16
Source: 0000000C.00000000.2804283551.0000000000401000.00000020.00000001.01000000.00000009.sdmp, type: MEMORY Matched rule: Linux_Trojan_Pornoasset_927f314f reference_sample = d653598df857535c354ba21d96358d4767d6ada137ee32ce5eb4972363b35f93, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Pornoasset, fingerprint = 7214d3132fc606482e3f6236d291082a3abc0359c80255048045dba6e60ec7bf, id = 927f314f-2cbb-4f87-b75c-9aa5ef758599, last_modified = 2021-09-16
Source: 00000002.00000003.2738458849.0000000002163000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Linux_Trojan_Pornoasset_927f314f reference_sample = d653598df857535c354ba21d96358d4767d6ada137ee32ce5eb4972363b35f93, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Pornoasset, fingerprint = 7214d3132fc606482e3f6236d291082a3abc0359c80255048045dba6e60ec7bf, id = 927f314f-2cbb-4f87-b75c-9aa5ef758599, last_modified = 2021-09-16
Source: WinRing0x64.sys.2.dr Binary string: \Device\WinRing0_1_2_0
Source: classification engine Classification label: mal100.troj.expl.evad.mine.winEXE@15/8@6/100
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Code function: 1_3_100016E0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle, 1_3_100016E0
Source: C:\Program Files (x86)\Microsoft Network\HelpSystem.exe Code function: 10_2_10002800 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle, 10_2_10002800
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Code function: _memset,OpenSCManagerA,CreateServiceA,LockServiceDatabase,ChangeServiceConfig2A,UnlockServiceDatabase,StartServiceA,GetLastError,OpenServiceA,StartServiceA,StartServiceA,RegOpenKeyA,lstrlen,RegSetValueExA,RegCloseKey,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 1_3_100019D0
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Code function: 1_2_00882035 FindResourceA, 1_2_00882035
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Code function: 1_3_100019D0 _memset,OpenSCManagerA,CreateServiceA,LockServiceDatabase,ChangeServiceConfig2A,UnlockServiceDatabase,StartServiceA,GetLastError,OpenServiceA,StartServiceA,StartServiceA,RegOpenKeyA,lstrlen,RegSetValueExA,RegCloseKey,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 1_3_100019D0
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Code function: 1_3_10001D30 Sleep,StartServiceCtrlDispatcherA, 1_3_10001D30
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe File created: C:\Program Files (x86)\Microsoft Network Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:8080:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:3844:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:180:120:WilError_03
Source: C:\Program Files (x86)\Microsoft Network\HelpSystem.exe Command line argument: X@ 10_2_00405830
Source: R4WCgDAfHB.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\R4WCgDAfHB.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\R4WCgDAfHB.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: R4WCgDAfHB.exe ReversingLabs: Detection: 81%
Source: R4WCgDAfHB.exe Virustotal: Detection: 79%
Source: Network64.exe String found in binary or memory: --help
Source: Network64.exe String found in binary or memory: --help
Source: Network64.exe String found in binary or memory: rget,jit_inst,jit_prefetch_vgpr_index,jit_vmcnt,batch_size); if(p-start_p>size_limit) { *(p++)=S_SETPC_B64_S12_13; return p; } } while (!done); } *(p++)=S_SETPC_B64_S12_13; return p; } __attribute__((reqd_work_group_size(64,1,1))) __kernel void randomx_jit(_
Source: C:\Users\user\Desktop\R4WCgDAfHB.exe File read: C:\Users\user\Desktop\R4WCgDAfHB.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\R4WCgDAfHB.exe "C:\Users\user\Desktop\R4WCgDAfHB.exe"
Source: C:\Users\user\Desktop\R4WCgDAfHB.exe Process created: C:\Windows\SystemNvwmiShell\NvwmiShell.exe "C:\Windows\SystemNvwmiShell\NvwmiShell.exe"
Source: unknown Process created: C:\Windows\SystemNvwmiShell\NvwmiShell.exe C:\Windows\SystemNvwmiShell\NvwmiShell.exe
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c netsh advfirewall firewall add rule dir=in action=block protocol=tcp localport=445 name="CloseSMB"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule dir=in action=block protocol=tcp localport=445 name="CloseSMB"
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Process created: C:\Program Files (x86)\Microsoft Network\HelpSystem.exe "C:\Program Files (x86)\Microsoft Network\HelpSystem.exe" 1
Source: C:\Program Files (x86)\Microsoft Network\HelpSystem.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Process created: C:\Program Files (x86)\Microsoft Network\Network64.exe "C:\Program Files (x86)\Microsoft Network\Network64.exe" Yde5fFJFjShqKS+u9okdyvP/pj9kg/bQNXV+USrRGaecQs8AdtikoR9wVLreBlqoPAFr/LRRDydtLzX5YzQgQ1GCivTcd3opL1Xfv4SzrZQOBZVgTwOiPgknymhzPAuX3kaHX0i00NQybzCyaJaj7nJOK0DHJVp09YDF1A==
