
Windows Analysis Report
1338.exe

Overview

General Information

Sample Name: 1338.exe
Analysis ID: 633539
MD5: ac711e6653707f0b1d245ff40d95385f
SHA1: 279b9abaf000303983d6ecfb91e8b221b00fb198
SHA256: 909409814d725477622728168035c3f2d259b5d8aa1ca77403d8c259bd7aba63
Tags: exe

Detection

BitCoin Miner, SilentXMRMiner, Xmrig
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Xmrig cryptocurrency miner
Antivirus / Scanner detection for submitted sample
Yara detected SilentXMRMiner
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Yara detected BitCoin Miner
Modifies power options to not sleep / hibernate
Writes to foreign memory regions
Found strings related to Crypto-Mining
Encrypted powershell cmdline option found
Allocates memory in foreign processes
Creates files in the system32 config directory
Injects a PE file into a foreign processes
Obfuscated command line found
Modifies the context of a thread in another process (thread injection)
Creates a thread in another existing process (thread injection)
Uses schtasks.exe or at.exe to add and modify task schedules
Potential dropper URLs found in powershell memory
Uses powercfg.exe to modify the power settings
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops PE files
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • 1338.exe (PID: 7044 cmdline: "C:\Users\user\Desktop\1338.exe" MD5: AC711E6653707F0B1D245FF40D95385F)
    • conhost.exe (PID: 7056 cmdline: C:\Windows\System32\conhost.exe" "C:\Users\user\Desktop\1338.exe MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 7124 cmdline: C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAG0AbwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHMAdQBuACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHAAdwBrAHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaQBrAHkAdQAjAD4A MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
        • conhost.exe (PID: 7148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • powershell.exe (PID: 6280 cmdline: powershell -EncodedCommand "PAAjAG0AbwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHMAdQBuACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHAAdwBrAHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaQBrAHkAdQAjAD4A" MD5: 95000560239032BC68B4C2FDFCDEF913)
      • cmd.exe (PID: 4992 cmdline: "C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
        • conhost.exe (PID: 6500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • powercfg.exe (PID: 4680 cmdline: powercfg /x -hibernate-timeout-ac 0 MD5: 7C749DC22FCB1ED42A87AFA986B720F5)
        • powercfg.exe (PID: 6868 cmdline: powercfg /x -hibernate-timeout-dc 0 MD5: 7C749DC22FCB1ED42A87AFA986B720F5)
        • powercfg.exe (PID: 3392 cmdline: powercfg /x -standby-timeout-ac 0 MD5: 7C749DC22FCB1ED42A87AFA986B720F5)
        • powercfg.exe (PID: 6448 cmdline: powercfg /x -standby-timeout-dc 0 MD5: 7C749DC22FCB1ED42A87AFA986B720F5)
      • cmd.exe (PID: 6832 cmdline: "C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr '^"C:\Program Files\Google\Chrome\updater.exe^"' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
        • conhost.exe (PID: 3396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • schtasks.exe (PID: 7000 cmdline: schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr '"C:\Program Files\Google\Chrome\updater.exe"' MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
      • cmd.exe (PID: 2508 cmdline: C:\Windows\System32\cmd.exe" cmd /c schtasks /run /tn "GoogleUpdateTaskMachineQC MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
        • conhost.exe (PID: 2812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • schtasks.exe (PID: 6772 cmdline: schtasks /run /tn "GoogleUpdateTaskMachineQC" MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
  • updater.exe (PID: 6800 cmdline: C:\Program Files\Google\Chrome\updater.exe MD5: AC711E6653707F0B1D245FF40D95385F)
    • conhost.exe (PID: 6936 cmdline: C:\Windows\System32\conhost.exe" "C:\Program Files\Google\Chrome\updater.exe MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 3552 cmdline: C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAG0AbwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHMAdQBuACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHAAdwBrAHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaQBrAHkAdQAjAD4A MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
        • conhost.exe (PID: 5952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • powershell.exe (PID: 6476 cmdline: powershell -EncodedCommand "PAAjAG0AbwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHMAdQBuACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHAAdwBrAHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaQBrAHkAdQAjAD4A" MD5: 95000560239032BC68B4C2FDFCDEF913)
      • cmd.exe (PID: 2252 cmdline: "C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
        • conhost.exe (PID: 4452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • powercfg.exe (PID: 5800 cmdline: powercfg /x -hibernate-timeout-ac 0 MD5: 7C749DC22FCB1ED42A87AFA986B720F5)
        • powercfg.exe (PID: 6768 cmdline: powercfg /x -hibernate-timeout-dc 0 MD5: 7C749DC22FCB1ED42A87AFA986B720F5)
        • powercfg.exe (PID: 7100 cmdline: powercfg /x -standby-timeout-ac 0 MD5: 7C749DC22FCB1ED42A87AFA986B720F5)
        • powercfg.exe (PID: 4556 cmdline: powercfg /x -standby-timeout-dc 0 MD5: 7C749DC22FCB1ED42A87AFA986B720F5)
      • conhost.exe (PID: 6712 cmdline: C:\Windows\System32\conhost.exe MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • conhost.exe (PID: 6236 cmdline: C:\Windows\System32\conhost.exe" "ossgiopsxz MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
No configs have been found
Yara matches (memory dumps)

  • Source: 00000018.00000002.661999485.0000027E112A3000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_Xmrig; Description: Yara detected Xmrig cryptocurrency miner; Author: Joe Security
  • Source: 00000018.00000002.655565529.0000027E1095A000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_Xmrig; Description: Yara detected Xmrig cryptocurrency miner; Author: Joe Security
  • Source: Process Memory Space: conhost.exe PID: 6936; Rule: CoinMiner_Strings; Description: Detects mining pool protocol string in Executable; Author: Florian Roth; Strings:
    • 0x81eb3:$sa1: stratum+tcp://
    • 0x85ca7:$sa1: stratum+tcp://
    • 0x12d467:$sa1: stratum+tcp://
    • 0x13125b:$sa1: stratum+tcp://
  • Source: Process Memory Space: conhost.exe PID: 6936; Rule: JoeSecurity_bitcoinminer; Description: Yara detected BitCoin Miner; Author: Joe Security
  • Source: Process Memory Space: conhost.exe PID: 6936; Rule: JoeSecurity_Xmrig; Description: Yara detected Xmrig cryptocurrency miner; Author: Joe Security

Yara matches (unpacked PEs)

  • Source: 24.2.conhost.exe.27e10da3ca8.5.raw.unpack; Rule: JoeSecurity_Xmrig; Description: Yara detected Xmrig cryptocurrency miner; Author: Joe Security
  • Source: 24.2.conhost.exe.27e10da3ca8.5.unpack; Rule: JoeSecurity_Xmrig; Description: Yara detected Xmrig cryptocurrency miner; Author: Joe Security
  • Source: 24.2.conhost.exe.27e112a3ce0.6.unpack; Rule: JoeSecurity_Xmrig; Description: Yara detected Xmrig cryptocurrency miner; Author: Joe Security
  • Source: 24.2.conhost.exe.27e10b23c70.4.raw.unpack; Rule: JoeSecurity_Xmrig; Description: Yara detected Xmrig cryptocurrency miner; Author: Joe Security
  • Source: 24.2.conhost.exe.27e112a3ce0.6.raw.unpack; Rule: JoeSecurity_Xmrig; Description: Yara detected Xmrig cryptocurrency miner; Author: Joe Security

No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: 1338.exe; Virustotal: Detection: 68%
Source: 1338.exe; Metadefender: Detection: 33%
Source: 1338.exe; ReversingLabs: Detection: 73%
Source: 1338.exe; Avira: detected
Source: C:\Program Files\Google\Chrome\updater.exe; Avira: detection malicious, Label: HEUR/AGEN.1205338
Source: C:\Program Files\Google\Chrome\updater.exe; Virustotal: Detection: 68%
Source: C:\Program Files\Google\Chrome\updater.exe; Metadefender: Detection: 33%
Source: C:\Program Files\Google\Chrome\updater.exe; ReversingLabs: Detection: 73%

Bitcoin Miner

Source: Yara match; File source: 24.2.conhost.exe.27e10da3ca8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 24.2.conhost.exe.27e10da3ca8.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 24.2.conhost.exe.27e112a3ce0.6.unpack, type: UNPACKEDPE
Source: Yara match; File source: 24.2.conhost.exe.27e10b23c70.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 24.2.conhost.exe.27e112a3ce0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000018.00000002.661999485.0000027E112A3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000018.00000002.655565529.0000027E1095A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: conhost.exe PID: 6936, type: MEMORYSTR
Source: conhost.exe, 00000018.00000002.655565529.0000027E1095A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: stratum+tcp://-:x@exit:0
Source: C:\Windows\System32\conhost.exe; Directory created: C:\Program Files\Google\Chrome\updater.exe
Source: C:\Windows\System32\conhost.exe; Directory created: C:\Program Files\Google\Libs
Source: C:\Windows\System32\conhost.exe; Directory created: C:\Program Files\Google\Telemetry
Source: Binary string: H:\CRYPTOCOIN\Mandark-master\obj\x64\Release\ClassLibrary.pdb; source: conhost.exe, 00000018.00000002.674440898.0000027E779F0000.00000004.08000000.00040000.00000000.sdmp

Networking

Source: powershell.exe, 00000004.00000002.469456893.00000298521EF000.00000004.00000800.00020000.00000000.sdmp; String found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:Version, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:DefaultNoun, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:InstanceCmdlets, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:StaticCmdlets, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:CmdletAdapterPrivateData
Source: powershell.exe, 00000004.00000002.469456893.00000298521EF000.00000004.00000800.00020000.00000000.sdmp; String found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:AllowEmptyCollection, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:AllowEmptyString, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:AllowNull, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateNotNull, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateNotNullOrEmpty, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateCount, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateLength, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateRange, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateSet, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:Obsolete
Source: powershell.exe, 00000004.00000002.469456893.00000298521EF000.00000004.00000800.00020000.00000000.sdmp; String found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:Type, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:MaxValueQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:RegularQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ExcludeQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:MinValueQuery
Source: powershell.exe, 00000004.00000002.479136799.000002986A060000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001B.00000003.532650408.0000023C451E3000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000004.00000002.479466307.000002986A4C0000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.micros
Source: powershell.exe, 00000004.00000003.442875745.000002986A154000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.microsoft
Source: powershell.exe, 00000004.00000003.442875745.000002986A154000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.microsoft.coji
Source: powershell.exe, 00000004.00000002.478394402.0000029862043000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000004.00000002.469456893.00000298521EF000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000004.00000002.469456893.00000298521EF000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: conhost.exe, 00000001.00000002.516335707.000002779FFB6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.469069937.0000029851FE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.599425355.0000023C45321000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000004.00000002.469456893.00000298521EF000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000004.00000002.469456893.00000298521EF000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: conhost.exe, 00000018.00000002.655565529.0000027E1095A000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000018.00000002.661999485.0000027E112A3000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.gnu.org/licenses/
Source: conhost.exe, 00000018.00000002.661999485.0000027E112A3000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.jsonrpc.org/
Source: powershell.exe, 00000004.00000002.478394402.0000029862043000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000004.00000002.478394402.0000029862043000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000004.00000002.478394402.0000029862043000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000004.00000002.469456893.00000298521EF000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://github.com/Pester/Pester
Source: conhost.exe, 00000018.00000002.655565529.0000027E1095A000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000018.00000002.661999485.0000027E112A3000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://github.com/openwall/john/issues/3454#issuecomment-436899959
Source: powershell.exe, 00000004.00000002.478242785.00000298536E6000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://go.micro
Source: powershell.exe, 00000004.00000002.478394402.0000029862043000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000004.00000002.479136799.000002986A060000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://www.vign.

System Summary

Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: Process Memory Space: conhost.exe PID: 6936, type: MEMORYSTR; Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26, nodeepdive =
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File deleted: C:\Windows\Temp\__PSScriptPolicyTest_frzn2qj0.jw3.ps1
Source: C:\Windows\System32\conhost.exe; File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log
Source: C:\Users\user\Desktop\1338.exe; Code function: 0_2_004019C6 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\1338.exe; Code function: 0_2_00401946 NtCreateThreadEx
Source: C:\Users\user\Desktop\1338.exe; Code function: 0_2_00401A06 NtProtectVirtualMemory
Source: C:\Users\user\Desktop\1338.exe; Code function: 0_2_00401986 NtWriteVirtualMemory
Source: C:\Windows\System32\conhost.exe; Code function: 24_2_00007FF9F1C0690E NtUnmapViewOfSection
Source: C:\Windows\System32\conhost.exe; Code function: 37_2_00401946 NtCreateThreadEx
Source: C:\Windows\System32\conhost.exe; Code function: 37_2_00401986 NtWriteVirtualMemory
Source: Joe Sandbox View; Dropped File: C:\Program Files\Google\Chrome\updater.exe 909409814D725477622728168035C3F2D259B5D8AA1CA77403D8C259BD7ABA63
Source: 1338.exe; Static PE information: Section: .rdata ZLIB complexity 0.999571628982
Source: updater.exe.1.dr; Static PE information: Section: .rdata ZLIB complexity 0.999571628982
Source: 1338.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\1338.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown; Process created: C:\Users\user\Desktop\1338.exe "C:\Users\user\Desktop\1338.exe"
Source: C:\Users\user\Desktop\1338.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\System32\conhost.exe" "C:\Users\user\Desktop\1338.exe
Source: C:\Windows\System32\conhost.exe; Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAG0AbwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHMAdQBuACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHAAdwBrAHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaQBrAHkAdQAjAD4A
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "PAAjAG0AbwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHMAdQBuACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHAAdwBrAHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaQBrAHkAdQAjAD4A"
Source: C:\Windows\System32\conhost.exe; Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-dc 0
Source: C:\Windows\System32\conhost.exe; Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr '^"C:\Program Files\Google\Chrome\updater.exe^"'
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-dc 0
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr '"C:\Program Files\Google\Chrome\updater.exe"'
Source: C:\Windows\System32\conhost.exe; Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" cmd /c schtasks /run /tn "GoogleUpdateTaskMachineQC
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\schtasks.exe schtasks /run /tn "GoogleUpdateTaskMachineQC"
Source: unknown; Process created: C:\Program Files\Google\Chrome\updater.exe C:\Program Files\Google\Chrome\updater.exe
Source: C:\Program Files\Google\Chrome\updater.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\System32\conhost.exe" "C:\Program Files\Google\Chrome\updater.exe
Source: C:\Windows\System32\conhost.exe; Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAG0AbwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHMAdQBuACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHAAdwBrAHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaQBrAHkAdQAjAD4A
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "PAAjAG0AbwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHMAdQBuACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHAAdwBrAHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaQBrAHkAdQAjAD4A"
Source: C:\Windows\System32\conhost.exe; Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-dc 0
Source: C:\Windows\System32\conhost.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\System32\conhost.exe
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-dc 0
Source: C:\Windows\System32\conhost.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\System32\conhost.exe" "ossgiopsxz
                    Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\System32\conhost.exeJump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "PAAjAG0AbwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHMAdQBuACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHAAdwBrAHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaQBrAHkAdQAjAD4A"
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0 Jump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-dc 0 Jump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0 Jump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-dc 0Jump to behavior
                    Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\System32\conhost.exe" "ossgiopsxzJump to behavior
Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine, ProcessID from Win32_Process
(the query above was issued 2 times during the run)
Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process WHERE CommandLine LIKE '%vsacxjoagfdpyf%'
(the query above was issued 78 times during the run)
Source: C:\Windows\System32\conhost.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_luxykyrv.0d4.ps1
Source: classification engine | Classification label: mal100.troj.spyw.evad.mine.winEXE@52/13@0/0
Source: C:\Windows\System32\conhost.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\conhost.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6500:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3396:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2812:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5952:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4452:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7148:120:WilError_01
Source: C:\Windows\System32\conhost.exe | File created: C:\Program Files\Google\Chrome\updater.exe
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: 1338.exe | Static file information: File size 1951744 > 1048576
Source: C:\Windows\System32\conhost.exe | Directory created: C:\Program Files\Google\Chrome\updater.exe
Source: C:\Windows\System32\conhost.exe | Directory created: C:\Program Files\Google\Libs
Source: C:\Windows\System32\conhost.exe | Directory created: C:\Program Files\Google\Telemetry
Source: 1338.exe | Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x1dac00
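Read together, the process tree, the WMI polling and the file and section events above describe one install chain: the dropper starts conhost.exe with its own path as the argument, that conhost.exe then hosts the .NET runtime (mscorlib.ni.dll is mapped into it and a CLR usage log named conhost.exe.log is written), spawns cmd.exe to add Defender exclusions, zero the sleep and hibernate timeouts and register a SYSTEM-level logon task named after Google Update, drops updater.exe under Program Files, and keeps polling Win32_Process for a command line containing a random marker to check that its child is still running. The triage script below is an added example for this report (not Joe Sandbox code): EVENTS is a hand-constructed excerpt of the lines above, NATIVE_HOSTS and the finding names are this example's own assumptions, and the rules encode only the patterns visible in this report rather than a general-purpose ruleset.

```python
"""Triage the sandbox behaviour lines above into the miner's install chain.

Added example for this report; not Joe Sandbox or sample code. EVENTS is a
hand-constructed excerpt of the report as (source process, event kind, detail).
"""
import re

# Constructed from the report lines above (one representative per behaviour).
EVENTS = [
    ("1338.exe", "process_created",
     r'"C:\Windows\System32\conhost.exe" "C:\Users\user\Desktop\1338.exe"'),
    ("conhost.exe", "process_created",
     r'"C:\Windows\System32\conhost.exe" "ossgiopsxz"'),
    ("conhost.exe", "process_created",   # base64 payload shortened; not decoded here
     r'"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAG0A"'),
    ("conhost.exe", "process_created",
     r'"C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -standby-timeout-ac 0'),
    ("cmd.exe", "process_created",
     "schtasks /create /f /sc onlogon /rl highest /ru \"System\" /tn \"GoogleUpdateTaskMachineQC\""
     " /tr '\"C:\\Program Files\\Google\\Chrome\\updater.exe\"'"),
    ("conhost.exe", "file_created", r"C:\Program Files\Google\Chrome\updater.exe"),
    ("conhost.exe", "wmi_query",
     "Select CommandLine from Win32_Process WHERE CommandLine LIKE '%vsacxjoagfdpyf%'"),
    ("conhost.exe", "section_loaded",
     r"C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll"),
    ("conhost.exe", "file_created",
     r"C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log"),
]

# Assumption: native Windows binaries that never host the .NET CLR, never drop
# executables and never spawn shells of their own. Extend per environment.
NATIVE_HOSTS = {"conhost.exe"}


def triage(events):
    """Map each event to (finding, evidence) pairs; events with no rule hit yield nothing."""
    findings = []
    for source, kind, detail in events:
        src, low = source.lower(), detail.lower()
        native = src in NATIVE_HOSTS
        if kind == "process_created":
            # conhost.exe started with a payload path or random token as its argument
            if re.match(r'"?c:\\windows\\system32\\conhost\.exe"?\s+\S', low) and src != "csrss.exe":
                findings.append(("suspicious_conhost_launch", detail))
            if native and re.search(r"\\(?:cmd|powershell)\.exe", low):
                findings.append(("native_host_spawns_shell", source))
            if "-encodedcommand" in low:
                findings.append(("obfuscated_powershell", "-EncodedCommand"))
            if "powercfg" in low and re.search(r"-(?:standby|hibernate)-timeout-(?:ac|dc)\s+0\b", low):
                findings.append(("sleep_and_hibernate_disabled", detail))
            if "schtasks" in low and "/create" in low:
                name = re.search(r'/tn\s+"([^"]+)"', detail)
                runas = re.search(r'/ru\s+"?([^"\s]+)"?', detail, re.I)
                as_system = runas is not None and runas.group(1).lower() == "system"
                tag = "scheduled_task_as_system" if as_system else "scheduled_task"
                findings.append((tag, name.group(1) if name else detail))
        elif kind == "wmi_query" and "win32_process" in low:
            # repeated CommandLine LIKE '%marker%' queries are the miner's own watchdog
            marker = re.search(r"commandline like '%([^%']+)%'", low)
            findings.append(("process_watchdog_poll", marker.group(1) if marker else detail))
        elif kind == "section_loaded" and native and "mscorlib" in low:
            findings.append(("clr_loaded_in_native_host", source))
        elif kind == "file_created" and native:
            if low.endswith(".exe"):
                findings.append(("executable_dropped_by_native_host", detail))
            if "\\clr_v4.0\\usagelogs\\" in low:
                findings.append(("clr_usage_log_for_native_host", detail))
    return findings


def summarize(findings):
    """Group evidence by finding name, preserving first-seen order."""
    summary = {}
    for tag, evidence in findings:
        summary.setdefault(tag, []).append(evidence)
    return summary


if __name__ == "__main__":
    for tag, evidence in summarize(triage(EVENTS)).items():
        print(f"{tag:34s} {evidence}")
```

On a live host the same facts can be checked without the sandbox: a scheduled task that runs as SYSTEM at logon from a path under Program Files\Google\Chrome that Chrome's own updater does not use, a conhost.exe process with a CLR usage log under AppData\Local\Microsoft\CLR_v4.0\UsageLogs, and Defender exclusions covering the user profile and system drive are each individually strong indicators of this chain.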