Source: C:\Program Files (x86)\Microsoft Network\Network64.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\R4WCgDAfHB.exe Process created: C:\Windows\SystemNvwmiShell\NvwmiShell.exe "C:\Windows\SystemNvwmiShell\NvwmiShell.exe" Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c netsh advfirewall firewall add rule dir=in action=block protocol=tcp localport=445 name="CloseSMB" Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Process created: C:\Program Files (x86)\Microsoft Network\HelpSystem.exe "C:\Program Files (x86)\Microsoft Network\HelpSystem.exe" 1 Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Process created: C:\Program Files (x86)\Microsoft Network\Network64.exe "C:\Program Files (x86)\Microsoft Network\Network64.exe" Yde5fFJFjShqKS+u9okdyvP/pj9kg/bQNXV+USrRGaecQs8AdtikoR9wVLreBlqoPAFr/LRRDydtLzX5YzQgQ1GCivTcd3opL1Xfv4SzrZQOBZVgTwOiPgknymhzPAuX3kaHX0i00NQybzCyaJaj7nJOK0DHJVp09YDF1A== Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule dir=in action=block protocol=tcp localport=445 name="CloseSMB" Jump to behavior
Source: C:\Users\user\Desktop\R4WCgDAfHB.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\R4WCgDAfHB.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\R4WCgDAfHB.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Users\user\Desktop\R4WCgDAfHB.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\R4WCgDAfHB.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\R4WCgDAfHB.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\R4WCgDAfHB.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\R4WCgDAfHB.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\R4WCgDAfHB.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\R4WCgDAfHB.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\R4WCgDAfHB.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\R4WCgDAfHB.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\R4WCgDAfHB.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\R4WCgDAfHB.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\R4WCgDAfHB.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\R4WCgDAfHB.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\R4WCgDAfHB.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\R4WCgDAfHB.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\R4WCgDAfHB.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\R4WCgDAfHB.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\R4WCgDAfHB.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\R4WCgDAfHB.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\R4WCgDAfHB.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Users\user\Desktop\R4WCgDAfHB.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Jump to behavior
Source: R4WCgDAfHB.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: NvwmiShell.exe, 00000002.00000003.2738458849.000000000275E000.00000004.00000020.00020000.00000000.sdmp, WinRing0x64.sys.2.dr
Source: R4WCgDAfHB.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: R4WCgDAfHB.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: R4WCgDAfHB.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: R4WCgDAfHB.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: R4WCgDAfHB.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Contains functionality to dynamically determine API calls
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Code function: 1_3_10001C50 LoadLibraryW,GetProcAddress,FreeLibrary, 1_3_10001C50
PE file contains an invalid checksum
Source: R4WCgDAfHB.exe Static PE information: real checksum: 0x65ed9 should be: 0x67b71
PE file contains sections with non-standard names
Source: Network64.exe.2.dr Static PE information: section name: .xdata
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Code function: 1_3_10007851 push ecx; ret 1_3_10007864
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Code function: 1_3_10017D60 push ebx; retf 1_3_10017D69
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Code function: 1_3_100171E8 push eax; iretd 1_3_100171E9
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Code function: 1_3_10021F82 push 86867811h; iretd 1_3_10021F87
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Code function: 1_2_0088F1E7 push ecx; ret 1_2_0088F1FA
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Code function: 1_2_00891305 push ecx; ret 1_2_00891318
Source: C:\Program Files (x86)\Microsoft Network\HelpSystem.exe Code function: 10_2_00403461 push ecx; ret 10_2_00403474
Source: C:\Program Files (x86)\Microsoft Network\HelpSystem.exe Code function: 10_2_0043C7FE push eax; iretd 10_2_0043C800
Source: C:\Program Files (x86)\Microsoft Network\HelpSystem.exe Code function: 10_2_1000C574 push ecx; ret 10_2_1000C587
Source: C:\Program Files (x86)\Microsoft Network\HelpSystem.exe Code function: 10_2_100071C5 push ecx; ret 10_2_100071D8
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1

Persistence and Installation Behavior
barindex
Drops HTML or HTM files to system directories
Source: C:\Program Files (x86)\Microsoft Network\HelpSystem.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\checkip[1].htm Jump to behavior
Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Users\user\Desktop\R4WCgDAfHB.exe Executable created and started: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Jump to behavior
Sample is not signed and drops a device driver
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe File created: C:\Program Files (x86)\Microsoft Network\WinRing0x64.sys Jump to behavior
Drops PE files
Source: C:\Users\user\Desktop\R4WCgDAfHB.exe File created: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Jump to dropped file
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe File created: C:\Program Files (x86)\Microsoft Network\WinRing0x64.sys Jump to dropped file
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe File created: C:\Program Files (x86)\Microsoft Network\Network64.exe Jump to dropped file
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe File created: C:\Program Files (x86)\Microsoft Network\HelpSystem.exe Jump to dropped file
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\Desktop\R4WCgDAfHB.exe File created: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Jump to dropped file
Creates or modifies windows services
Source: C:\Users\user\Desktop\R4WCgDAfHB.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NetCellcore NvwmiShells Jump to behavior
Modifies existing windows services
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NetCellcore NvwmiShells Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Code function: 1_3_100019D0 _memset,OpenSCManagerA,CreateServiceA,LockServiceDatabase,ChangeServiceConfig2A,UnlockServiceDatabase,StartServiceA,GetLastError,OpenServiceA,StartServiceA,StartServiceA,RegOpenKeyA,lstrlen,RegSetValueExA,RegCloseKey,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 1_3_100019D0

Hooking and other Techniques for Hiding and Protection
barindex
Deletes itself after installation
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe File deleted: c:\users\user\desktop\r4wcgdafhb.exe Jump to behavior
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Code function: 1_2_00886B5A IsIconic,GetWindowPlacement,GetWindowRect, 1_2_00886B5A
Source: C:\Users\user\Desktop\R4WCgDAfHB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\R4WCgDAfHB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\R4WCgDAfHB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\R4WCgDAfHB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\R4WCgDAfHB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\R4WCgDAfHB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\R4WCgDAfHB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\R4WCgDAfHB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\R4WCgDAfHB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\R4WCgDAfHB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\R4WCgDAfHB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\R4WCgDAfHB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Network\HelpSystem.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Network\HelpSystem.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Network\HelpSystem.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Network\HelpSystem.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Network\Network64.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Query firmware table information (likely to detect VMs)
Source: C:\Program Files (x86)\Microsoft Network\Network64.exe System information queried: FirmwareTableInformation Jump to behavior
Contains functionality to query network adapater information
Source: C:\Program Files (x86)\Microsoft Network\HelpSystem.exe Code function: _malloc,GetAdaptersInfo,_malloc,lstrlen,GetAdaptersInfo, 10_2_10003100
Contains long sleeps (>= 3 min)
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Thread delayed: delay time: 3600000 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Program Files (x86)\Microsoft Network\HelpSystem.exe Window / User API: threadDelayed 641 Jump to behavior
Source: C:\Windows\System32\conhost.exe Window / User API: threadDelayed 4817 Jump to behavior
Source: C:\Program Files (x86)\Microsoft Network\Network64.exe Window / User API: threadDelayed 9098 Jump to behavior
Source: C:\Program Files (x86)\Microsoft Network\Network64.exe Window / User API: threadDelayed 892 Jump to behavior
Found decision node followed by non-executed suspicious APIs
Source: C:\Program Files (x86)\Microsoft Network\HelpSystem.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\R4WCgDAfHB.exe Dropped PE file which has not been started: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Jump to dropped file
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Network\WinRing0x64.sys Jump to dropped file
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Program Files (x86)\Microsoft Network\HelpSystem.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Program Files (x86)\Microsoft Network\HelpSystem.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe TID: 7416 Thread sleep count: 143 > 30 Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe TID: 7412 Thread sleep count: 117 > 30 Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe TID: 7412 Thread sleep time: -421200000s >= -30000s Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe TID: 8072 Thread sleep count: 36 > 30 Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe TID: 8072 Thread sleep time: -36000s >= -30000s Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe TID: 6752 Thread sleep count: 53 > 30 Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe TID: 6752 Thread sleep time: -53000s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Microsoft Network\HelpSystem.exe TID: 5592 Thread sleep count: 641 > 30 Jump to behavior
Source: C:\Program Files (x86)\Microsoft Network\Network64.exe TID: 5940 Thread sleep count: 9098 > 30 Jump to behavior
Source: C:\Program Files (x86)\Microsoft Network\Network64.exe TID: 3300 Thread sleep count: 892 > 30 Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Program Files (x86)\Microsoft Network\Network64.exe Last function: Thread delayed
Source: C:\Program Files (x86)\Microsoft Network\Network64.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Thread delayed: delay time: 3600000 Jump to behavior
Source: Network64.exe, 0000000C.00000002.4142356939.0000000000F68000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWo
Source: HelpSystem.exe, 0000000A.00000002.4141453934.00000000006E2000.00000004.00000020.00020000.00000000.sdmp, HelpSystem.exe, 0000000A.00000002.4141453934.000000000069A000.00000004.00000020.00020000.00000000.sdmp, Network64.exe, 0000000C.00000002.4142356939.0000000000F68000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Network64.exe, 0000000C.00000002.4142356939.0000000000F68000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: HelpSystem.exe, 0000000A.00000002.4141453934.00000000006E2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWx<
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe API call chain: ExitProcess graph end node
Source: C:\Program Files (x86)\Microsoft Network\HelpSystem.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Process information queried: ProcessInformation Jump to behavior
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Code function: 1_3_10006718 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_3_10006718
Contains functionality to dynamically determine API calls
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Code function: 1_3_10001C50 LoadLibraryW,GetProcAddress,FreeLibrary, 1_3_10001C50
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Code function: 1_3_10002840 FreeLibrary,FreeLibrary,VirtualFree,GetProcessHeap,HeapFree, 1_3_10002840
Enables debug privileges
Source: C:\Users\user\Desktop\R4WCgDAfHB.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Program Files (x86)\Microsoft Network\HelpSystem.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Code function: 1_3_10006718 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_3_10006718
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Code function: 1_3_1000FF2F _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_3_1000FF2F
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Code function: 1_3_100053BA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_3_100053BA
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Code function: 1_2_00893AAA SetUnhandledExceptionFilter, 1_2_00893AAA
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Code function: 1_2_00897AEE __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00897AEE
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Code function: 1_2_008953AB _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_008953AB
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Code function: 1_2_0088E5F7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_0088E5F7
Source: C:\Program Files (x86)\Microsoft Network\HelpSystem.exe Code function: 10_2_00402033 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 10_2_00402033
Source: C:\Program Files (x86)\Microsoft Network\HelpSystem.exe Code function: 10_2_004078F8 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,__amsg_exit, 10_2_004078F8
Source: C:\Program Files (x86)\Microsoft Network\HelpSystem.exe Code function: 10_2_00405085 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 10_2_00405085
Source: C:\Program Files (x86)\Microsoft Network\HelpSystem.exe Code function: 10_2_00403CAE SetUnhandledExceptionFilter, 10_2_00403CAE
Source: C:\Program Files (x86)\Microsoft Network\HelpSystem.exe Code function: 10_2_1000628F _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 10_2_1000628F
Source: C:\Program Files (x86)\Microsoft Network\HelpSystem.exe Code function: 10_2_10003C98 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 10_2_10003C98
Source: C:\Program Files (x86)\Microsoft Network\HelpSystem.exe Code function: 10_2_1000C59A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 10_2_1000C59A
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\R4WCgDAfHB.exe Process created: C:\Windows\SystemNvwmiShell\NvwmiShell.exe "C:\Windows\SystemNvwmiShell\NvwmiShell.exe" Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c netsh advfirewall firewall add rule dir=in action=block protocol=tcp localport=445 name="CloseSMB" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule dir=in action=block protocol=tcp localport=445 name="CloseSMB" Jump to behavior
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Code function: _strcpy_s,GetLocaleInfoA,__snwprintf_s,LoadLibraryA, 1_2_00882175
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Code function: GetLocaleInfoA, 1_2_0089BF26
Source: C:\Program Files (x86)\Microsoft Network\HelpSystem.exe Code function: GetLocaleInfoA, 10_2_00407A18
Source: C:\Program Files (x86)\Microsoft Network\HelpSystem.exe Code function: GetLocaleInfoA, 10_2_1000D85B
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\netsh.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Code function: 1_3_1000516E GetSystemTimeAsFileTime,__aulldiv, 1_3_1000516E
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Code function: 1_3_10001CA0 _memset,GetVersionExA, 1_3_10001CA0
Source: C:\Program Files (x86)\Microsoft Network\Network64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings
barindex
Modifies the windows firewall
Source: C:\Windows\SystemNvwmiShell\NvwmiShell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c netsh advfirewall firewall add rule dir=in action=block protocol=tcp localport=445 name="CloseSMB"
Uses netsh to modify the Windows network and firewall settings
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule dir=in action=block protocol=tcp localport=445 name="CloseSMB"
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1532151 Sample: R4WCgDAfHB.exe Startdate: 12/10/2024 Architecture: WINDOWS Score: 100 43 ddns.oray.com 2->43 45 pool.autocoreb.com 2->45 47 contr.netmows.com 2->47 69 Multi AV Scanner detection for domain / URL 2->69 71 Suricata IDS alerts for network traffic 2->71 73 Malicious sample detected (through community Yara rule) 2->73 77 8 other signatures 2->77 8 NvwmiShell.exe 11 2->8         started        12 R4WCgDAfHB.exe 1 3 2->12         started        signatures3 75 Uses dynamic DNS services 43->75 process4 file5 33 C:\Program Files (x86)\...\WinRing0x64.sys, PE32+ 8->33 dropped 35 C:\Program Files (x86)\...35etwork64.exe, PE32+ 8->35 dropped 37 C:\Program Files (x86)\...\HelpSystem.exe, PE32 8->37 dropped 79 Found strings related to Crypto-Mining 8->79 81 Deletes itself after installation 8->81 83 Sample is not signed and drops a device driver 8->83 14 HelpSystem.exe 14 8->14         started        19 cmd.exe 1 8->19         started        21 Network64.exe 1 8->21         started        39 C:\Windows\SystemNvwmiShell39vwmiShell.exe, PE32 12->39 dropped 85 Drops executables to the windows directory (C:\Windows) and starts them 12->85 23 NvwmiShell.exe 1 12->23         started        signatures6 process7 dnsIp8 49 192.168.12.100 unknown unknown 14->49 51 192.168.12.101 unknown unknown 14->51 53 98 other IPs or domains 14->53 41 C:\Windows\SysWOW64\config\...\checkip[1].htm, ASCII 14->41 dropped 55 Connects to many different private IPs via SMB (likely to spread or exploit) 14->55 57 Connects to many different private IPs (likely to spread or exploit) 14->57 59 Drops HTML or HTM files to system directories 14->59 25 conhost.exe 14->25         started        61 Uses netsh to modify the Windows network and firewall settings 19->61 27 netsh.exe 2 19->27         started        29 conhost.exe 19->29         started        63 Query firmware table information (likely to detect VMs) 21->63 31 conhost.exe 21->31         started        65 Antivirus detection for dropped file 23->65 67 Modifies the windows firewall 23->67 file9 signatures10 process11
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious

Private

IP
192.168.2.148
192.168.4.67
192.168.2.149
192.168.4.68
192.168.2.146
192.168.4.65
192.168.2.147
192.168.4.66
192.168.12.127
192.168.12.128
192.168.4.69
192.168.12.129
192.168.2.140
192.168.12.123
192.168.2.141
192.168.4.60
192.168.12.124
192.168.12.125
192.168.12.126
192.168.2.144
192.168.4.63
192.168.2.145
192.168.4.64
192.168.12.120
192.168.2.142
192.168.4.61
192.168.12.121
192.168.2.143
192.168.4.62
192.168.12.122
192.168.2.159
192.168.4.56
192.168.4.57
192.168.2.157
192.168.4.54
192.168.2.158
192.168.4.55
192.168.12.116
192.168.12.117
192.168.4.58
192.168.12.118
192.168.4.59
192.168.12.119
192.168.2.151
192.168.12.112
192.168.2.152
192.168.12.113
192.168.12.114
192.168.2.150
192.168.12.115
192.168.2.155
192.168.4.52
192.168.2.156
192.168.4.53
192.168.2.153
192.168.4.50
192.168.12.110
192.168.2.154
192.168.4.51
192.168.12.111
192.168.2.126
192.168.4.45
192.168.12.109
192.168.2.127
192.168.4.46
192.168.2.124
192.168.4.43
192.168.2.125
192.168.4.44
192.168.4.49
192.168.12.105
192.168.12.106
192.168.2.128
192.168.4.47
192.168.12.107
192.168.2.129
192.168.4.48
192.168.12.108
192.168.12.101
192.168.12.102
192.168.12.103
192.168.12.104
192.168.2.122
192.168.4.41
192.168.2.123
192.168.4.42
192.168.2.120
192.168.2.121
192.168.4.40
192.168.12.100
192.168.4.29
192.168.2.137
192.168.4.34
192.168.2.138
192.168.4.35
192.168.2.135
192.168.4.32
192.168.2.136
192.168.4.33
192.168.4.38

Contacted Domains

Name IP Active
ddns.oray.com 114.215.199.192 true
contr.netmows.com 45.137.222.18 true
pool.autocoreb.com 116.202.251.6 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://ddns.oray.com/checkip true unknown